diff --git a/creusot/tests/should_fail/bad_law.stderr b/creusot/tests/should_fail/bad_law.stderr index 0fa9046af0..0c45878833 100644 --- a/creusot/tests/should_fail/bad_law.stderr +++ b/creusot/tests/should_fail/bad_law.stderr @@ -4,8 +4,7 @@ error[creusot]: Laws cannot have additional generic parameters 6 | fn my_law(x: T); | ^^^^^^^^^^^^^^^^^^^ -Logic != Program -error[creusot]: Expected `my_law` to be a program function as specified by the trait declaration +error[creusot]: Expected `my_law` to be a logic function as specified by the trait declaration --> bad_law.rs:10:5 | 10 | fn my_law(_: T) {} diff --git a/creusot/tests/should_fail/bug/222.rs b/creusot/tests/should_fail/bug/222.rs index 26d339bc30..09688138ff 100644 --- a/creusot/tests/should_fail/bug/222.rs +++ b/creusot/tests/should_fail/bug/222.rs @@ -3,7 +3,7 @@ extern crate creusot_contracts; use creusot_contracts::{logic::Int, *}; trait A { - #[ghost] + #[logic] fn mktrue() -> Int { pearlite! { 5 } } @@ -17,7 +17,7 @@ trait A { } impl A for () { - #[ghost] + #[logic] fn mktrue() -> Int { pearlite! { 6 } } diff --git a/creusot/tests/should_fail/bug/436_0.rs b/creusot/tests/should_fail/bug/436_0.rs index a2eb958c4b..1fa6e050af 100644 --- a/creusot/tests/should_fail/bug/436_0.rs +++ b/creusot/tests/should_fail/bug/436_0.rs @@ -2,16 +2,16 @@ extern crate creusot_contracts; use creusot_contracts::*; struct S { - g: Ghost, + g: Snapshot, } -#[ghost] +#[logic(prophetic)] fn prophecy(x: &mut S) -> i32 { pearlite! { *(^x).g } } pub fn f() { - let b = &mut S { g: gh! { 1i32 } }; - b.g = gh! { prophecy(b) + 1i32 }; + let b = &mut S { g: snapshot! { 1i32 } }; + b.g = snapshot! { prophecy(b) + 1i32 }; proof_assert! { false } } diff --git a/creusot/tests/should_fail/bug/436_0.stderr b/creusot/tests/should_fail/bug/436_0.stderr index 180377c7a3..4154f9c419 100644 --- a/creusot/tests/should_fail/bug/436_0.stderr +++ b/creusot/tests/should_fail/bug/436_0.stderr 
@@ -1,10 +1,8 @@ -error[creusot]: called Logic function in Ghost context "creusot_contracts::__stubs::fin" - --> 436_0.rs:10:5 +error[creusot]: called prophetic logic function "prophecy" in logic context + --> 436_0.rs:15:23 | -10 | pearlite! { *(^x).g } - | ^^^^^^^^^^^^^^^^^^^^^ - | - = note: this error originates in the macro `pearlite` (in Nightly builds, run with -Z macro-backtrace for more info) +15 | b.g = snapshot! { prophecy(b) + 1i32 }; + | ^^^^^^^^ error: aborting due to previous error diff --git a/creusot/tests/should_fail/bug/436_1.rs b/creusot/tests/should_fail/bug/436_1.rs index e2b6bc1ebb..1ac4dc2c73 100644 --- a/creusot/tests/should_fail/bug/436_1.rs +++ b/creusot/tests/should_fail/bug/436_1.rs @@ -2,7 +2,7 @@ extern crate creusot_contracts; use creusot_contracts::*; struct S { - g: Ghost, + g: Snapshot, } #[predicate] @@ -11,7 +11,7 @@ fn prophecy(x: &mut S) -> bool { } pub fn f() { - let b = &mut S { g: gh! { true } }; - b.g = gh! { !prophecy(b) }; + let b = &mut S { g: snapshot! { true } }; + b.g = snapshot! { !prophecy(b) }; proof_assert! { false } } diff --git a/creusot/tests/should_fail/bug/436_1.stderr b/creusot/tests/should_fail/bug/436_1.stderr index 832ef17013..dec51b306a 100644 --- a/creusot/tests/should_fail/bug/436_1.stderr +++ b/creusot/tests/should_fail/bug/436_1.stderr @@ -1,8 +1,10 @@ -error[creusot]: called Logic function in Ghost context "prophecy" - --> 436_1.rs:15:18 +error[creusot]: called prophetic logic function "creusot_contracts::__stubs::fin" in logic context + --> 436_1.rs:10:5 | -15 | b.g = gh! { !prophecy(b) }; - | ^^^^^^^^ +10 | pearlite! { *(^x).g } + | ^^^^^^^^^^^^^^^^^^^^^ + | + = note: this error originates in the macro `pearlite` (in Nightly builds, run with -Z macro-backtrace for more info) error: aborting due to previous error diff --git a/creusot/tests/should_fail/bug/436_2.rs b/creusot/tests/should_fail/bug/436_2.rs index 2a678e4725..b426ec20ed 100644 --- a/creusot/tests/should_fail/bug/436_2.rs 
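Review bot: With the expected error now raised at the `pearlite! { *(^x).g }` definition (436_1.rs:10), the call-site check on line 15 (`b.g = snapshot! { !prophecy(b) }`) is no longer exercised by 436_1, because the run aborts after the first error and that call-site rejection was exactly what the old expected output pinned. 436_0 now pins the call-site diagnostic for a `#[logic(prophetic)]` function, but nothing in this diff pins it for a predicate called from `snapshot!`, which is the soundness hole bug 436 is about. If `#[predicate]` accepts a prophetic marker the way `#[logic]` does, consider keeping a variant of this test whose definition is legal so the expected error stays `called prophetic logic function "prophecy" in logic context` at the `snapshot!` site; otherwise confirm another should_fail test covers that path.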
+++ b/creusot/tests/should_fail/bug/436_2.rs @@ -3,13 +3,13 @@ use creusot_contracts::*; enum Bad<'a> { None, - Some(Ghost<&'a mut Bad<'a>>), + Some(Snapshot<&'a mut Bad<'a>>), } pub fn test_bad() { let mut x = Bad::None; let m = &mut x; - let g = gh!(m); + let g = snapshot!(m); *m = Bad::Some(g); proof_assert!(*m == Bad::Some(g)); proof_assert!(^*g == ^m); diff --git a/creusot/tests/should_fail/bug/436_2.stderr b/creusot/tests/should_fail/bug/436_2.stderr index cecee78ff4..5a34046556 100644 --- a/creusot/tests/should_fail/bug/436_2.stderr +++ b/creusot/tests/should_fail/bug/436_2.stderr @@ -1,8 +1,8 @@ -error[creusot]: Illegal use of the Ghost type +error[creusot]: Illegal use of the Snapshot type --> 436_2.rs:6:10 | -6 | Some(Ghost<&'a mut Bad<'a>>), - | ^^^^^^^^^^^^^^^^^^^^^^ +6 | Some(Snapshot<&'a mut Bad<'a>>), + | ^^^^^^^^^^^^^^^^^^^^^^^^^ error: aborting due to previous error diff --git a/creusot/tests/should_fail/bug/869.mlcfg b/creusot/tests/should_fail/bug/869.mlcfg index f4bf3a9e22..2353255e0c 100644 --- a/creusot/tests/should_fail/bug/869.mlcfg +++ b/creusot/tests/should_fail/bug/869.mlcfg 
@@ -1,59 +1,59 @@ module C869_Unsound - use prelude.Ghost + use prelude.Snapshot use prelude.Borrow - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - predicate resolve0 (self : borrowed (Ghost.ghost_ty bool)) = + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + predicate resolve0 (self : borrowed (Snapshot.snap_ty bool)) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self - val resolve0 (self : borrowed (Ghost.ghost_ty bool)) : bool + val resolve0 (self : borrowed (Snapshot.snap_ty bool)) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg unsound [#"../869.rs" 4 0 4 16] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); - var x : Ghost.ghost_ty bool; - var xm : borrowed (Ghost.ghost_ty bool); - var _4 : borrowed (Ghost.ghost_ty bool); - var b : borrowed (Ghost.ghost_ty bool); - var _6 : borrowed (Ghost.ghost_ty bool); - var bg : Ghost.ghost_ty (borrowed (Ghost.ghost_ty bool)); - var evil : borrowed (Ghost.ghost_ty bool); - var _12 : borrowed (Ghost.ghost_ty bool); - var _15 : Ghost.ghost_ty bool; + var x : Snapshot.snap_ty bool; + var xm : borrowed (Snapshot.snap_ty bool); + var _4 : borrowed (Snapshot.snap_ty bool); + var b : borrowed (Snapshot.snap_ty bool); + var _6 : borrowed (Snapshot.snap_ty bool); + var bg : Snapshot.snap_ty (borrowed (Snapshot.snap_ty bool)); + var evil : borrowed (Snapshot.snap_ty bool); + var _12 : borrowed (Snapshot.snap_ty bool); + var _15 : Snapshot.snap_ty bool; { goto BB0 } BB0 { - [#"../869.rs" 5 29 5 41] x <- ([#"../869.rs" 5 29 5 41] Ghost.new true); + [#"../869.rs" 5 32 5 50] x <- ([#"../869.rs" 5 32 5 50] Snapshot.new true); goto BB1 } BB1 { - [#"../869.rs" 7 31 7 37] _4 <- Borrow.borrow_mut x; - [#"../869.rs" 7 31 7 37] x <- ^ _4; - [#"../869.rs" 7 31 7 37] xm <- Borrow.borrow_final ( * _4) (Borrow.get_id _4); - [#"../869.rs" 7 31 7 37] _4 <- { _4 with current = ( ^ 
xm) ; }; + [#"../869.rs" 7 34 7 40] _4 <- Borrow.borrow_mut x; + [#"../869.rs" 7 34 7 40] x <- ^ _4; + [#"../869.rs" 7 34 7 40] xm <- Borrow.borrow_final ( * _4) (Borrow.get_id _4); + [#"../869.rs" 7 34 7 40] _4 <- { _4 with current = ( ^ xm) ; }; assume { resolve0 _4 }; - [#"../869.rs" 9 30 9 38] _6 <- Borrow.borrow_mut ( * xm); - [#"../869.rs" 9 30 9 38] xm <- { xm with current = ( ^ _6) ; }; - [#"../869.rs" 9 30 9 38] b <- Borrow.borrow_final ( * _6) (Borrow.get_id _6); - [#"../869.rs" 9 30 9 38] _6 <- { _6 with current = ( ^ b) ; }; + [#"../869.rs" 9 33 9 41] _6 <- Borrow.borrow_mut ( * xm); + [#"../869.rs" 9 33 9 41] xm <- { xm with current = ( ^ _6) ; }; + [#"../869.rs" 9 33 9 41] b <- Borrow.borrow_final ( * _6) (Borrow.get_id _6); + [#"../869.rs" 9 33 9 41] _6 <- { _6 with current = ( ^ b) ; }; assume { resolve0 b }; assume { resolve0 _6 }; - [#"../869.rs" 10 38 10 47] bg <- ([#"../869.rs" 10 38 10 47] Ghost.new b); + [#"../869.rs" 10 44 10 59] bg <- ([#"../869.rs" 10 44 10 59] Snapshot.new b); goto BB2 } BB2 { - assert { [@expl:assertion] [#"../869.rs" 11 20 11 50] Ghost.inner ( * Ghost.inner bg) = true /\ Ghost.inner ( ^ Ghost.inner bg) = true }; - [#"../869.rs" 13 33 13 41] _12 <- Borrow.borrow_final ( * xm) (Borrow.get_id xm); - [#"../869.rs" 13 33 13 41] xm <- { xm with current = ( ^ _12) ; }; - [#"../869.rs" 13 33 13 41] evil <- Borrow.borrow_final ( * _12) (Borrow.get_id _12); - [#"../869.rs" 13 33 13 41] _12 <- { _12 with current = ( ^ evil) ; }; + assert { [@expl:assertion] [#"../869.rs" 11 20 11 50] Snapshot.inner ( * Snapshot.inner bg) = true /\ Snapshot.inner ( ^ Snapshot.inner bg) = true }; + [#"../869.rs" 13 36 13 44] _12 <- Borrow.borrow_final ( * xm) (Borrow.get_id xm); + [#"../869.rs" 13 36 13 44] xm <- { xm with current = ( ^ _12) ; }; + [#"../869.rs" 13 36 13 44] evil <- Borrow.borrow_final ( * _12) (Borrow.get_id _12); + [#"../869.rs" 13 36 13 44] _12 <- { _12 with current = ( ^ evil) ; }; assume { resolve0 _12 }; - assert { 
[@expl:assertion] [#"../869.rs" 17 20 17 53] (evil = Ghost.inner bg) = (Ghost.inner ( ^ evil) = true) }; - [#"../869.rs" 18 12 18 58] _15 <- ([#"../869.rs" 18 12 18 58] Ghost.new (if evil = Ghost.inner bg then + assert { [@expl:assertion] [#"../869.rs" 17 20 17 53] (evil = Snapshot.inner bg) = (Snapshot.inner ( ^ evil) = true) }; + [#"../869.rs" 18 12 18 64] _15 <- ([#"../869.rs" 18 12 18 64] Snapshot.new (if evil = Snapshot.inner bg then false else true @@ -61,12 +61,12 @@ module C869_Unsound goto BB3 } BB3 { - [#"../869.rs" 18 4 18 58] evil <- { evil with current = ([#"../869.rs" 18 4 18 58] _15) ; }; - [#"../869.rs" 18 4 18 58] _15 <- any Ghost.ghost_ty bool; + [#"../869.rs" 18 4 18 64] evil <- { evil with current = ([#"../869.rs" 18 4 18 64] _15) ; }; + [#"../869.rs" 18 4 18 64] _15 <- any Snapshot.snap_ty bool; assume { resolve0 evil }; assume { resolve0 xm }; - assert { [@expl:assertion] [#"../869.rs" 19 20 19 37] Ghost.inner ( * evil) = (not Ghost.inner ( ^ evil)) }; - assert { [@expl:assertion] [#"../869.rs" 20 20 20 37] Ghost.inner ( * evil) = (not Ghost.inner ( * evil)) }; + assert { [@expl:assertion] [#"../869.rs" 19 20 19 37] Snapshot.inner ( * evil) = (not Snapshot.inner ( ^ evil)) }; + assert { [@expl:assertion] [#"../869.rs" 20 20 20 37] Snapshot.inner ( * evil) = (not Snapshot.inner ( * evil)) }; [#"../869.rs" 4 17 21 1] _0 <- ([#"../869.rs" 4 17 21 1] ()); return _0 } diff --git a/creusot/tests/should_fail/bug/869.rs b/creusot/tests/should_fail/bug/869.rs index 968f0d43cc..1c03245f58 100644 --- a/creusot/tests/should_fail/bug/869.rs +++ b/creusot/tests/should_fail/bug/869.rs 
@@ -2,20 +2,20 @@ extern crate creusot_contracts; use creusot_contracts::*; pub fn unsound() { - let mut x: Ghost = gh! { true }; + let mut x: Snapshot = snapshot! { true }; // id(xm) = i1 - let xm: &mut Ghost = &mut x; + let xm: &mut Snapshot = &mut x; // Not final: id(b) = i2 - let b: &mut Ghost = &mut *xm; - let bg: Ghost<&mut Ghost> = gh! { b }; + let b: &mut Snapshot = &mut *xm; + let bg: Snapshot<&mut Snapshot> = snapshot! { b }; proof_assert! { ***bg == true && *^*bg == true }; // Final: id(evil) = i1 - let evil: &mut Ghost = &mut *xm; + let evil: &mut Snapshot = &mut *xm; // This proof_assert does not pass ! // Indeed evil != *bg (because the id do not match), which causes the next line to put `true` inside `*evil`. // And thus *^evil == true, disproving the assertion. proof_assert! { (evil == *bg) == (*^evil == true) }; - *evil = gh! { if evil == *bg { false } else { true } }; + *evil = snapshot! { if evil == *bg { false } else { true } }; proof_assert! { **evil == !*^evil }; proof_assert! { **evil == !**evil }; } diff --git a/creusot/tests/should_fail/bug/borrowed_ghost.rs b/creusot/tests/should_fail/bug/borrowed_ghost.rs index 7dee17a169..a76d4866e8 100644 --- a/creusot/tests/should_fail/bug/borrowed_ghost.rs +++ b/creusot/tests/should_fail/bug/borrowed_ghost.rs @@ -2,9 +2,9 @@ extern crate creusot_contracts; use creusot_contracts::*; pub fn use_borrowed() { - let mut x = gh! { true }; - let r = &mut x; // x = ?, r = (gh true, x) - *r = gh! { !x.inner() }; // r = (gh (not (inner x)), x) - // resolve r: x = gh (not (inner x)) + let mut x = snapshot! { true }; + let r = &mut x; // x = ?, r = (snapshot true, x) + *r = snapshot! { !x.inner() }; // r = (snapshot (not (inner x)), x) + // resolve r: x = snapshot (not (inner x)) proof_assert! { x.inner() == !x.inner() } // UNSOUND! } diff --git a/creusot/tests/should_fail/bug/borrowed_ghost.stderr b/creusot/tests/should_fail/bug/borrowed_ghost.stderr index bcd2ec41da..b2d362a0b3 100644 
--- a/creusot/tests/should_fail/bug/borrowed_ghost.stderr +++ b/creusot/tests/should_fail/bug/borrowed_ghost.stderr @@ -1,10 +1,10 @@ error[creusot]: Use of borrowed variable x --> borrowed_ghost.rs:7:10 | -7 | *r = gh! { !x.inner() }; // r = (gh (not (inner x)), x) - | ^^^^^^^^^^^^^^^^^^ +7 | *r = snapshot! { !x.inner() }; // r = (snapshot (not (inner x)), x) + | ^^^^^^^^^^^^^^^^^^^^^^^^ | - = note: this error originates in the macro `gh` (in Nightly builds, run with -Z macro-backtrace for more info) + = note: this error originates in the macro `snapshot` (in Nightly builds, run with -Z macro-backtrace for more info) error: aborting due to previous error diff --git a/creusot/tests/should_fail/builtin_with_contract.rs b/creusot/tests/should_fail/builtin_with_contract.rs index 13658b1e8a..1490467a70 100644 --- a/creusot/tests/should_fail/builtin_with_contract.rs +++ b/creusot/tests/should_fail/builtin_with_contract.rs @@ -1,7 +1,7 @@ extern crate creusot_contracts; use creusot_contracts::*; -#[ghost] +#[logic] #[ensures(true && false)] #[creusot::builtins = "dummy_function"] fn builtin_with_contract() {} diff --git a/creusot/tests/should_fail/ghost_mapping.rs b/creusot/tests/should_fail/ghost_mapping.rs index d351972ab3..9fdb87b0d4 100644 --- a/creusot/tests/should_fail/ghost_mapping.rs +++ b/creusot/tests/should_fail/ghost_mapping.rs @@ -1,22 +1,22 @@ extern crate creusot_contracts; use creusot_contracts::{logic::Mapping, *}; -#[logic] +#[logic(prophetic)] fn f(x: &mut i32) -> Mapping<(), i32> { pearlite! { |_| ^x } } -#[ghost] +#[logic] fn g(x: &mut i32) -> Mapping<(), i32> { pearlite! { |_| ^x } } -#[logic] +#[logic(prophetic)] fn h(y: &mut i32) -> bool { pearlite! { forall<_x:Int> ^y == 1i32 } } -#[ghost] +#[logic] fn i(y: &mut i32) -> bool { pearlite! { forall<_x:Int> ^y == 1i32 } } diff --git a/creusot/tests/should_fail/ghost_mapping.stderr b/creusot/tests/should_fail/ghost_mapping.stderr index 7d6ce9aaa4..0a40ed1ca5 100644 
--- a/creusot/tests/should_fail/ghost_mapping.stderr +++ b/creusot/tests/should_fail/ghost_mapping.stderr @@ -1,4 +1,4 @@ -error[creusot]: called Logic function in Ghost context "creusot_contracts::__stubs::fin" +error[creusot]: called prophetic logic function "creusot_contracts::__stubs::fin" in logic context --> ghost_mapping.rs:11:5 | 11 | pearlite! { |_| ^x } @@ -6,7 +6,7 @@ error[creusot]: called Logic function in Ghost context "creusot_contracts::__stu | = note: this error originates in the macro `pearlite` (in Nightly builds, run with -Z macro-backtrace for more info) -error[creusot]: called Logic function in Ghost context "creusot_contracts::__stubs::fin" +error[creusot]: called prophetic logic function "creusot_contracts::__stubs::fin" in logic context --> ghost_mapping.rs:21:5 | 21 | pearlite! { forall<_x:Int> ^y == 1i32 } diff --git a/creusot/tests/should_fail/impure_functions.rs b/creusot/tests/should_fail/impure_functions.rs index 29f4a5ab2a..a5869b7572 100644 --- a/creusot/tests/should_fail/impure_functions.rs +++ b/creusot/tests/should_fail/impure_functions.rs @@ -1,7 +1,7 @@ extern crate creusot_contracts; use creusot_contracts::{logic::*, *}; -#[ghost] +#[logic] fn x(v: &Vec) -> Int { pearlite! { v.len()@ } } diff --git a/creusot/tests/should_fail/impure_functions.stderr b/creusot/tests/should_fail/impure_functions.stderr index 34403eb4d8..51ca718af7 100644 --- a/creusot/tests/should_fail/impure_functions.stderr +++ b/creusot/tests/should_fail/impure_functions.stderr @@ -1,10 +1,10 @@ -error[creusot]: called Program function in Ghost context "std::vec::Vec::::len" +error[creusot]: called program function "std::vec::Vec::::len" in logic context --> impure_functions.rs:6:19 | 6 | pearlite! { v.len()@ } | ^^^ -error[creusot]: called Ghost function in Program context "x" +error[creusot]: called logic function "x" in program context --> impure_functions.rs:10:13 | 10 | let _ = x(&Vec::<()>::new()); 
diff --git a/creusot/tests/should_fail/logic_ghost_impl.stderr b/creusot/tests/should_fail/logic_ghost_impl.stderr deleted file mode 100644 index 6f05bea770..0000000000 --- a/creusot/tests/should_fail/logic_ghost_impl.stderr +++ /dev/null @@ -1,9 +0,0 @@ -Logic != Ghost -error[creusot]: Expected `f` to be a ghost function as specified by the trait declaration - --> logic_ghost_impl.rs:11:5 - | -11 | fn f() { - | ^^^^^^ - -error: aborting due to previous error - diff --git a/creusot/tests/should_fail/logic_ghost_impl.rs b/creusot/tests/should_fail/logic_prophetic_impl.rs similarity index 85% rename from creusot/tests/should_fail/logic_ghost_impl.rs rename to creusot/tests/should_fail/logic_prophetic_impl.rs index 40ab38e93c..f71bb2a3d0 100644 --- a/creusot/tests/should_fail/logic_ghost_impl.rs +++ b/creusot/tests/should_fail/logic_prophetic_impl.rs @@ -7,7 +7,7 @@ trait T { } impl T for () { - #[ghost] + #[logic(prophetic)] fn f() { () } diff --git a/creusot/tests/should_fail/logic_prophetic_impl.stderr b/creusot/tests/should_fail/logic_prophetic_impl.stderr new file mode 100644 index 0000000000..6043a836f7 --- /dev/null +++ b/creusot/tests/should_fail/logic_prophetic_impl.stderr @@ -0,0 +1,8 @@ +error[creusot]: Expected `f` to be a logic function as specified by the trait declaration + --> logic_prophetic_impl.rs:11:5 + | +11 | fn f() { + | ^^^^^^ + +error: aborting due to previous error + diff --git a/creusot/tests/should_fail/trait_item_types_mismatch.stderr b/creusot/tests/should_fail/trait_item_types_mismatch.stderr index 9839639a5c..7165f39c19 100644 --- a/creusot/tests/should_fail/trait_item_types_mismatch.stderr +++ b/creusot/tests/should_fail/trait_item_types_mismatch.stderr 
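Review bot: The message pinned here, `Expected \`f\` to be a logic function as specified by the trait declaration`, is misleading for this test: the impl's `f` is marked `#[logic(prophetic)]` and so already is a logic function, and the real mismatch is prophetic versus non-prophetic, which the text never says. A user hitting this cannot tell from the diagnostic what to change. Suggest the emitting code distinguish the two kinds and this file pin something like `Expected \`f\` to be a non-prophetic logic function as specified by the trait declaration` (and the mirror wording when the trait side is prophetic). The emitter is not in this diff, so the exact phrasing is for the compiler change to settle; the old `Logic != Ghost` debug line being dropped is fine.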
@@ -4,8 +4,7 @@ error[creusot]: Expected implementation of trait `Trusted` for `()` to be marked 7 | impl Trusted for () {} | ^^^^^^^^^^^^^^^^^^^ -Predicate != Program -error[creusot]: Expected `my_predicate` to be a program function as specified by the trait declaration +error[creusot]: Expected `my_predicate` to be a predicate as specified by the trait declaration --> trait_item_types_mismatch.rs:17:5 | 17 | fn my_predicate() -> bool { diff --git a/creusot/tests/should_fail/traits/17_impl_refinement.rs b/creusot/tests/should_fail/traits/17_impl_refinement.rs index 47720c14e7..e80c05fb31 100644 --- a/creusot/tests/should_fail/traits/17_impl_refinement.rs +++ b/creusot/tests/should_fail/traits/17_impl_refinement.rs @@ -17,14 +17,14 @@ impl Tr for () { } trait ReqFalse { - #[ghost] + #[logic] #[requires(x@ >= 10)] fn need_false(x: u64) -> (); } impl ReqFalse for () { // This should not prove - #[ghost] + #[logic] #[requires(y@ >= 15)] fn need_false(y: u64) {} } diff --git a/creusot/tests/should_succeed/100doors.mlcfg b/creusot/tests/should_succeed/100doors.mlcfg index afcad7798f..f974b231f5 100644 --- a/creusot/tests/should_succeed/100doors.mlcfg +++ b/creusot/tests/should_succeed/100doors.mlcfg @@ -237,7 +237,7 @@ module C100doors_F ensures { result = invariant0 self } axiom inv0 : forall x : Core_Ops_Range_Range_Type.t_range usize . inv0 x = true - use prelude.Ghost + use prelude.Snapshot predicate resolve3 (self : bool) = [#"../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve3 (self : bool) : bool @@ -325,10 +325,10 @@ module C100doors_F end } ensures { inv5 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_Range_Type.t_range usize) (res : Core_Ops_Range_Range_Type.t_range usize) = 
@@ -358,14 +358,14 @@ module C100doors_F var _0 : (); var door_open : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global); var iter : Core_Ops_Range_Range_Type.t_range usize; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range usize); - var produced : Ghost.ghost_ty (Seq.seq usize); + var iter_old : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range usize); + var produced : Snapshot.snap_ty (Seq.seq usize); var _11 : (); var _12 : Core_Option_Option_Type.t_option usize; var _13 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var _14 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var __creusot_proc_iter_elem : usize; - var _17 : Ghost.ghost_ty (Seq.seq usize); + var _17 : Snapshot.snap_ty (Seq.seq usize); var pass : usize; var door : usize; var _26 : bool; @@ -383,11 +383,11 @@ module C100doors_F goto BB2 } BB2 { - [#"../100doors.rs" 20 4 20 41] iter_old <- ([#"../100doors.rs" 20 4 20 41] Ghost.new iter); + [#"../100doors.rs" 20 4 20 41] iter_old <- ([#"../100doors.rs" 20 4 20 41] Snapshot.new iter); goto BB3 } BB3 { - [#"../100doors.rs" 20 4 20 41] produced <- ([#"../100doors.rs" 20 4 20 41] Ghost.new (Seq.empty )); + [#"../100doors.rs" 20 4 20 41] produced <- ([#"../100doors.rs" 20 4 20 41] Snapshot.new (Seq.empty )); goto BB4 } BB4 { @@ -398,7 +398,7 @@ module C100doors_F } BB6 { invariant { [#"../100doors.rs" 20 4 20 41] inv0 iter }; - invariant { [#"../100doors.rs" 20 4 20 41] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; + invariant { [#"../100doors.rs" 20 4 20 41] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; invariant { [#"../100doors.rs" 20 16 20 39] Seq.length (shallow_model0 door_open) = 100 }; goto BB7 } 
@@ -432,14 +432,14 @@ module C100doors_F absurd } BB12 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _12); - [#"../100doors.rs" 20 4 20 41] _17 <- ([#"../100doors.rs" 20 4 20 41] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _12); + [#"../100doors.rs" 20 4 20 41] _17 <- ([#"../100doors.rs" 20 4 20 41] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB13 } BB13 { [#"../100doors.rs" 20 4 20 41] produced <- ([#"../100doors.rs" 20 4 20 41] _17); - [#"../100doors.rs" 20 4 20 41] _17 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] pass <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem); + [#"../100doors.rs" 20 4 20 41] _17 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] pass <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem); [#"../100doors.rs" 22 30 22 34] door <- ([#"../100doors.rs" 22 30 22 34] pass); goto BB14 } diff --git a/creusot/tests/should_succeed/all_zero.mlcfg b/creusot/tests/should_succeed/all_zero.mlcfg index 6294a3c0df..817be0c32b 100644 --- a/creusot/tests/should_succeed/all_zero.mlcfg +++ b/creusot/tests/should_succeed/all_zero.mlcfg 
@@ -26,7 +26,7 @@ end module AllZero_AllZero use AllZero_List_Type as AllZero_List_Type use prelude.Borrow - use prelude.Ghost + use prelude.Snapshot predicate resolve2 (self : borrowed (AllZero_List_Type.t_list)) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed (AllZero_List_Type.t_list)) : bool @@ -43,7 +43,7 @@ module AllZero_AllZero val resolve0 (self : borrowed uint32) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot use Core_Option_Option_Type as Core_Option_Option_Type use prelude.Int function get0 [#"../all_zero.rs" 21 4 21 40] (self : AllZero_List_Type.t_list) (ix : int) : Core_Option_Option_Type.t_option uint32 @@ -64,7 +64,7 @@ module AllZero_AllZero val len0 [#"../all_zero.rs" 13 4 13 23] (self : AllZero_List_Type.t_list) : int ensures { result = len0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg all_zero [#"../all_zero.rs" 34 0 34 29] [@cfg:stackify] [@cfg:subregion_analysis] (l : borrowed (AllZero_List_Type.t_list)) : () ensures { [#"../all_zero.rs" 32 0 32 77] forall i : int . 0 <= i /\ i < len0 ( * l) -> get0 ( ^ l) i = Core_Option_Option_Type.C_Some (0 : uint32) } ensures { [#"../all_zero.rs" 33 10 33 34] len0 ( * l) = len0 ( ^ l) } @@ -72,7 +72,7 @@ module AllZero_AllZero = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var l : borrowed (AllZero_List_Type.t_list) = l; - var old_l : Ghost.ghost_ty (borrowed (AllZero_List_Type.t_list)); + var old_l : Snapshot.snap_ty (borrowed (AllZero_List_Type.t_list)); var loop_l : borrowed (AllZero_List_Type.t_list); var value : borrowed uint32; var next : borrowed (AllZero_List_Type.t_list); @@ -81,7 +81,7 @@ module AllZero_AllZero goto BB0 } BB0 { - [#"../all_zero.rs" 36 16 36 25] old_l <- ([#"../all_zero.rs" 36 16 36 25] Ghost.new l); + [#"../all_zero.rs" 36 16 36 31] old_l <- ([#"../all_zero.rs" 36 16 36 31] Snapshot.new l); goto BB1 } BB1 { 
@@ -90,8 +90,8 @@ module AllZero_AllZero goto BB2 } BB2 { - invariant { [#"../all_zero.rs" 39 4 41 88] (forall i : int . 0 <= i /\ i < len0 ( * loop_l) -> get0 ( ^ loop_l) i = Core_Option_Option_Type.C_Some (0 : uint32)) -> (forall i : int . 0 <= i /\ i < len0 ( * Ghost.inner old_l) -> get0 ( ^ Ghost.inner old_l) i = Core_Option_Option_Type.C_Some (0 : uint32)) }; - invariant { [#"../all_zero.rs" 39 4 41 88] len0 ( ^ loop_l) = len0 ( * loop_l) -> len0 ( ^ Ghost.inner old_l) = len0 ( * Ghost.inner old_l) }; + invariant { [#"../all_zero.rs" 39 4 41 88] (forall i : int . 0 <= i /\ i < len0 ( * loop_l) -> get0 ( ^ loop_l) i = Core_Option_Option_Type.C_Some (0 : uint32)) -> (forall i : int . 0 <= i /\ i < len0 ( * Snapshot.inner old_l) -> get0 ( ^ Snapshot.inner old_l) i = Core_Option_Option_Type.C_Some (0 : uint32)) }; + invariant { [#"../all_zero.rs" 39 4 41 88] len0 ( ^ loop_l) = len0 ( * loop_l) -> len0 ( ^ Snapshot.inner old_l) = len0 ( * Snapshot.inner old_l) }; goto BB3 } BB3 { diff --git a/creusot/tests/should_succeed/all_zero.rs b/creusot/tests/should_succeed/all_zero.rs index 30d2b8b62a..f48895b8ed 100644 --- a/creusot/tests/should_succeed/all_zero.rs +++ b/creusot/tests/should_succeed/all_zero.rs @@ -9,7 +9,7 @@ pub enum List { use List::*; impl List { - #[ghost] + #[logic] fn len(self) -> Int { match self { Cons(_, ls) => 1 + ls.len(), @@ -17,7 +17,7 @@ impl List { } } - #[ghost] + #[logic] fn get(self, ix: Int) -> Option { match self { Cons(x, ls) => match pearlite! { ix == 0 } { @@ -33,7 +33,7 @@ impl List { #[ensures((*l).len() == (^l).len())] pub fn all_zero(l: &mut List) { use List::*; - let old_l = gh! { l }; + let old_l = snapshot! { l }; let mut loop_l = l; #[invariant( diff --git a/creusot/tests/should_succeed/bdd.mlcfg b/creusot/tests/should_succeed/bdd.mlcfg index 9dab2772aa..729da25651 100644 --- a/creusot/tests/should_succeed/bdd.mlcfg +++ b/creusot/tests/should_succeed/bdd.mlcfg 
@@ -773,11 +773,11 @@ module Bdd_Context_Type use prelude.Int use Bdd_Node_Type as Bdd_Node_Type use map.Map - use prelude.Ghost + use prelude.Snapshot use Bdd_Bumpalo_Bump_Type as Bdd_Bumpalo_Bump_Type use prelude.Borrow type t_context = - | C_Context (Bdd_Bumpalo_Bump_Type.t_bump) (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Node_Type.t_node) (Bdd_Bdd_Type.t_bdd)) (Ghost.ghost_ty (Map.map uint64 (Bdd_Node_Type.t_node))) (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd)) (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd, Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd)) uint64 + | C_Context (Bdd_Bumpalo_Bump_Type.t_bump) (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Node_Type.t_node) (Bdd_Bdd_Type.t_bdd)) (Snapshot.snap_ty (Map.map uint64 (Bdd_Node_Type.t_node))) (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd)) (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd, Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd)) uint64 let function context_hashcons (self : t_context) : Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Node_Type.t_node) (Bdd_Bdd_Type.t_bdd) @@ -789,7 +789,7 @@ module Bdd_Context_Type match self with | C_Context _ _ _ _ _ a -> a end - let function context_hashcons_ghost (self : t_context) : Ghost.ghost_ty (Map.map uint64 (Bdd_Node_Type.t_node)) + let function context_hashcons_ghost (self : t_context) : Snapshot.snap_ty (Map.map uint64 (Bdd_Node_Type.t_node)) = [@vc:do_not_keep_trace] [@vc:sp] match self with | C_Context _ _ a _ _ _ -> a @@ -897,7 +897,7 @@ module Bdd_Impl10_GrowsIsValidBdd_Impl ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -909,14 +909,14 @@ module Bdd_Impl10_GrowsIsValidBdd_Impl predicate invariant1 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model1 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model4 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model5 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant1 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant1 self } @@ -1041,7 +1041,7 @@ module Bdd_Impl10_GrowsTrans_Impl ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -1053,14 +1053,14 @@ module Bdd_Impl10_GrowsTrans_Impl predicate invariant1 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model1 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model3 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model4 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant1 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant1 self } @@ -1189,7 +1189,7 @@ module Bdd_Impl10_SetIrreleventVar_Impl ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -1201,14 +1201,14 @@ module Bdd_Impl10_SetIrreleventVar_Impl predicate invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model1 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model5 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model6 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant0 self } @@ -1319,7 +1319,7 @@ module Bdd_Impl10_DiscrValuation_Impl ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -1331,14 +1331,14 @@ module Bdd_Impl10_DiscrValuation_Impl predicate invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model0 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model1 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model1 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model5 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model6 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant0 self } @@ -1505,7 +1505,7 @@ module Bdd_Impl10_BddCanonical_Impl ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -1517,14 +1517,14 @@ module Bdd_Impl10_BddCanonical_Impl predicate invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model0 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model1 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model1 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model5 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model6 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant0 self } @@ -1701,7 +1701,7 @@ module Bdd_Impl11_New ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -1713,14 +1713,14 @@ module Bdd_Impl11_New predicate invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model0 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model3 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model3 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model1 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model2 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant0 self } @@ -1733,7 +1733,7 @@ module Bdd_Impl11_New | Bdd_Context_Type.C_Context alloc hashcons hashcons_ghost not_memo and_memo cnt -> true end) use Bdd_Bumpalo_Bump_Type as Bdd_Bumpalo_Bump_Type - use prelude.Ghost + use prelude.Snapshot use map.Const val new3 [#"../bdd.rs" 69 8 69 28] (_1 : ()) : Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd, Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd) ensures { [#"../bdd.rs" 67 18 67 47] shallow_model2 result = Const.const (Core_Option_Option_Type.C_None) } 
@@ -1742,7 +1742,7 @@ module Bdd_Impl11_New val new2 [#"../bdd.rs" 69 8 69 28] (_1 : ()) : Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd) ensures { [#"../bdd.rs" 67 18 67 47] shallow_model1 result = Const.const (Core_Option_Option_Type.C_None) } - use prelude.Ghost + use prelude.Snapshot use map.Const use map.Const val new0 [#"../bdd.rs" 69 8 69 28] (_1 : ()) : Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Node_Type.t_node) (Bdd_Bdd_Type.t_bdd) @@ -1758,7 +1758,7 @@ module Bdd_Impl11_New var alloc : Bdd_Bumpalo_Bump_Type.t_bump = alloc; var t : Bdd_Node_Type.t_node; var _5 : Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Node_Type.t_node) (Bdd_Bdd_Type.t_bdd); - var _6 : Ghost.ghost_ty (Map.map uint64 (Bdd_Node_Type.t_node)); + var _6 : Snapshot.snap_ty (Map.map uint64 (Bdd_Node_Type.t_node)); var _8 : Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd); var _9 : Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd, Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd); var _10 : Bdd_Node_Type.t_node; @@ -1772,7 +1772,7 @@ module Bdd_Impl11_New goto BB1 } BB1 { - [#"../bdd.rs" 429 28 429 51] _6 <- ([#"../bdd.rs" 429 28 429 51] Ghost.new (Const.const t)); + [#"../bdd.rs" 429 28 429 57] _6 <- ([#"../bdd.rs" 429 28 429 57] Snapshot.new (Const.const t)); goto BB2 } BB2 { 
@@ -1786,7 +1786,7 @@ module Bdd_Impl11_New BB4 { [#"../bdd.rs" 426 8 433 9] _0 <- ([#"../bdd.rs" 426 8 433 9] Bdd_Context_Type.C_Context ([#"../bdd.rs" 427 12 427 17] alloc) _5 _6 _8 _9 ([#"../bdd.rs" 432 17 432 18] [#"../bdd.rs" 432 17 432 18] (0 : uint64))); _5 <- any Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Node_Type.t_node) (Bdd_Bdd_Type.t_bdd); - _6 <- any Ghost.ghost_ty (Map.map uint64 (Bdd_Node_Type.t_node)); + _6 <- any Snapshot.snap_ty (Map.map uint64 (Bdd_Node_Type.t_node)); _8 <- any Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd); _9 <- any Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd, Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd); return _0 @@ -1879,7 +1879,7 @@ module Bdd_Impl11_Hashcons ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -1891,14 +1891,14 @@ module Bdd_Impl11_Hashcons predicate invariant7 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model3 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model0 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model0 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model7 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model8 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant7 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant7 self } @@ -1988,8 +1988,8 @@ module Bdd_Impl11_Hashcons val grows0 [#"../bdd.rs" 296 4 296 35] (self : borrowed (Bdd_Context_Type.t_context)) : bool ensures { result = grows0 self } - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot use map.Map function shallow_model4 (self : borrowed (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Node_Type.t_node) (Bdd_Bdd_Type.t_bdd))) : Map.map (Bdd_NodeLog_Type.t_nodelog) (Core_Option_Option_Type.t_option (Bdd_Bdd_Type.t_bdd)) 
@@ -2061,7 +2061,7 @@ module Bdd_Impl11_Hashcons var _19 : borrowed (Bdd_Node_Type.t_node); var _23 : (); var _24 : borrowed (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Node_Type.t_node) (Bdd_Bdd_Type.t_bdd)); - var _27 : Ghost.ghost_ty (Map.map uint64 (Bdd_Node_Type.t_node)); + var _27 : Snapshot.snap_ty (Map.map uint64 (Bdd_Node_Type.t_node)); { goto BB0 } @@ -2101,12 +2101,12 @@ module Bdd_Impl11_Hashcons goto BB6 } BB6 { - [#"../bdd.rs" 447 30 447 71] _27 <- ([#"../bdd.rs" 447 30 447 71] Ghost.new (Map.set (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost ( * self))) (Bdd_Bdd_Type.bdd_1 r1) (Bdd_Bdd_Type.bdd_0 r1))); + [#"../bdd.rs" 447 30 447 77] _27 <- ([#"../bdd.rs" 447 30 447 77] Snapshot.new (Map.set (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost ( * self))) (Bdd_Bdd_Type.bdd_1 r1) (Bdd_Bdd_Type.bdd_0 r1))); goto BB7 } BB7 { - [#"../bdd.rs" 447 8 447 71] self <- { self with current = (let Bdd_Context_Type.C_Context x0 x1 x2 x3 x4 x5 = * self in Bdd_Context_Type.C_Context x0 x1 ([#"../bdd.rs" 447 8 447 71] _27) x3 x4 x5) ; }; - [#"../bdd.rs" 447 8 447 71] _27 <- any Ghost.ghost_ty (Map.map uint64 (Bdd_Node_Type.t_node)); + [#"../bdd.rs" 447 8 447 77] self <- { self with current = (let Bdd_Context_Type.C_Context x0 x1 x2 x3 x4 x5 = * self in Bdd_Context_Type.C_Context x0 x1 ([#"../bdd.rs" 447 8 447 77] _27) x3 x4 x5) ; }; + [#"../bdd.rs" 447 8 447 77] _27 <- any Snapshot.snap_ty (Map.map uint64 (Bdd_Node_Type.t_node)); switch ([#"../bdd.rs" 448 11 448 34] ([#"../bdd.rs" 448 11 448 19] Bdd_Context_Type.context_cnt ( * self)) > ([#"../bdd.rs" 448 22 448 34] ([#"../bdd.rs" 448 22 448 30] [#"../bdd.rs" 448 22 448 30] (18446744073709551615 : uint64)) - ([#"../bdd.rs" 448 33 448 34] [#"../bdd.rs" 448 33 448 34] (1 : uint64)))) | False -> goto BB11 | True -> goto BB8 
@@ -2234,7 +2234,7 @@ module Bdd_Impl11_Node ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -2246,14 +2246,14 @@ module Bdd_Impl11_Node predicate invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model2 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model3 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model3 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model7 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model8 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant0 self } @@ -2458,7 +2458,7 @@ module Bdd_Impl11_True ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -2470,14 +2470,14 @@ module Bdd_Impl11_True predicate invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model1 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model5 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model6 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant0 self } @@ -2634,7 +2634,7 @@ module Bdd_Impl11_False ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -2646,14 +2646,14 @@ module Bdd_Impl11_False predicate invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model1 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model5 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model6 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant0 self } @@ -2810,7 +2810,7 @@ module Bdd_Impl11_V ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -2822,14 +2822,14 @@ module Bdd_Impl11_V predicate invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model1 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model5 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model6 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant0 self } @@ -3053,7 +3053,7 @@ module Bdd_Impl11_Not ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -3065,14 +3065,14 @@ module Bdd_Impl11_Not predicate invariant1 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model4 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model5 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model5 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model2 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model8 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant1 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant1 self } @@ -3508,7 +3508,7 @@ module Bdd_Impl11_And ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -3520,14 +3520,14 @@ module Bdd_Impl11_And predicate invariant1 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model4 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model5 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model5 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model8 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model2 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant1 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant1 self } diff --git a/creusot/tests/should_succeed/bdd.rs b/creusot/tests/should_succeed/bdd.rs index ba902cbec0..1c973686af 100644 --- a/creusot/tests/should_succeed/bdd.rs +++ b/creusot/tests/should_succeed/bdd.rs @@ -30,7 +30,7 @@ mod hashmap { #[ensures(result@ == Self::hash_log(self.deep_model()))] fn hash(&self) -> u64; - #[ghost] + #[logic] fn hash_log(_: Self::DeepModelTy) -> Int; } @@ -40,7 +40,7 @@ mod hashmap { impl ShallowModel for MyHashMap { type ShallowModelTy = Mapping>; - #[ghost] + #[logic] #[open(self)] #[trusted] fn shallow_model(self) -> Self::ShallowModelTy { 
@@ -78,7 +78,7 @@ mod hashmap { } #[open(self)] - #[ghost] + #[logic] fn hash_log(x: Self::DeepModelTy) -> Int { pearlite! { (U::hash_log(x.0) + V::hash_log(x.1) * 17) % (u64::MAX@ + 1) } } @@ -124,7 +124,7 @@ impl<'arena> hashmap::Hash for Node<'arena> { } #[open(self)] - #[ghost] + #[logic] fn hash_log(x: Self::DeepModelTy) -> Int { pearlite! { match x { @@ -144,7 +144,7 @@ impl<'arena> hashmap::Hash for Bdd<'arena> { } #[open(self)] - #[ghost] + #[logic] fn hash_log(x: Self::DeepModelTy) -> Int { pearlite! { x@ } } @@ -154,7 +154,7 @@ impl<'arena> DeepModel for Node<'arena> { type DeepModelTy = NodeLog; #[open(self)] - #[ghost] + #[logic] fn deep_model(self) -> Self::DeepModelTy { pearlite! { match self { @@ -171,7 +171,7 @@ impl<'arena> ShallowModel for Node<'arena> { type ShallowModelTy = NodeLog; #[open(self)] - #[ghost] + #[logic] fn shallow_model(self) -> Self::ShallowModelTy { pearlite! { self.deep_model() } } @@ -181,7 +181,7 @@ impl<'arena> DeepModel for Bdd<'arena> { type DeepModelTy = u64; #[open(self)] - #[ghost] + #[logic] fn deep_model(self) -> Self::DeepModelTy { pearlite! { self.1 } } @@ -191,7 +191,7 @@ impl<'arena> ShallowModel for Bdd<'arena> { type ShallowModelTy = u64; #[open(self)] - #[ghost] + #[logic] fn shallow_model(self) -> Self::ShallowModelTy { pearlite! { self.deep_model() } } @@ -205,7 +205,7 @@ impl<'arena> PartialEq for Bdd<'arena> { } impl<'arena> Bdd<'arena> { - #[ghost] + #[logic] fn interp(self, vars: Mapping) -> bool { pearlite! { match self { @@ -219,7 +219,7 @@ impl<'arena> Bdd<'arena> { } } - #[ghost] + #[logic] #[ensures(result >= 0)] fn size(self) -> Int { pearlite! { @@ -235,7 +235,7 @@ impl<'arena> Bdd<'arena> { } } - #[ghost] + #[logic] fn leastvar(self) -> Int { pearlite! { match self { 
@@ -250,7 +250,7 @@ impl<'arena> Bdd<'arena> { pub struct Context<'arena> { alloc: &'arena bumpalo::Bump, hashcons: hashmap::MyHashMap, Bdd<'arena>>, - hashcons_ghost: Ghost>>, + hashcons_ghost: Snapshot>>, not_memo: hashmap::MyHashMap, Bdd<'arena>>, and_memo: hashmap::MyHashMap<(Bdd<'arena>, Bdd<'arena>), Bdd<'arena>>, cnt: u64, @@ -292,7 +292,7 @@ impl<'arena> Invariant for Context<'arena> { impl<'arena> Context<'arena> { #[open(self)] - #[predicate] + #[predicate(prophetic)] pub fn grows(&mut self) -> bool { pearlite! { self.cnt@ <= (^self).cnt@ && @@ -328,14 +328,14 @@ impl<'arena> Context<'arena> { } } - #[ghost] + #[logic] #[open(self)] #[requires(self.grows())] #[requires(self.is_valid_bdd(b))] #[ensures((^self).is_valid_bdd(b))] pub fn grows_is_valid_bdd(&mut self, b: Bdd<'arena>) {} - #[ghost] + #[logic] #[open(self)] #[requires(self.grows())] #[requires(o.grows())] @@ -344,7 +344,7 @@ impl<'arena> Context<'arena> { #[ensures(oo.grows())] pub fn grows_trans(&mut self, o: &mut Self, oo: &mut Self) {} - #[ghost] + #[logic] #[requires(self.is_valid_bdd(a))] #[requires(x@ < a.leastvar())] #[ensures(a.interp(v) == a.interp(v.set(x, b)))] @@ -360,7 +360,7 @@ impl<'arena> Context<'arena> { } } - #[ghost] + #[logic] #[requires(self.is_valid_bdd(a))] #[requires(self.is_valid_bdd(b))] #[requires(a != b)] @@ -408,7 +408,7 @@ impl<'arena> Context<'arena> { } } - #[ghost] + #[logic] #[open(self)] #[requires(self.is_valid_bdd(a))] #[requires(self.is_valid_bdd(b))] @@ -426,7 +426,7 @@ impl<'arena> Context<'arena> { Context { alloc, hashcons: hashmap::MyHashMap::new(), - hashcons_ghost: gh! { Mapping::cst(t) }, + hashcons_ghost: snapshot! { Mapping::cst(t) }, not_memo: hashmap::MyHashMap::new(), and_memo: hashmap::MyHashMap::new(), cnt: 0, 
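Review bot: `hashcons_ghost` keeps its `_ghost` suffix while its type becomes `Snapshot<...>`, so the field name now contradicts the vocabulary the commit adopts everywhere else (`Ghost` → `Snapshot`, `gh!` → `snapshot!`). Either rename it (`hashcons_snap`) or document the role, e.g. `// logical id -> node map mirroring `hashcons`, held as a Snapshot for the invariant`, so the next reader does not look for a separate "ghost" mechanism. A rename would also churn the generated `.mlcfg` expectations in this diff, which spell it `context_hashcons_ghost`, so the comment may be the cheaper option for now. The `Context` struct definition continues outside the hunk.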
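Review bot: `#[predicate(prophetic)]` on `grows` is the only non-mechanical change in this file and has no comment saying why the flag is needed; the visible body reads `(^self).cnt@`, the final value of the mutable borrow, which is presumably what requires it. A line above the attribute, `// prophetic: relates the current context to its final state `^self``, would record that. The lemmas `grows_is_valid_bdd` and `grows_trans` further down stay plain `#[logic]` although their contracts use `self.grows()` and `(^self)`; if the check behind the new 436_* expected errors also covers lemma contracts they would need `#[logic(prophetic)]`, which is worth confirming against the tool rather than assuming from the test passing. The body of `grows` continues outside the hunk.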
@@ -444,7 +444,7 @@ impl<'arena> Context<'arena> { } let r = Bdd(self.alloc.alloc(n), self.cnt); self.hashcons.add(n, r); - self.hashcons_ghost = gh! { self.hashcons_ghost.set(r.1, r.0) }; + self.hashcons_ghost = snapshot! { self.hashcons_ghost.set(r.1, r.0) }; if self.cnt > u64::MAX - 1 { loop { // prevent self from being resolved diff --git a/creusot/tests/should_succeed/binary_search.rs b/creusot/tests/should_succeed/binary_search.rs index 16a58f13c4..3bbf583b76 100644 --- a/creusot/tests/should_succeed/binary_search.rs +++ b/creusot/tests/should_succeed/binary_search.rs @@ -17,7 +17,7 @@ pub enum List { use List::*; impl List { - #[ghost] + #[logic] #[ensures(result >= 0)] fn len_logic(self) -> Int { match self { @@ -26,7 +26,7 @@ impl List { } } - #[ghost] + #[logic] fn get(self, ix: Int) -> Option { match self { Cons(t, ls) => { @@ -74,7 +74,7 @@ impl List { len } - #[ghost] + #[logic] fn get_default(self, ix: Int, def: T) -> T { match self.get(ix) { Some(v) => v, diff --git a/creusot/tests/should_succeed/bug/181_ident.rs b/creusot/tests/should_succeed/bug/181_ident.rs index 202233d6b1..d601a86ee1 100644 --- a/creusot/tests/should_succeed/bug/181_ident.rs +++ b/creusot/tests/should_succeed/bug/181_ident.rs @@ -3,7 +3,7 @@ extern crate creusot_contracts; use creusot_contracts::{logic::Int, *}; // Bug #181 -#[ghost] +#[logic] #[open] pub fn max_int(a: Int, b: Int) -> Int { if a < b { diff --git a/creusot/tests/should_succeed/bug/206.rs b/creusot/tests/should_succeed/bug/206.rs index d8b329f840..1e14851c50 100644 --- a/creusot/tests/should_succeed/bug/206.rs +++ b/creusot/tests/should_succeed/bug/206.rs @@ -4,11 +4,11 @@ use creusot_contracts::*; pub struct A(Vec); -#[ghost] +#[logic] #[ensures(a.0@ == a.0@)] fn u2(a: A) {} -#[ghost] +#[logic] #[open(self)] pub fn u(a: A) { pearlite! { diff --git a/creusot/tests/should_succeed/bug/217.rs b/creusot/tests/should_succeed/bug/217.rs index d9474e02ed..d27344e6f6 100644 --- a/creusot/tests/should_succeed/bug/217.rs 
+++ b/creusot/tests/should_succeed/bug/217.rs @@ -6,7 +6,7 @@ use creusot_contracts::{ }; #[open] -#[ghost] +#[logic] #[variant(c.len())] pub fn ex(c: Seq, a: Int) -> Int { if c.len() == 0 { diff --git a/creusot/tests/should_succeed/bug/265.rs b/creusot/tests/should_succeed/bug/265.rs index 3fa3b918b8..3800d4948e 100644 --- a/creusot/tests/should_succeed/bug/265.rs +++ b/creusot/tests/should_succeed/bug/265.rs @@ -2,13 +2,13 @@ extern crate creusot_contracts; use creusot_contracts::*; #[open] -#[ghost] +#[logic] pub fn bool_to_bool(b: bool) -> bool { b } #[open] -#[ghost] +#[logic] pub fn ex() { pearlite! { bool_to_bool(!true) }; } diff --git a/creusot/tests/should_succeed/bug/269.rs b/creusot/tests/should_succeed/bug/269.rs index d52bf783c1..bb8730c780 100644 --- a/creusot/tests/should_succeed/bug/269.rs +++ b/creusot/tests/should_succeed/bug/269.rs @@ -3,5 +3,5 @@ extern crate creusot_contracts; use creusot_contracts::*; #[open] -#[ghost] +#[logic] pub fn my_lemma() {} diff --git a/creusot/tests/should_succeed/bug/564.rs b/creusot/tests/should_succeed/bug/564.rs index a35c8dd2db..96a649271e 100644 --- a/creusot/tests/should_succeed/bug/564.rs +++ b/creusot/tests/should_succeed/bug/564.rs @@ -1,7 +1,7 @@ extern crate creusot_contracts; use creusot_contracts::*; -#[ghost] +#[logic] #[open] #[requires(invariants())] pub fn emits_pure_eq() -> bool { @@ -10,7 +10,7 @@ pub fn emits_pure_eq() -> bool { } } -#[ghost] +#[logic] #[open] #[requires(invariants())] pub fn emits_pure_implies() -> bool { @@ -19,7 +19,7 @@ pub fn emits_pure_implies() -> bool { } } -#[ghost] +#[logic] fn invariants() -> bool { true } diff --git a/creusot/tests/should_succeed/bug/570.rs b/creusot/tests/should_succeed/bug/570.rs index b05fdfb543..80a9793173 100644 --- a/creusot/tests/should_succeed/bug/570.rs +++ b/creusot/tests/should_succeed/bug/570.rs @@ -18,7 +18,7 @@ pub fn test_assign(mut s: S2) { } #[open] -#[ghost] +#[logic] pub fn test_logic(s: S2) { s.s1.f; } 
diff --git a/creusot/tests/should_succeed/bug/594.rs b/creusot/tests/should_succeed/bug/594.rs index 3596bd72ae..3ad0672196 100644 --- a/creusot/tests/should_succeed/bug/594.rs +++ b/creusot/tests/should_succeed/bug/594.rs @@ -2,7 +2,7 @@ extern crate creusot_contracts; use creusot_contracts::*; #[open] -#[ghost] +#[logic] pub fn test_logic((x, _): (u32, u32)) -> u32 { x } diff --git a/creusot/tests/should_succeed/bug/682.mlcfg b/creusot/tests/should_succeed/bug/682.mlcfg index 39e923a575..f4c346d39f 100644 --- a/creusot/tests/should_succeed/bug/682.mlcfg +++ b/creusot/tests/should_succeed/bug/682.mlcfg @@ -30,8 +30,8 @@ module C682_AddSome end module C682_Foo use prelude.UInt64 - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot use prelude.Borrow predicate resolve0 (self : borrowed uint64) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self @@ -45,7 +45,7 @@ module C682_Foo requires {[#"../682.rs" 4 11 4 32] * a <= div max0 (2 : uint64)} ensures { [#"../682.rs" 5 10 5 17] ^ a > * a } - use prelude.Ghost + use prelude.Snapshot let rec cfg foo [#"../682.rs" 12 0 12 23] [@cfg:stackify] [@cfg:subregion_analysis] (a : borrowed uint64) : () requires {[#"../682.rs" 10 11 10 21] * a = (3 : uint64)} ensures { [#"../682.rs" 11 10 11 17] ^ a > * a } @@ -53,14 +53,14 @@ module C682_Foo = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var a : borrowed uint64 = a; - var a_p : Ghost.ghost_ty uint64; + var a_p : Snapshot.snap_ty uint64; var _6 : (); var _7 : borrowed uint64; { goto BB0 } BB0 { - [#"../682.rs" 13 26 13 33] a_p <- ([#"../682.rs" 13 26 13 33] Ghost.new ( * a)); + [#"../682.rs" 13 29 13 42] a_p <- ([#"../682.rs" 13 29 13 42] Snapshot.new ( * a)); goto BB1 } BB1 { 
@@ -72,7 +72,7 @@ module C682_Foo } BB2 { assume { resolve0 a }; - assert { [@expl:assertion] [#"../682.rs" 15 18 15 27] * a > Ghost.inner a_p }; + assert { [@expl:assertion] [#"../682.rs" 15 18 15 27] * a > Snapshot.inner a_p }; [#"../682.rs" 12 24 16 1] _0 <- ([#"../682.rs" 12 24 16 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/682.rs b/creusot/tests/should_succeed/bug/682.rs index 869462f7e8..e26d997f37 100644 --- a/creusot/tests/should_succeed/bug/682.rs +++ b/creusot/tests/should_succeed/bug/682.rs @@ -10,7 +10,7 @@ fn add_some(a: &mut u64) { #[requires(*a == 3u64)] #[ensures(^a > *a)] pub fn foo(a: &mut u64) { - let a_p: Ghost = gh!(*a); + let a_p: Snapshot = snapshot!(*a); add_some(a); proof_assert!(*a > *a_p); } diff --git a/creusot/tests/should_succeed/bug/768.rs b/creusot/tests/should_succeed/bug/768.rs index 0baf4161d3..175c6947f2 100644 --- a/creusot/tests/should_succeed/bug/768.rs +++ b/creusot/tests/should_succeed/bug/768.rs @@ -8,7 +8,7 @@ pub struct A { impl A { #[open] - #[ghost] + #[logic] pub fn with_l(self, l: usize) -> Self { A { l, ..self } } diff --git a/creusot/tests/should_succeed/bug/797.rs b/creusot/tests/should_succeed/bug/797.rs index a65c40c744..df3951ecb4 100644 --- a/creusot/tests/should_succeed/bug/797.rs +++ b/creusot/tests/should_succeed/bug/797.rs @@ -2,7 +2,7 @@ extern crate creusot_contracts; use creusot_contracts::{logic::Mapping, *}; #[open] -#[ghost] +#[logic] pub fn make_mapping() -> Mapping<(Int, Int), bool> { |(x, y)| x + y == 0 } diff --git a/creusot/tests/should_succeed/bug/874.mlcfg b/creusot/tests/should_succeed/bug/874.mlcfg index 63e5f6614a..d2da1c5c95 100644 --- a/creusot/tests/should_succeed/bug/874.mlcfg +++ b/creusot/tests/should_succeed/bug/874.mlcfg 
@@ -290,7 +290,7 @@ module C874_CanExtend goto BB2 } BB2 { - [#"../874.rs" 5 16 5 29] v <- ([#"../874.rs" 5 16 5 29] into_vec0 ([#"../../../../../creusot-contracts/src/lib.rs" 254 47 254 56] let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = ([#"../874.rs" 5 21 5 22] [#"../874.rs" 5 21 5 22] (1 : int32))}; assume {Seq.get (__arr_temp.elts) 1 = ([#"../874.rs" 5 24 5 25] [#"../874.rs" 5 24 5 25] (2 : int32))}; assume {Seq.get (__arr_temp.elts) 2 = ([#"../874.rs" 5 27 5 28] [#"../874.rs" 5 27 5 28] (3 : int32))}; assume {Slice.length __arr_temp = 3}; __arr_temp)); + [#"../874.rs" 5 16 5 29] v <- ([#"../874.rs" 5 16 5 29] into_vec0 ([#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = ([#"../874.rs" 5 21 5 22] [#"../874.rs" 5 21 5 22] (1 : int32))}; assume {Seq.get (__arr_temp.elts) 1 = ([#"../874.rs" 5 24 5 25] [#"../874.rs" 5 24 5 25] (2 : int32))}; assume {Seq.get (__arr_temp.elts) 2 = ([#"../874.rs" 5 27 5 28] [#"../874.rs" 5 27 5 28] (3 : int32))}; assume {Slice.length __arr_temp = 3}; __arr_temp)); goto BB3 } BB3 { 
@@ -300,7 +300,7 @@ module C874_CanExtend goto BB5 } BB5 { - [#"../874.rs" 6 12 6 25] w <- ([#"../874.rs" 6 12 6 25] into_vec0 ([#"../../../../../creusot-contracts/src/lib.rs" 254 47 254 56] let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = ([#"../874.rs" 6 17 6 18] [#"../874.rs" 6 17 6 18] (4 : int32))}; assume {Seq.get (__arr_temp.elts) 1 = ([#"../874.rs" 6 20 6 21] [#"../874.rs" 6 20 6 21] (5 : int32))}; assume {Seq.get (__arr_temp.elts) 2 = ([#"../874.rs" 6 23 6 24] [#"../874.rs" 6 23 6 24] (6 : int32))}; assume {Slice.length __arr_temp = 3}; __arr_temp)); + [#"../874.rs" 6 12 6 25] w <- ([#"../874.rs" 6 12 6 25] into_vec0 ([#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = ([#"../874.rs" 6 17 6 18] [#"../874.rs" 6 17 6 18] (4 : int32))}; assume {Seq.get (__arr_temp.elts) 1 = ([#"../874.rs" 6 20 6 21] [#"../874.rs" 6 20 6 21] (5 : int32))}; assume {Seq.get (__arr_temp.elts) 2 = ([#"../874.rs" 6 23 6 24] [#"../874.rs" 6 23 6 24] (6 : int32))}; assume {Slice.length __arr_temp = 3}; __arr_temp)); goto BB6 } BB6 { 
@@ -319,7 +319,7 @@ module C874_CanExtend goto BB9 } BB9 { - [#"../874.rs" 9 12 9 34] z <- ([#"../874.rs" 9 12 9 34] into_vec0 ([#"../../../../../creusot-contracts/src/lib.rs" 254 47 254 56] let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = ([#"../874.rs" 9 17 9 18] [#"../874.rs" 9 17 9 18] (1 : int32))}; assume {Seq.get (__arr_temp.elts) 1 = ([#"../874.rs" 9 20 9 21] [#"../874.rs" 9 20 9 21] (2 : int32))}; assume {Seq.get (__arr_temp.elts) 2 = ([#"../874.rs" 9 23 9 24] [#"../874.rs" 9 23 9 24] (3 : int32))}; assume {Seq.get (__arr_temp.elts) 3 = ([#"../874.rs" 9 26 9 27] [#"../874.rs" 9 26 9 27] (4 : int32))}; assume {Seq.get (__arr_temp.elts) 4 = ([#"../874.rs" 9 29 9 30] [#"../874.rs" 9 29 9 30] (5 : int32))}; assume {Seq.get (__arr_temp.elts) 5 = ([#"../874.rs" 9 32 9 33] [#"../874.rs" 9 32 9 33] (6 : int32))}; assume {Slice.length __arr_temp = 6}; __arr_temp)); + [#"../874.rs" 9 12 9 34] z <- ([#"../874.rs" 9 12 9 34] into_vec0 ([#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = ([#"../874.rs" 9 17 9 18] [#"../874.rs" 9 17 9 18] (1 : int32))}; assume {Seq.get (__arr_temp.elts) 1 = ([#"../874.rs" 9 20 9 21] [#"../874.rs" 9 20 9 21] (2 : int32))}; assume {Seq.get (__arr_temp.elts) 2 = ([#"../874.rs" 9 23 9 24] [#"../874.rs" 9 23 9 24] (3 : int32))}; assume {Seq.get (__arr_temp.elts) 3 = ([#"../874.rs" 9 26 9 27] [#"../874.rs" 9 26 9 27] (4 : int32))}; assume {Seq.get (__arr_temp.elts) 4 = ([#"../874.rs" 9 29 9 30] [#"../874.rs" 9 29 9 30] (5 : int32))}; assume {Seq.get (__arr_temp.elts) 5 = ([#"../874.rs" 9 32 9 33] [#"../874.rs" 9 32 9 33] (6 : int32))}; assume {Slice.length __arr_temp = 6}; __arr_temp)); goto BB10 } BB10 { diff --git a/creusot/tests/should_succeed/bug/pure_neq.rs b/creusot/tests/should_succeed/bug/pure_neq.rs index 09e55673a2..feff180fa1 100644 --- a/creusot/tests/should_succeed/bug/pure_neq.rs 
+++ b/creusot/tests/should_succeed/bug/pure_neq.rs @@ -2,7 +2,7 @@ extern crate creusot_contracts; use creusot_contracts::{logic::Int, *}; #[open] -#[ghost] +#[logic] #[ensures(result == !(x == y))] pub fn f(x: Option, y: Option) -> bool { pearlite! { x != y } diff --git a/creusot/tests/should_succeed/cell/02.mlcfg b/creusot/tests/should_succeed/cell/02.mlcfg index a56f1f67d8..15bee105da 100644 --- a/creusot/tests/should_succeed/cell/02.mlcfg +++ b/creusot/tests/should_succeed/cell/02.mlcfg @@ -224,7 +224,7 @@ module C02_FibMemo val fib_cell0 [#"../02.rs" 84 0 84 32] (v : Alloc_Vec_Vec_Type.t_vec (C02_Cell_Type.t_cell (Core_Option_Option_Type.t_option usize) (C02_Fib_Type.t_fib)) (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = fib_cell0 v } - use prelude.Ghost + use prelude.Snapshot function fib0 [#"../02.rs" 32 0 32 25] (i : int) : int axiom fib0_def : forall i : int . fib0 i = ([#"../02.rs" 29 0 29 8] if i <= 0 then 0 @@ -247,7 +247,7 @@ module C02_FibMemo requires {[#"../02.rs" 24 16 24 20] inv2 self} requires {[#"../02.rs" 24 22 24 23] inv4 v} - use prelude.Ghost + use prelude.Snapshot use int.Power function lemma_fib_bound0 [#"../02.rs" 47 0 47 30] (i : int) : () axiom lemma_fib_bound0_def : forall i : int . lemma_fib_bound0 i = ([#"../02.rs" 43 0 43 8] if i = 0 then @@ -260,7 +260,7 @@ module C02_FibMemo ensures { result = lemma_fib_bound0 i } axiom lemma_fib_bound0_spec : forall i : int . ([#"../02.rs" 44 11 44 17] 0 <= i) -> ([#"../02.rs" 45 10 45 28] fib0 i <= Power.power 2 i) - use prelude.Ghost + use prelude.Snapshot function lemma_max_int0 [#"../02.rs" 62 0 62 22] (_1 : ()) : () = [#"../02.rs" 60 0 60 8] () val lemma_max_int0 [#"../02.rs" 62 0 62 22] (_1 : ()) : () 
@@ -308,8 +308,8 @@ module C02_FibMemo var _9 : C02_Cell_Type.t_cell (Core_Option_Option_Type.t_option usize) (C02_Fib_Type.t_fib); var v : usize; var fib_i : usize; - var _19 : Ghost.ghost_ty (); - var _21 : Ghost.ghost_ty (); + var _19 : Snapshot.snap_ty (); + var _21 : Snapshot.snap_ty (); var _23 : usize; var _27 : usize; var _33 : (); @@ -364,11 +364,11 @@ module C02_FibMemo goto BB15 } BB10 { - [#"../02.rs" 104 16 104 37] _19 <- ([#"../02.rs" 104 16 104 37] Ghost.new ()); + [#"../02.rs" 104 16 104 43] _19 <- ([#"../02.rs" 104 16 104 43] Snapshot.new ()); goto BB11 } BB11 { - [#"../02.rs" 105 16 105 39] _21 <- ([#"../02.rs" 105 16 105 39] Ghost.new ()); + [#"../02.rs" 105 16 105 45] _21 <- ([#"../02.rs" 105 16 105 45] Snapshot.new ()); goto BB12 } BB12 { diff --git a/creusot/tests/should_succeed/cell/02.rs b/creusot/tests/should_succeed/cell/02.rs index 97186b6576..5bb5e2a2e9 100644 --- a/creusot/tests/should_succeed/cell/02.rs +++ b/creusot/tests/should_succeed/cell/02.rs @@ -26,7 +26,7 @@ impl> Cell { } } -#[ghost] +#[logic] #[open] #[variant(i)] pub fn fib(i: Int) -> Int { @@ -40,7 +40,7 @@ pub fn fib(i: Int) -> Int { } #[open] -#[ghost] +#[logic] #[requires(0 <= i)] #[ensures(fib(i) <= 2.pow(i))] #[variant(i)] @@ -57,7 +57,7 @@ pub fn lemma_fib_bound(i: Int) { #[trusted] #[open] -#[ghost] +#[logic] #[ensures(2.pow(63) < 0xffff_ffff_ffff_ffffusize@)] pub fn lemma_max_int() {} @@ -101,8 +101,8 @@ pub fn fib_memo(mem: &FibCache, i: usize) -> usize { } else if i == 1 { 1 } else { - gh! { lemma_max_int }; - gh! { lemma_fib_bound }; + snapshot! { lemma_max_int }; + snapshot! { lemma_fib_bound }; fib_memo(mem, i - 1) + fib_memo(mem, i - 2) }; proof_assert! { fib_i@ == fib(i@)}; diff --git a/creusot/tests/should_succeed/clones/02.rs b/creusot/tests/should_succeed/clones/02.rs index 074c8831d2..5131557d90 100644 --- a/creusot/tests/should_succeed/clones/02.rs +++ b/creusot/tests/should_succeed/clones/02.rs 
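Review bot: `snapshot! { lemma_max_int };` and `snapshot! { lemma_fib_bound };` are statements whose value is dropped, and under the new macro name they read as snapshotting nothing; the idiom is presumably there to bring the two lemmas into scope for the `proof_assert!` that follows. A comment above the pair, `// invoke the lemmas for the proof below; the snapshot value itself is unused`, would stop a reader or an unused-value lint from treating them as dead code. `fib_memo`'s body starts and ends outside the hunk.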
@@ -5,12 +5,12 @@ use creusot_contracts::*; // Here we want to ensure that `program` properly shares // the implementation of simple between itself and `uses_simple`. -#[ghost] +#[logic] fn simple() -> bool { true } -#[ghost] +#[logic] fn uses_simple() -> bool { simple() } diff --git a/creusot/tests/should_succeed/clones/03.rs b/creusot/tests/should_succeed/clones/03.rs index 85afc4d94b..acc5f3c8f6 100644 --- a/creusot/tests/should_succeed/clones/03.rs +++ b/creusot/tests/should_succeed/clones/03.rs @@ -2,7 +2,7 @@ extern crate creusot_contracts; use creusot_contracts::*; -#[ghost] +#[logic] fn omg(_x: T) -> bool { true } diff --git a/creusot/tests/should_succeed/clones/04.rs b/creusot/tests/should_succeed/clones/04.rs index 2c9ec822d8..0d3827e3e4 100644 --- a/creusot/tests/should_succeed/clones/04.rs +++ b/creusot/tests/should_succeed/clones/04.rs @@ -2,17 +2,17 @@ extern crate creusot_contracts; use creusot_contracts::*; -#[ghost] +#[logic] fn a(x: u32) -> bool { x > 0u32 } -#[ghost] +#[logic] fn b(x: u32) -> bool { x > 10u32 && a(x) } -#[ghost] +#[logic] fn c(x: u32) -> bool { x < 50u32 && b(x) } diff --git a/creusot/tests/should_succeed/filter_positive.rs b/creusot/tests/should_succeed/filter_positive.rs index 40888e945a..e5fbef896d 100644 --- a/creusot/tests/should_succeed/filter_positive.rs +++ b/creusot/tests/should_succeed/filter_positive.rs @@ -32,7 +32,7 @@ use creusot_contracts::{ // number of positive elements of `t` between `i` (included) and `j` // (excluded) -#[ghost] +#[logic] #[variant(j-i)] fn num_of_pos(i: Int, j: Int, t: Seq) -> Int { pearlite! { @@ -58,7 +58,7 @@ fn num_of_pos(i: Int, j: Int, t: Seq) -> Int { // // lemma: `num_of_pos` is increasing -#[ghost] +#[logic] #[requires(j <= k)] #[ensures(num_of_pos(i,j,t) <= num_of_pos(i,k,t))] #[variant(k-j)] 
@@ -72,7 +72,7 @@ fn lemma_num_of_pos_increasing(i: Int, j: Int, k: Int, t: Seq) { // lemma: `num_of_pos` is strictly increasing when a positive element // is met -#[ghost] +#[logic] #[requires(0 <= i && i < t.len())] #[requires(t[i]@ > 0)] #[ensures(num_of_pos(0,i,t) < num_of_pos(0,i+1,t))] diff --git a/creusot/tests/should_succeed/hashmap.mlcfg b/creusot/tests/should_succeed/hashmap.mlcfg index bf068bf2d6..e2130c43b3 100644 --- a/creusot/tests/should_succeed/hashmap.mlcfg +++ b/creusot/tests/should_succeed/hashmap.mlcfg @@ -445,16 +445,16 @@ module Hashmap_Impl5_Add ensures { result = inv5 _x } axiom inv5 : forall x : deep_model_ty0 . inv5 x = true - use prelude.Ghost - predicate invariant4 (self : Ghost.ghost_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) - val invariant4 (self : Ghost.ghost_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) : bool + use prelude.Snapshot + predicate invariant4 (self : Snapshot.snap_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) + val invariant4 (self : Snapshot.snap_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) : bool ensures { result = invariant4 self } - predicate inv4 (_x : Ghost.ghost_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) - val inv4 (_x : Ghost.ghost_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) : bool + predicate inv4 (_x : Snapshot.snap_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) + val inv4 (_x : Snapshot.snap_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) : bool ensures { result = inv4 _x } - axiom inv4 : forall x : Ghost.ghost_ty (borrowed (Hashmap_List_Type.t_list (k, v))) . inv4 x = true + axiom inv4 : forall x : Snapshot.snap_ty (borrowed (Hashmap_List_Type.t_list (k, v))) . inv4 x = true predicate invariant3 (self : borrowed (Hashmap_List_Type.t_list (k, v))) val invariant3 (self : borrowed (Hashmap_List_Type.t_list (k, v))) : bool ensures { result = invariant3 self } 
@@ -497,15 +497,15 @@ module Hashmap_Impl5_Add ensures { result = invariant1 self } axiom inv1 : forall x : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global) . inv1 x = true - predicate invariant0 (self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) - val invariant0 (self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool + predicate invariant0 (self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) + val invariant0 (self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) - val inv0 (_x : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) + val inv0 (_x : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) . inv0 x = true use prelude.Mapping function deep_model0 (self : k) : deep_model_ty0 val deep_model0 (self : k) : deep_model_ty0 
@@ -631,14 +631,14 @@ module Hashmap_Impl5_Add requires {inv14 other} ensures { [#"../../../../creusot-contracts/src/std/cmp.rs" 11 26 11 75] result = (deep_model1 self = deep_model1 other) } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - predicate resolve2 (self : Ghost.ghost_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) - val resolve2 (self : Ghost.ghost_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) : bool + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + predicate resolve2 (self : Snapshot.snap_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) + val resolve2 (self : Snapshot.snap_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) : bool ensures { result = resolve2 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve1 (self : borrowed (Hashmap_List_Type.t_list (k, v))) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed (Hashmap_List_Type.t_list (k, v))) : bool @@ -698,11 +698,11 @@ module Hashmap_Impl5_Add requires {inv13 self} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 75 26 75 48] UIntSize.to_int result = Seq.length (shallow_model3 self) } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) - val resolve0 (self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) + val resolve0 (self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg add [#"../hashmap.rs" 106 4 106 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) (key : k) (val' : v) : () requires {[#"../hashmap.rs" 103 15 103 36] hashmap_inv0 ( * self)} requires {[#"../hashmap.rs" 106 20 106 24] inv12 self} 
@@ -720,7 +720,7 @@ module Hashmap_Impl5_Add var self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v) = self; var key : k = key; var val' : v = val'; - var old_self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)); + var old_self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)); var length : usize; var index : usize; var _13 : uint64; @@ -730,7 +730,7 @@ module Hashmap_Impl5_Add var _18 : borrowed (Hashmap_List_Type.t_list (k, v)); var _19 : borrowed (Hashmap_List_Type.t_list (k, v)); var _20 : borrowed (Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)); - var old_l : Ghost.ghost_ty (borrowed (Hashmap_List_Type.t_list (k, v))); + var old_l : Snapshot.snap_ty (borrowed (Hashmap_List_Type.t_list (k, v))); var k : borrowed k; var v : borrowed v; var tl : borrowed (Hashmap_List_Type.t_list (k, v)); @@ -742,7 +742,7 @@ module Hashmap_Impl5_Add goto BB0 } BB0 { - [#"../hashmap.rs" 108 23 108 35] old_self <- ([#"../hashmap.rs" 108 23 108 35] Ghost.new self); + [#"../hashmap.rs" 108 23 108 41] old_self <- ([#"../hashmap.rs" 108 23 108 41] Snapshot.new self); goto BB1 } BB1 { @@ -781,7 +781,7 @@ module Hashmap_Impl5_Add assume { inv2 ( ^ l) }; assert { [@expl:type invariant] inv3 _18 }; assume { resolve1 _18 }; - [#"../hashmap.rs" 112 20 112 29] old_l <- ([#"../hashmap.rs" 112 20 112 29] Ghost.new l); + [#"../hashmap.rs" 112 20 112 35] old_l <- ([#"../hashmap.rs" 112 20 112 35] Snapshot.new l); goto BB6 } BB6 { 
@@ -790,12 +790,12 @@ module Hashmap_Impl5_Add goto BB7 } BB7 { - invariant { [#"../hashmap.rs" 114 20 114 52] good_bucket0 ( * Ghost.inner old_self) ( * l) (UIntSize.to_int index) }; - invariant { [#"../hashmap.rs" 114 8 114 54] good_bucket0 ( * Ghost.inner old_self) ( ^ l) (UIntSize.to_int index) -> good_bucket0 ( * Ghost.inner old_self) ( ^ Ghost.inner old_l) (UIntSize.to_int index) }; - invariant { [#"../hashmap.rs" 114 8 114 54] get0 ( ^ l) (deep_model0 key) = Core_Option_Option_Type.C_Some val' -> get0 ( ^ Ghost.inner old_l) (deep_model0 key) = Core_Option_Option_Type.C_Some val' }; - invariant { [#"../hashmap.rs" 114 8 114 54] forall i : deep_model_ty0 . inv5 i -> get0 ( ^ l) i = get0 ( * l) i -> get0 ( ^ Ghost.inner old_l) i = get0 ( * Ghost.inner old_l) i }; + invariant { [#"../hashmap.rs" 114 20 114 52] good_bucket0 ( * Snapshot.inner old_self) ( * l) (UIntSize.to_int index) }; + invariant { [#"../hashmap.rs" 114 8 114 54] good_bucket0 ( * Snapshot.inner old_self) ( ^ l) (UIntSize.to_int index) -> good_bucket0 ( * Snapshot.inner old_self) ( ^ Snapshot.inner old_l) (UIntSize.to_int index) }; + invariant { [#"../hashmap.rs" 114 8 114 54] get0 ( ^ l) (deep_model0 key) = Core_Option_Option_Type.C_Some val' -> get0 ( ^ Snapshot.inner old_l) (deep_model0 key) = Core_Option_Option_Type.C_Some val' }; + invariant { [#"../hashmap.rs" 114 8 114 54] forall i : deep_model_ty0 . inv5 i -> get0 ( ^ l) i = get0 ( * l) i -> get0 ( ^ Snapshot.inner old_l) i = get0 ( * Snapshot.inner old_l) i }; invariant { [#"../hashmap.rs" 118 20 118 44] no_double_binding0 ( * l) }; - invariant { [#"../hashmap.rs" 114 8 114 54] (forall i : deep_model_ty0 . inv5 i -> get0 ( * l) i = get0 ( ^ l) i \/ i = deep_model0 key) /\ no_double_binding0 ( ^ l) -> no_double_binding0 ( ^ Ghost.inner old_l) }; + invariant { [#"../hashmap.rs" 114 8 114 54] (forall i : deep_model_ty0 . 
inv5 i -> get0 ( * l) i = get0 ( ^ l) i \/ i = deep_model0 key) /\ no_double_binding0 ( ^ l) -> no_double_binding0 ( ^ Snapshot.inner old_l) }; goto BB8 } BB8 { @@ -1474,16 +1474,16 @@ module Hashmap_Impl5_Resize ensures { result = inv1 _x } axiom inv1 : forall x : deep_model_ty0 . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) - val invariant0 (self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) + val invariant0 (self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) - val inv0 (_x : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) + val inv0 (_x : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) . inv0 x = true use prelude.Mapping function deep_model0 (self : k) : deep_model_ty0 val deep_model0 (self : k) : deep_model_ty0 @@ -1654,7 +1654,7 @@ module Hashmap_Impl5_Resize val resolve1 (self : Hashmap_MyHashMap_Type.t_myhashmap k v) : bool ensures { result = resolve1 self } - use prelude.Ghost + use prelude.Snapshot function shallow_model6 (self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) = 
@@ -1662,12 +1662,12 @@ module Hashmap_Impl5_Resize val shallow_model6 (self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) ensures { result = shallow_model6 self } - use prelude.Ghost - function shallow_model1 (self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) + use prelude.Snapshot + function shallow_model1 (self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) = - [#"../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model6 (Ghost.inner self) - val shallow_model1 (self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) + [#"../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model6 (Snapshot.inner self) + val shallow_model1 (self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) ensures { result = shallow_model1 self } val new1 [#"../hashmap.rs" 98 4 98 46] (size : usize) : Hashmap_MyHashMap_Type.t_myhashmap k v 
@@ -1687,11 +1687,11 @@ module Hashmap_Impl5_Resize requires {inv10 self} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 75 26 75 48] UIntSize.to_int result = Seq.length (shallow_model5 self) } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) - val resolve0 (self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) + val resolve0 (self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg resize [#"../hashmap.rs" 161 4 161 24] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) : () requires {[#"../hashmap.rs" 156 15 156 41] Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * self))) < 1000} requires {[#"../hashmap.rs" 157 15 157 36] hashmap_inv0 ( * self)} @@ -1702,7 +1702,7 @@ module Hashmap_Impl5_Resize = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v) = self; - var old_self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)); + var old_self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)); var new : Hashmap_MyHashMap_Type.t_myhashmap k v; var _10 : usize; var i : usize; @@ -1722,7 +1722,7 @@ module Hashmap_Impl5_Resize goto BB0 } BB0 { - [#"../hashmap.rs" 162 23 162 35] old_self <- ([#"../hashmap.rs" 162 23 162 35] Ghost.new self); + [#"../hashmap.rs" 162 23 162 41] old_self <- ([#"../hashmap.rs" 162 23 162 41] Snapshot.new self); goto BB1 } BB1 { 
@@ -1747,12 +1747,12 @@ module Hashmap_Impl5_Resize goto BB6 } BB6 { - invariant { [#"../hashmap.rs" 166 8 166 111] forall k : deep_model_ty0 . inv1 k -> bucket_ix0 ( * Ghost.inner old_self) k < UIntSize.to_int i -> Map.get (shallow_model1 old_self) k = Map.get (shallow_model2 new) k }; - invariant { [#"../hashmap.rs" 166 8 166 111] forall k : deep_model_ty0 . inv1 k -> UIntSize.to_int i <= bucket_ix0 ( * Ghost.inner old_self) k /\ bucket_ix0 ( * Ghost.inner old_self) k <= Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Ghost.inner old_self))) -> Map.get (shallow_model2 new) k = Core_Option_Option_Type.C_None }; - invariant { [#"../hashmap.rs" 166 8 166 111] forall j : int . UIntSize.to_int i <= j /\ j < Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Ghost.inner old_self))) -> index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * self)) j = index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Ghost.inner old_self)) j }; + invariant { [#"../hashmap.rs" 166 8 166 111] forall k : deep_model_ty0 . inv1 k -> bucket_ix0 ( * Snapshot.inner old_self) k < UIntSize.to_int i -> Map.get (shallow_model1 old_self) k = Map.get (shallow_model2 new) k }; + invariant { [#"../hashmap.rs" 166 8 166 111] forall k : deep_model_ty0 . inv1 k -> UIntSize.to_int i <= bucket_ix0 ( * Snapshot.inner old_self) k /\ bucket_ix0 ( * Snapshot.inner old_self) k <= Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Snapshot.inner old_self))) -> Map.get (shallow_model2 new) k = Core_Option_Option_Type.C_None }; + invariant { [#"../hashmap.rs" 166 8 166 111] forall j : int . 
UIntSize.to_int i <= j /\ j < Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Snapshot.inner old_self))) -> index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * self)) j = index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Snapshot.inner old_self)) j }; invariant { [#"../hashmap.rs" 172 20 172 37] hashmap_inv0 new }; - invariant { [#"../hashmap.rs" 173 20 173 46] ^ Ghost.inner old_self = ^ self }; - invariant { [#"../hashmap.rs" 174 20 174 66] Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Ghost.inner old_self))) = Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * self))) }; + invariant { [#"../hashmap.rs" 173 20 173 46] ^ Snapshot.inner old_self = ^ self }; + invariant { [#"../hashmap.rs" 174 20 174 66] Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Snapshot.inner old_self))) = Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * self))) }; invariant { [#"../hashmap.rs" 175 20 175 45] UIntSize.to_int i <= Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * self))) }; goto BB7 } 
@@ -1809,14 +1809,14 @@ module Hashmap_Impl5_Resize } BB17 { invariant { [#"../hashmap.rs" 179 24 179 41] hashmap_inv0 new }; - invariant { [#"../hashmap.rs" 179 12 179 43] forall k : deep_model_ty0 . inv1 k -> bucket_ix0 ( * Ghost.inner old_self) k < UIntSize.to_int i -> Map.get (shallow_model1 old_self) k = Map.get (shallow_model2 new) k }; - invariant { [#"../hashmap.rs" 179 12 179 43] forall k : deep_model_ty0 . inv1 k -> UIntSize.to_int i < bucket_ix0 ( * Ghost.inner old_self) k /\ bucket_ix0 ( * Ghost.inner old_self) k <= Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Ghost.inner old_self))) -> Map.get (shallow_model2 new) k = Core_Option_Option_Type.C_None }; - invariant { [#"../hashmap.rs" 179 12 179 43] forall k : deep_model_ty0 . inv1 k -> bucket_ix0 ( * Ghost.inner old_self) k = UIntSize.to_int i -> Map.get (shallow_model1 old_self) k = match get1 l k with + invariant { [#"../hashmap.rs" 179 12 179 43] forall k : deep_model_ty0 . inv1 k -> bucket_ix0 ( * Snapshot.inner old_self) k < UIntSize.to_int i -> Map.get (shallow_model1 old_self) k = Map.get (shallow_model2 new) k }; + invariant { [#"../hashmap.rs" 179 12 179 43] forall k : deep_model_ty0 . inv1 k -> UIntSize.to_int i < bucket_ix0 ( * Snapshot.inner old_self) k /\ bucket_ix0 ( * Snapshot.inner old_self) k <= Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Snapshot.inner old_self))) -> Map.get (shallow_model2 new) k = Core_Option_Option_Type.C_None }; + invariant { [#"../hashmap.rs" 179 12 179 43] forall k : deep_model_ty0 . 
inv1 k -> bucket_ix0 ( * Snapshot.inner old_self) k = UIntSize.to_int i -> Map.get (shallow_model1 old_self) k = match get1 l k with | Core_Option_Option_Type.C_None -> Map.get (shallow_model2 new) k | Core_Option_Option_Type.C_Some v -> Core_Option_Option_Type.C_Some v end }; invariant { [#"../hashmap.rs" 186 24 186 45] no_double_binding0 l }; - invariant { [#"../hashmap.rs" 187 24 187 51] good_bucket0 ( * Ghost.inner old_self) l (UIntSize.to_int i) }; + invariant { [#"../hashmap.rs" 187 24 187 51] good_bucket0 ( * Snapshot.inner old_self) l (UIntSize.to_int i) }; goto BB18 } BB18 { @@ -1863,7 +1863,7 @@ module Hashmap_Impl5_Resize BB25 { assert { [@expl:type invariant] inv5 l }; assume { resolve4 l }; - assert { [@expl:assertion] [#"../hashmap.rs" 192 12 192 121] forall k : deep_model_ty0 . inv1 k -> bucket_ix0 ( * Ghost.inner old_self) k = UIntSize.to_int i -> Map.get (shallow_model1 old_self) k = Map.get (shallow_model2 new) k }; + assert { [@expl:assertion] [#"../hashmap.rs" 192 12 192 121] forall k : deep_model_ty0 . inv1 k -> bucket_ix0 ( * Snapshot.inner old_self) k = UIntSize.to_int i -> Map.get (shallow_model1 old_self) k = Map.get (shallow_model2 new) k }; goto BB27 } BB26 { diff --git a/creusot/tests/should_succeed/hashmap.rs b/creusot/tests/should_succeed/hashmap.rs index 96ce8163e0..d844cac633 100644 --- a/creusot/tests/should_succeed/hashmap.rs +++ b/creusot/tests/should_succeed/hashmap.rs @@ -23,7 +23,7 @@ impl Clone for List { } impl List<(K, V)> { - #[ghost] + #[logic] #[open] pub fn get(self, index: K::DeepModelTy) -> Option { pearlite! { @@ -50,7 +50,7 @@ trait Hash: DeepModel { #[ensures(result@ == Self::hash_log(self.deep_model()))] fn hash(&self) -> u64; - #[ghost] + #[logic] fn hash_log(_: Self::DeepModelTy) -> Int; } @@ -60,7 +60,7 @@ impl Hash for usize { *self as u64 } - #[ghost] + #[logic] fn hash_log(x: Int) -> Int { pearlite! { x } } 
@@ -74,18 +74,18 @@ impl ShallowModel for MyHashMap { type ShallowModelTy = Mapping>; #[open(self)] - #[ghost] + #[logic] fn shallow_model(self) -> Self::ShallowModelTy { pearlite! { |k| self.bucket(k).get(k) } } } impl MyHashMap { - #[ghost] + #[logic] fn bucket(self, k: K::DeepModelTy) -> List<(K, V)> { pearlite! { self.buckets[self.bucket_ix(k)] } } - #[ghost] + #[logic] fn bucket_ix(self, k: K::DeepModelTy) -> Int { pearlite! { K::hash_log(k).rem_euclid(self.buckets@.len()) } } @@ -105,11 +105,11 @@ impl MyHashMap { #[ensures(forall (^self)@.get(i) == (if i == key.deep_model() { Some(val) } else { self@.get(i) } ))] pub fn add(&mut self, key: K, val: V) { use List::*; - let old_self = gh! { self }; + let old_self = snapshot! { self }; let length = self.buckets.len(); let index: usize = key.hash() as usize % length; let mut l: &mut List<_> = &mut self.buckets[index]; - let old_l = gh! { l }; + let old_l = snapshot! { l }; #[invariant(old_self.good_bucket(*l, index@))] #[invariant(old_self.good_bucket(^l, index@) ==> old_self.good_bucket(^old_l.inner(), index@))] @@ -159,7 +159,7 @@ impl MyHashMap { #[ensures(forall (^self)@.get(k) == self@.get(k))] // lets prove the extensional version for now #[allow(dead_code)] fn resize(&mut self) { - let old_self = gh! { self }; + let old_self = snapshot! { self }; let mut new = Self::new(self.buckets.len() * 2); let mut i: usize = 0; diff --git a/creusot/tests/should_succeed/heapsort_generic.mlcfg b/creusot/tests/should_succeed/heapsort_generic.mlcfg index e0f38b0994..72aa82241c 100644 --- a/creusot/tests/should_succeed/heapsort_generic.mlcfg +++ b/creusot/tests/should_succeed/heapsort_generic.mlcfg 
@@ -377,17 +377,17 @@ module HeapsortGeneric_SiftDown ensures { result = invariant1 self } axiom inv1 : forall x : deep_model_ty0 . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + val invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + val inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true function deep_model3 (self : t) : deep_model_ty0 val deep_model3 (self : t) : deep_model_ty0 ensures { result = deep_model3 self } 
@@ -507,7 +507,7 @@ module HeapsortGeneric_SiftDown val deep_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq deep_model_ty0 ensures { result = deep_model0 self } - use prelude.Ghost + use prelude.Snapshot use seq.Permut predicate permutation_of0 (self : Seq.seq t) (o : Seq.seq t) = [#"../../../../creusot-contracts/src/logic/seq.rs" 107 8 107 37] Permut.permut self o 0 (Seq.length self) 
@@ -520,18 +520,19 @@ module HeapsortGeneric_SiftDown val shallow_model4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model4 self } - function shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + function shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t = - [#"../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model4 (Ghost.inner self) - val shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + [#"../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model4 (Snapshot.inner self) + val shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t ensures { result = shallow_model1 self } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + + val resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg sift_down [#"../heapsort_generic.rs" 41 0 43 29] [@cfg:stackify] [@cfg:subregion_analysis] (v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) (start : usize) (end' : usize) : () requires {[#"../heapsort_generic.rs" 31 11 31 54] heap_frag0 (deep_model0 v) (UIntSize.to_int start + 1) (UIntSize.to_int end')} requires {[#"../heapsort_generic.rs" 32 11 32 24] UIntSize.to_int start < UIntSize.to_int end'} 
@@ -547,7 +548,7 @@ module HeapsortGeneric_SiftDown var v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = v; var start : usize = start; var end' : usize = end'; - var old_v : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); + var old_v : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); var i : usize; var _28 : bool; var child : usize; @@ -566,7 +567,7 @@ module HeapsortGeneric_SiftDown goto BB0 } BB0 { - [#"../heapsort_generic.rs" 45 16 45 25] old_v <- ([#"../heapsort_generic.rs" 45 16 45 25] Ghost.new v); + [#"../heapsort_generic.rs" 45 16 45 31] old_v <- ([#"../heapsort_generic.rs" 45 16 45 31] Snapshot.new v); goto BB1 } BB1 { 
@@ -578,8 +579,8 @@ module HeapsortGeneric_SiftDown BB2 { invariant { [#"../heapsort_generic.rs" 48 4 48 43] permutation_of0 (shallow_model0 v) (shallow_model1 old_v) }; invariant { [#"../heapsort_generic.rs" 49 16 49 41] UIntSize.to_int start <= UIntSize.to_int i /\ UIntSize.to_int i < UIntSize.to_int end' }; - invariant { [#"../heapsort_generic.rs" 48 4 48 43] forall j : int . 0 <= j /\ j < UIntSize.to_int start \/ UIntSize.to_int end' <= j /\ j < Seq.length (shallow_model0 v) -> index_logic0 ( * Ghost.inner old_v) j = index_logic0 ( * v) j }; - invariant { [#"../heapsort_generic.rs" 48 4 48 43] forall m : deep_model_ty0 . inv1 m -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' -> le_log0 (Seq.get (deep_model0 (Ghost.inner old_v)) j) m) -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' -> le_log0 (Seq.get (deep_model0 v) j) m) }; + invariant { [#"../heapsort_generic.rs" 48 4 48 43] forall j : int . 0 <= j /\ j < UIntSize.to_int start \/ UIntSize.to_int end' <= j /\ j < Seq.length (shallow_model0 v) -> index_logic0 ( * Snapshot.inner old_v) j = index_logic0 ( * v) j }; + invariant { [#"../heapsort_generic.rs" 48 4 48 43] forall m : deep_model_ty0 . inv1 m -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' -> le_log0 (Seq.get (deep_model0 (Snapshot.inner old_v)) j) m) -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' -> le_log0 (Seq.get (deep_model0 v) j) m) }; invariant { [#"../heapsort_generic.rs" 48 4 48 43] forall j : int . 
UIntSize.to_int start <= parent0 j /\ j < UIntSize.to_int end' /\ UIntSize.to_int i <> parent0 j -> le_log0 (Seq.get (deep_model0 v) j) (Seq.get (deep_model0 v) (parent0 j)) }; invariant { [#"../heapsort_generic.rs" 48 4 48 43] let c = 2 * UIntSize.to_int i + 1 in c < UIntSize.to_int end' /\ UIntSize.to_int start <= parent0 (UIntSize.to_int i) -> le_log0 (Seq.get (deep_model0 v) c) (Seq.get (deep_model0 v) (parent0 (parent0 c))) }; invariant { [#"../heapsort_generic.rs" 48 4 48 43] let c = 2 * UIntSize.to_int i + 2 in c < UIntSize.to_int end' /\ UIntSize.to_int start <= parent0 (UIntSize.to_int i) -> le_log0 (Seq.get (deep_model0 v) c) (Seq.get (deep_model0 v) (parent0 (parent0 c))) }; 
@@ -883,17 +884,17 @@ module HeapsortGeneric_HeapSort ensures { result = cmp_le_log0 x y } axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + val invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + val inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true use seq.Seq predicate sorted_range0 [#"../heapsort_generic.rs" 77 0 77 63] (s : Seq.seq deep_model_ty0) (l : int) (u : int) = [#"../heapsort_generic.rs" 78 4 80 5] forall j : int . forall i : int . 
l <= i /\ i < j /\ j < u -> le_log0 (Seq.get s i) (Seq.get s j) @@ -1020,12 +1021,12 @@ module HeapsortGeneric_HeapSort val shallow_model5 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model5 self } - use prelude.Ghost - function shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + use prelude.Snapshot + function shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t = - [#"../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model5 (Ghost.inner self) - val shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + [#"../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model5 (Snapshot.inner self) + val shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t ensures { result = shallow_model1 self } function shallow_model4 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : Seq.seq t = 
@@ -1037,11 +1038,12 @@ module HeapsortGeneric_HeapSort requires {inv5 self} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 75 26 75 48] UIntSize.to_int result = Seq.length (shallow_model4 self) } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + + val resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg heap_sort [#"../heapsort_generic.rs" 93 0 95 29] [@cfg:stackify] [@cfg:subregion_analysis] (v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : () requires {[#"../heapsort_generic.rs" 90 11 90 40] Seq.length (shallow_model0 v) < div (UIntSize.to_int max0) 2} requires {[#"../heapsort_generic.rs" 93 37 93 38] inv1 v} @@ -1051,7 +1053,7 @@ module HeapsortGeneric_HeapSort = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = v; - var old_v : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); + var old_v : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); var start : usize; var _8 : usize; var _10 : bool; @@ -1070,7 +1072,7 @@ module HeapsortGeneric_HeapSort goto BB0 } BB0 { - [#"../heapsort_generic.rs" 97 16 97 25] old_v <- ([#"../heapsort_generic.rs" 97 16 97 25] Ghost.new v); + [#"../heapsort_generic.rs" 97 16 97 31] old_v <- ([#"../heapsort_generic.rs" 97 16 97 31] Snapshot.new v); goto BB1 } BB1 { 
diff --git a/creusot/tests/should_succeed/heapsort_generic.rs b/creusot/tests/should_succeed/heapsort_generic.rs index 93e7957cde..551c003231 100644 --- a/creusot/tests/should_succeed/heapsort_generic.rs +++ b/creusot/tests/should_succeed/heapsort_generic.rs @@ -6,7 +6,7 @@ use creusot_contracts::{ *, }; -#[ghost] +#[logic] fn parent(i: Int) -> Int { (i + 1) / 2 - 1 } @@ -17,7 +17,7 @@ fn heap_frag(s: Seq, start: Int, end: Int) -> bool { s[i] <= s[parent(i)] } } -#[ghost] +#[logic] #[requires(heap_frag(s, 0, end))] #[requires(0 <= i && i < end)] #[ensures(s[i] <= s[0])] @@ -42,7 +42,7 @@ fn sift_down(v: &mut Vec, start: usize, end: usize) where T::DeepModelTy: OrdLogic, { - let old_v = gh! { v }; + let old_v = snapshot! { v }; let mut i = start; #[invariant(v@.permutation_of(old_v@))] @@ -94,7 +94,7 @@ pub fn heap_sort(v: &mut Vec) where T::DeepModelTy: OrdLogic, { - let old_v = gh! { v }; + let old_v = snapshot! { v }; let mut start = v.len() / 2; #[invariant(v@.permutation_of(old_v@))] diff --git a/creusot/tests/should_succeed/hillel.mlcfg b/creusot/tests/should_succeed/hillel.mlcfg index 664ccbe4ac..f96c442327 100644 --- a/creusot/tests/should_succeed/hillel.mlcfg +++ b/creusot/tests/should_succeed/hillel.mlcfg 
@@ -102,17 +102,17 @@ module Hillel_RightPad ensures { result = inv1 _x } axiom inv1 : forall x : t . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + val invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + val inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true use seq.Seq function shallow_model1 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t = @@ -143,7 +143,7 @@ module Hillel_RightPad requires {inv4 self} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 75 26 75 48] UIntSize.to_int result = Seq.length (shallow_model5 self) } - use prelude.Ghost + use prelude.Snapshot use seq.Seq function index_logic0 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) (ix : int) : t 
@@ -158,18 +158,19 @@ module Hillel_RightPad val shallow_model4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model4 self } - function shallow_model0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + function shallow_model0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t = - [#"../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model4 (Ghost.inner self) - val shallow_model0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + [#"../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model4 (Snapshot.inner self) + val shallow_model0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t ensures { result = shallow_model0 self } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + + val resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg right_pad [#"../hillel.rs" 16 0 16 59] [@cfg:stackify] [@cfg:subregion_analysis] (str : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) (len : usize) (pad : t) : () requires {[#"../hillel.rs" 16 22 16 25] inv2 str} requires {[#"../hillel.rs" 16 52 16 55] inv1 pad} 
@@ -185,7 +186,7 @@ module Hillel_RightPad var str : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = str; var len : usize = len; var pad : t = pad; - var old_str : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); + var old_str : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); var _19 : usize; var _22 : (); var _23 : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); @@ -193,7 +194,7 @@ module Hillel_RightPad goto BB0 } BB0 { - [#"../hillel.rs" 17 18 17 29] old_str <- ([#"../hillel.rs" 17 18 17 29] Ghost.new str); + [#"../hillel.rs" 17 18 17 35] old_str <- ([#"../hillel.rs" 17 18 17 35] Snapshot.new str); goto BB1 } BB1 { @@ -205,7 +206,7 @@ module Hillel_RightPad invariant { [#"../hillel.rs" 19 16 19 44] Seq.length (shallow_model0 old_str) <= Seq.length (shallow_model1 str) }; invariant { [#"../hillel.rs" 19 4 19 46] Seq.length (shallow_model0 old_str) < UIntSize.to_int len -> Seq.length (shallow_model1 str) <= UIntSize.to_int len }; invariant { [#"../hillel.rs" 19 4 19 46] Seq.length (shallow_model1 str) > UIntSize.to_int len -> Seq.length (shallow_model1 str) = Seq.length (shallow_model0 old_str) }; - invariant { [#"../hillel.rs" 19 4 19 46] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 old_str) -> index_logic0 ( * str) i = index_logic0 ( * Ghost.inner old_str) i }; + invariant { [#"../hillel.rs" 19 4 19 46] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 old_str) -> index_logic0 ( * str) i = index_logic0 ( * Snapshot.inner old_str) i }; invariant { [#"../hillel.rs" 19 4 19 46] forall i : int . Seq.length (shallow_model0 old_str) <= i /\ i < Seq.length (shallow_model1 str) -> index_logic0 ( * str) i = pad }; goto BB3 } 
@@ -304,18 +305,18 @@ module Hillel_LeftPad ensures { result = inv1 _x } axiom inv1 : forall x : t . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + val invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + val inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true - use prelude.Ghost + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true + use prelude.Snapshot use seq.Seq function index_logic0 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) (ix : int) : t 
@@ -356,16 +357,16 @@ module Hillel_LeftPad requires {inv4 self} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 75 26 75 48] UIntSize.to_int result = Seq.length (shallow_model7 self) } - use prelude.Ghost + use prelude.Snapshot use prelude.Int function shallow_model6 (self : usize) : int = [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] UIntSize.to_int self val shallow_model6 (self : usize) : int ensures { result = shallow_model6 self } - function shallow_model3 (self : Ghost.ghost_ty usize) : int = - [#"../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model6 (Ghost.inner self) - val shallow_model3 (self : Ghost.ghost_ty usize) : int + function shallow_model3 (self : Snapshot.snap_ty usize) : int = + [#"../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model6 (Snapshot.inner self) + val shallow_model3 (self : Snapshot.snap_ty usize) : int ensures { result = shallow_model3 self } function shallow_model5 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t 
@@ -374,19 +375,20 @@ module Hillel_LeftPad val shallow_model5 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model5 self } - function shallow_model0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + function shallow_model0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t = - [#"../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model5 (Ghost.inner self) - val shallow_model0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + [#"../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model5 (Snapshot.inner self) + val shallow_model0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t ensures { result = shallow_model0 self } - use prelude.Ghost - predicate resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + use prelude.Snapshot + predicate resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + + val resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg left_pad [#"../hillel.rs" 33 0 33 58] [@cfg:stackify] [@cfg:subregion_analysis] (str : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) (len : usize) (pad : t) : () requires {[#"../hillel.rs" 33 21 33 24] inv2 str} requires {[#"../hillel.rs" 33 51 33 54] inv1 pad} 
@@ -400,23 +402,23 @@ module Hillel_LeftPad var str : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = str; var len : usize = len; var pad : t = pad; - var old_str : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); - var c : Ghost.ghost_ty usize; + var old_str : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); + var c : Snapshot.snap_ty usize; var _20 : usize; var _23 : (); var _24 : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); - var _26 : Ghost.ghost_ty usize; + var _26 : Snapshot.snap_ty usize; { goto BB0 } BB0 { - [#"../hillel.rs" 34 18 34 29] old_str <- ([#"../hillel.rs" 34 18 34 29] Ghost.new str); + [#"../hillel.rs" 34 18 34 35] old_str <- ([#"../hillel.rs" 34 18 34 35] Snapshot.new str); goto BB1 } BB1 { assert { [@expl:type invariant] inv0 old_str }; assume { resolve0 old_str }; - [#"../hillel.rs" 35 30 35 44] c <- ([#"../hillel.rs" 35 30 35 44] Ghost.new (0 : usize)); + [#"../hillel.rs" 35 33 35 53] c <- ([#"../hillel.rs" 35 33 35 53] Snapshot.new (0 : usize)); goto BB2 } BB2 { 
@@ -427,7 +429,7 @@ module Hillel_LeftPad invariant { [#"../hillel.rs" 37 4 37 46] Seq.length (shallow_model0 old_str) < UIntSize.to_int len -> Seq.length (shallow_model1 str) <= UIntSize.to_int len }; invariant { [#"../hillel.rs" 37 4 37 46] Seq.length (shallow_model1 str) > UIntSize.to_int len -> Seq.length (shallow_model1 str) = Seq.length (shallow_model0 old_str) }; invariant { [#"../hillel.rs" 40 16 40 49] shallow_model3 c = Seq.length (shallow_model1 str) - Seq.length (shallow_model0 old_str) }; - invariant { [#"../hillel.rs" 37 4 37 46] forall i : int . shallow_model3 c <= i /\ i < Seq.length (shallow_model1 str) -> index_logic0 ( * str) i = index_logic0 ( * Ghost.inner old_str) (i - shallow_model3 c) }; + invariant { [#"../hillel.rs" 37 4 37 46] forall i : int . shallow_model3 c <= i /\ i < Seq.length (shallow_model1 str) -> index_logic0 ( * str) i = index_logic0 ( * Snapshot.inner old_str) (i - shallow_model3 c) }; invariant { [#"../hillel.rs" 37 4 37 46] forall i : int . 0 <= i /\ i < shallow_model3 c -> index_logic0 ( * str) i = pad }; goto BB4 } @@ -450,12 +452,12 @@ module Hillel_LeftPad goto BB7 } BB7 { - [#"../hillel.rs" 45 12 45 31] _26 <- ([#"../hillel.rs" 45 12 45 31] Ghost.new ((1 : usize) + Ghost.inner c)); + [#"../hillel.rs" 45 12 45 37] _26 <- ([#"../hillel.rs" 45 12 45 37] Snapshot.new ((1 : usize) + Snapshot.inner c)); goto BB8 } BB8 { - [#"../hillel.rs" 45 8 45 31] c <- ([#"../hillel.rs" 45 8 45 31] _26); - [#"../hillel.rs" 45 8 45 31] _26 <- any Ghost.ghost_ty usize; + [#"../hillel.rs" 45 8 45 37] c <- ([#"../hillel.rs" 45 8 45 37] _26); + [#"../hillel.rs" 45 8 45 37] _26 <- any Snapshot.snap_ty usize; goto BB3 } BB9 { 
@@ -732,30 +734,30 @@ module Hillel_InsertUnique ensures { result = inv3 _x } axiom inv3 : forall x : Core_Slice_Iter_Iter_Type.t_iter t . inv3 x = true - use prelude.Ghost - predicate invariant2 (self : Ghost.ghost_ty (Seq.seq t)) - val invariant2 (self : Ghost.ghost_ty (Seq.seq t)) : bool + use prelude.Snapshot + predicate invariant2 (self : Snapshot.snap_ty (Seq.seq t)) + val invariant2 (self : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = invariant2 self } - predicate inv2 (_x : Ghost.ghost_ty (Seq.seq t)) - val inv2 (_x : Ghost.ghost_ty (Seq.seq t)) : bool + predicate inv2 (_x : Snapshot.snap_ty (Seq.seq t)) + val inv2 (_x : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = inv2 _x } - axiom inv2 : forall x : Ghost.ghost_ty (Seq.seq t) . inv2 x = true + axiom inv2 : forall x : Snapshot.snap_ty (Seq.seq t) . inv2 x = true predicate invariant1 (self : slice t) val invariant1 (self : slice t) : bool ensures { result = invariant1 self } axiom inv1 : forall x : slice t . 
inv1 x = true - predicate invariant0 (self : Ghost.ghost_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) - val invariant0 (self : Ghost.ghost_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool + predicate invariant0 (self : Snapshot.snap_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) + val invariant0 (self : Snapshot.snap_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) - val inv0 (_x : Ghost.ghost_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool + predicate inv0 (_x : Snapshot.snap_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) + val inv0 (_x : Snapshot.snap_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) . inv0 x = true function deep_model1 (self : t) : deep_model_ty0 val deep_model1 (self : t) : deep_model_ty0 ensures { result = deep_model1 self } @@ -825,7 +827,7 @@ module Hillel_InsertUnique requires {inv12 other} ensures { [#"../../../../creusot-contracts/src/std/cmp.rs" 11 26 11 75] result = (deep_model4 self = deep_model4 other) } - use prelude.Ghost + use prelude.Snapshot predicate resolve7 (self : t) val resolve7 (self : t) : bool ensures { result = resolve7 self } 
@@ -858,24 +860,24 @@ module Hillel_InsertUnique end } ensures { inv4 result } - use prelude.Ghost - function index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t = - [#"../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Ghost.inner self) ix - val index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + use prelude.Snapshot + function index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq t)) (ix : int) : t = + [#"../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Snapshot.inner self) ix + val index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq t)) (ix : int) : t ensures { result = index_logic0 self ix } - use prelude.Ghost - use prelude.Ghost - predicate resolve4 (self : Ghost.ghost_ty (Seq.seq t)) - val resolve4 (self : Ghost.ghost_ty (Seq.seq t)) : bool + use prelude.Snapshot + use prelude.Snapshot + predicate resolve4 (self : Snapshot.snap_ty (Seq.seq t)) + val resolve4 (self : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = resolve4 self } - use prelude.Ghost - predicate resolve3 (self : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter t)) - val resolve3 (self : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter t)) : bool + use prelude.Snapshot + predicate resolve3 (self : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter t)) + val resolve3 (self : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter t)) : bool ensures { result = resolve3 self } - use prelude.Ghost + use prelude.Snapshot predicate into_iter_post0 (self : Core_Slice_Iter_Iter_Type.t_iter t) (res : Core_Slice_Iter_Iter_Type.t_iter t) = [#"../../../../creusot-contracts/src/std/iter.rs" 80 8 80 19] self = res val into_iter_post0 (self : Core_Slice_Iter_Iter_Type.t_iter t) (res : Core_Slice_Iter_Iter_Type.t_iter t) : bool 
@@ -910,11 +912,11 @@ module Hillel_InsertUnique ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 147 26 147 42] shallow_model0 result = shallow_model1 self } ensures { inv1 result } - predicate resolve1 (self : Ghost.ghost_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) - val resolve1 (self : Ghost.ghost_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool + predicate resolve1 (self : Snapshot.snap_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) + val resolve1 (self : Snapshot.snap_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve1 self } - use prelude.Ghost + use prelude.Snapshot predicate is_subset0 [#"../hillel.rs" 64 0 64 49] (sub : Seq.seq deep_model_ty0) (sup : Seq.seq deep_model_ty0) = [#"../hillel.rs" 65 4 67 5] forall i : int . 0 <= i /\ i < Seq.length sub -> contains0 sup (Seq.get sub i) val is_subset0 [#"../hillel.rs" 64 0 64 49] (sub : Seq.seq deep_model_ty0) (sup : Seq.seq deep_model_ty0) : bool @@ -928,11 +930,11 @@ module Hillel_InsertUnique val deep_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq deep_model_ty0 ensures { result = deep_model0 self } - predicate resolve0 (self : Ghost.ghost_ty ()) - val resolve0 (self : Ghost.ghost_ty ()) : bool + predicate resolve0 (self : Snapshot.snap_ty ()) + val resolve0 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot function subset_push0 [#"../hillel.rs" 72 0 72 37] (s : Seq.seq deep_model_ty0) (elem : deep_model_ty0) : () = [#"../hillel.rs" 70 0 70 8] () val subset_push0 [#"../hillel.rs" 72 0 72 37] (s : Seq.seq deep_model_ty0) (elem : deep_model_ty0) : () 
@@ -954,18 +956,18 @@ module Hillel_InsertUnique var _0 : (); var vec : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = vec; var elem : t = elem; - var _8 : Ghost.ghost_ty (); - var ghost_vec : Ghost.ghost_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); + var _8 : Snapshot.snap_ty (); + var ghost_vec : Snapshot.snap_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); var iter : Core_Slice_Iter_Iter_Type.t_iter t; var _16 : Core_Slice_Iter_Iter_Type.t_iter t; var _18 : slice t; - var iter_old : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter t); - var produced : Ghost.ghost_ty (Seq.seq t); + var iter_old : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter t); + var produced : Snapshot.snap_ty (Seq.seq t); var _28 : Core_Option_Option_Type.t_option t; var _29 : borrowed (Core_Slice_Iter_Iter_Type.t_iter t); var _30 : borrowed (Core_Slice_Iter_Iter_Type.t_iter t); var __creusot_proc_iter_elem : t; - var _33 : Ghost.ghost_ty (Seq.seq t); + var _33 : Snapshot.snap_ty (Seq.seq t); var e : t; var _38 : bool; var _41 : t; @@ -981,7 +983,7 @@ module Hillel_InsertUnique goto BB2 } BB2 { - [#"../hillel.rs" 80 4 80 41] _8 <- ([#"../hillel.rs" 80 4 80 41] Ghost.new ()); + [#"../hillel.rs" 80 4 80 47] _8 <- ([#"../hillel.rs" 80 4 80 47] Snapshot.new ()); goto BB3 } BB3 { @@ -990,7 +992,7 @@ module Hillel_InsertUnique goto BB4 } BB4 { - [#"../hillel.rs" 82 20 82 32] ghost_vec <- ([#"../hillel.rs" 82 20 82 32] Ghost.new ( * vec)); + [#"../hillel.rs" 82 20 82 38] ghost_vec <- ([#"../hillel.rs" 82 20 82 38] Snapshot.new ( * vec)); goto BB5 } BB5 { 
@@ -1011,12 +1013,12 @@ module Hillel_InsertUnique goto BB8 } BB8 { - [#"../hillel.rs" 84 4 84 111] iter_old <- ([#"../hillel.rs" 84 4 84 111] Ghost.new iter); + [#"../hillel.rs" 84 4 84 111] iter_old <- ([#"../hillel.rs" 84 4 84 111] Snapshot.new iter); goto BB9 } BB9 { assume { resolve3 iter_old }; - [#"../hillel.rs" 84 4 84 111] produced <- ([#"../hillel.rs" 84 4 84 111] Ghost.new (Seq.empty )); + [#"../hillel.rs" 84 4 84 111] produced <- ([#"../hillel.rs" 84 4 84 111] Snapshot.new (Seq.empty )); goto BB10 } BB10 { @@ -1029,8 +1031,8 @@ module Hillel_InsertUnique } BB12 { invariant { [#"../hillel.rs" 84 4 84 111] inv3 iter }; - invariant { [#"../hillel.rs" 84 4 84 111] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../hillel.rs" 84 4 84 111] forall j : int . 0 <= j /\ j < Seq.length (Ghost.inner produced) -> deep_model2 (index_logic0 produced j) <> deep_model1 elem }; + invariant { [#"../hillel.rs" 84 4 84 111] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../hillel.rs" 84 4 84 111] forall j : int . 0 <= j /\ j < Seq.length (Snapshot.inner produced) -> deep_model2 (index_logic0 produced j) <> deep_model1 elem }; goto BB13 } BB13 { 
@@ -1071,21 +1073,21 @@ module Hillel_InsertUnique absurd } BB18 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _28); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _28); assert { [@expl:type invariant] inv4 _28 }; assume { resolve6 _28 }; - [#"../hillel.rs" 84 4 84 111] _33 <- ([#"../hillel.rs" 84 4 84 111] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../hillel.rs" 84 4 84 111] _33 <- ([#"../hillel.rs" 84 4 84 111] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB19 } BB19 { [#"../hillel.rs" 84 4 84 111] produced <- ([#"../hillel.rs" 84 4 84 111] _33); - [#"../hillel.rs" 84 4 84 111] _33 <- any Ghost.ghost_ty (Seq.seq t); + [#"../hillel.rs" 84 4 84 111] _33 <- any Snapshot.snap_ty (Seq.seq t); assert { [@expl:type invariant] inv2 produced }; assume { resolve4 produced }; - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] e <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] e <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem); assert { [@expl:type invariant] inv5 __creusot_proc_iter_elem }; assume { resolve7 __creusot_proc_iter_elem }; - assert { [@expl:assertion] [#"../hillel.rs" 86 24 86 57] e = index_logic1 (Ghost.inner ghost_vec) (Seq.length (Ghost.inner produced) - 1) }; + assert { [@expl:assertion] [#"../hillel.rs" 86 24 86 57] e = index_logic1 (Snapshot.inner ghost_vec) (Seq.length (Snapshot.inner produced) - 1) }; [#"../hillel.rs" 87 16 87 21] _41 <- ([#"../hillel.rs" 87 16 87 21] elem); [#"../hillel.rs" 87 11 87 
21] _38 <- ([#"../hillel.rs" 87 11 87 21] eq0 ([#"../hillel.rs" 87 11 87 12] e) ([#"../hillel.rs" 87 16 87 21] _41)); goto BB20 @@ -1315,16 +1317,16 @@ module Hillel_Unique ensures { result = invariant1 self } axiom inv1 : forall x : Core_Ops_Range_Range_Type.t_range usize . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (Seq.seq t)) - val invariant0 (self : Ghost.ghost_ty (Seq.seq t)) : bool + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (Seq.seq t)) + val invariant0 (self : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (Seq.seq t)) - val inv0 (_x : Ghost.ghost_ty (Seq.seq t)) : bool + predicate inv0 (_x : Snapshot.snap_ty (Seq.seq t)) + val inv0 (_x : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (Seq.seq t) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (Seq.seq t) . inv0 x = true predicate resolve2 (self : t) val resolve2 (self : t) : bool ensures { result = resolve2 self } @@ -1360,7 +1362,7 @@ module Hillel_Unique ensures { result = resolve4 self } use seq.Seq - use prelude.Ghost + use prelude.Snapshot predicate resolve3 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve3 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool @@ -1430,7 +1432,7 @@ module Hillel_Unique ensures { inv8 result } use seq_ext.SeqExt - use prelude.Ghost + use prelude.Snapshot function index_logic4 [@inline:trivial] (self : slice t) (ix : int) : t = [#"../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model3 self) ix val index_logic4 [@inline:trivial] (self : slice t) (ix : int) : t 
@@ -1447,10 +1449,10 @@ module Hillel_Unique val deep_model1 (self : slice t) : Seq.seq deep_model_ty0 ensures { result = deep_model1 self } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_Range_Type.t_range usize) (res : Core_Ops_Range_Range_Type.t_range usize) = @@ -1473,11 +1475,11 @@ module Hillel_Unique requires {inv5 self} ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 238 0 334 1] Seq.length (shallow_model0 self) = UIntSize.to_int result } - predicate resolve0 (self : Ghost.ghost_ty (Seq.seq t)) - val resolve0 (self : Ghost.ghost_ty (Seq.seq t)) : bool + predicate resolve0 (self : Snapshot.snap_ty (Seq.seq t)) + val resolve0 (self : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot use seq.Seq val new0 (_1 : ()) : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 68 26 68 44] Seq.length (shallow_model1 result) = 0 } 
@@ -1494,16 +1496,16 @@ module Hillel_Unique var _0 : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global); var str : slice t = str; var unique : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global); - var sub_str : Ghost.ghost_ty (Seq.seq t); + var sub_str : Snapshot.snap_ty (Seq.seq t); var iter : Core_Ops_Range_Range_Type.t_range usize; var _11 : usize; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range usize); - var produced : Ghost.ghost_ty (Seq.seq usize); + var iter_old : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range usize); + var produced : Snapshot.snap_ty (Seq.seq usize); var _23 : Core_Option_Option_Type.t_option usize; var _24 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var _25 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var __creusot_proc_iter_elem : usize; - var _28 : Ghost.ghost_ty (Seq.seq usize); + var _28 : Snapshot.snap_ty (Seq.seq usize); var i : usize; var elem : t; var _32 : usize; @@ -1511,7 +1513,7 @@ module Hillel_Unique var _35 : (); var _36 : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); var _37 : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); - var _39 : Ghost.ghost_ty (Seq.seq t); + var _39 : Snapshot.snap_ty (Seq.seq t); { goto BB0 } @@ -1520,7 +1522,7 @@ module Hillel_Unique goto BB1 } BB1 { - [#"../hillel.rs" 102 37 102 55] sub_str <- ([#"../hillel.rs" 102 37 102 55] Ghost.new (Seq.empty )); + [#"../hillel.rs" 102 40 102 64] sub_str <- ([#"../hillel.rs" 102 40 102 64] Snapshot.new (Seq.empty )); goto BB2 } BB2 { 
@@ -1535,11 +1537,11 @@ module Hillel_Unique goto BB4 } BB4 { - [#"../hillel.rs" 104 4 104 48] iter_old <- ([#"../hillel.rs" 104 4 104 48] Ghost.new iter); + [#"../hillel.rs" 104 4 104 48] iter_old <- ([#"../hillel.rs" 104 4 104 48] Snapshot.new iter); goto BB5 } BB5 { - [#"../hillel.rs" 104 4 104 48] produced <- ([#"../hillel.rs" 104 4 104 48] Ghost.new (Seq.empty )); + [#"../hillel.rs" 104 4 104 48] produced <- ([#"../hillel.rs" 104 4 104 48] Snapshot.new (Seq.empty )); goto BB6 } BB6 { @@ -1556,10 +1558,10 @@ module Hillel_Unique } BB10 { invariant { [#"../hillel.rs" 104 4 104 48] inv1 iter }; - invariant { [#"../hillel.rs" 104 4 104 48] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; + invariant { [#"../hillel.rs" 104 4 104 48] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; invariant { [#"../hillel.rs" 104 16 104 46] is_unique0 (deep_model0 unique) }; invariant { [#"../hillel.rs" 105 16 105 64] is_subset0 (deep_model0 unique) (deep_model1 str) }; - invariant { [#"../hillel.rs" 106 16 106 95] is_subset0 (SeqExt.subsequence (deep_model1 str) 0 (Seq.length (Ghost.inner produced))) (deep_model0 unique) }; + invariant { [#"../hillel.rs" 106 16 106 95] is_subset0 (SeqExt.subsequence (deep_model1 str) 0 (Seq.length (Snapshot.inner produced))) (deep_model0 unique) }; goto BB11 } BB11 { 
@@ -1596,14 +1598,14 @@ module Hillel_Unique absurd } BB16 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _23); - [#"../hillel.rs" 104 4 104 48] _28 <- ([#"../hillel.rs" 104 4 104 48] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _23); + [#"../hillel.rs" 104 4 104 48] _28 <- ([#"../hillel.rs" 104 4 104 48] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB17 } BB17 { [#"../hillel.rs" 104 4 104 48] produced <- ([#"../hillel.rs" 104 4 104 48] _28); - [#"../hillel.rs" 104 4 104 48] _28 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] i <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem); + [#"../hillel.rs" 104 4 104 48] _28 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] i <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem); [#"../hillel.rs" 108 26 108 27] _32 <- ([#"../hillel.rs" 108 26 108 27] i); [#"../hillel.rs" 108 22 108 28] _34 <- ([#"../hillel.rs" 108 22 108 28] _32 < ([#"../hillel.rs" 108 22 108 28] Slice.length str)); assert { [@expl:index in bounds] [#"../hillel.rs" 108 22 108 28] _34 }; 
@@ -1626,12 +1628,12 @@ module Hillel_Unique BB19 { assert { [@expl:type invariant] inv4 _37 }; assume { resolve3 _37 }; - [#"../hillel.rs" 110 18 110 44] _39 <- ([#"../hillel.rs" 110 18 110 44] Ghost.new (Seq.snoc (Ghost.inner sub_str) elem)); + [#"../hillel.rs" 110 18 110 50] _39 <- ([#"../hillel.rs" 110 18 110 50] Snapshot.new (Seq.snoc (Snapshot.inner sub_str) elem)); goto BB20 } BB20 { - [#"../hillel.rs" 110 8 110 44] sub_str <- ([#"../hillel.rs" 110 8 110 44] _39); - [#"../hillel.rs" 110 8 110 44] _39 <- any Ghost.ghost_ty (Seq.seq t); + [#"../hillel.rs" 110 8 110 50] sub_str <- ([#"../hillel.rs" 110 8 110 50] _39); + [#"../hillel.rs" 110 8 110 50] _39 <- any Snapshot.snap_ty (Seq.seq t); assert { [@expl:type invariant] inv0 sub_str }; assume { resolve0 sub_str }; goto BB10 @@ -1942,7 +1944,7 @@ module Hillel_Fulcrum ensures { result = inv0 _x } axiom inv0 : forall x : Core_Slice_Iter_Iter_Type.t_iter uint32 . inv0 x = true - use prelude.Ghost + use prelude.Snapshot function abs_diff1 (self : int) (other : int) : int = [#"../../../../creusot-contracts/src/logic/int.rs" 50 4 50 12] if self < other then other - self else self - other val abs_diff1 (self : int) (other : int) : int @@ -2001,11 +2003,11 @@ module Hillel_Fulcrum ensures { result = score0 seq i } axiom score0_spec : forall seq : Seq.seq uint32, i : int . ([#"../hillel.rs" 141 11 141 35] 0 <= i /\ i <= Seq.length seq) -> ([#"../hillel.rs" 143 0 143 79] 0 = i \/ i = Seq.length seq -> score0 seq i = sum_range0 seq 0 (Seq.length seq)) && ([#"../hillel.rs" 142 10 142 64] 0 <= score0 seq i /\ score0 seq i <= sum_range0 seq 0 (Seq.length seq)) - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post1 (self : Core_Ops_Range_Range_Type.t_range usize) (res : Core_Ops_Range_Range_Type.t_range usize) = 
@@ -2052,11 +2054,11 @@ module Hillel_Fulcrum end } ensures { inv3 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : slice uint32) (res : Core_Slice_Iter_Iter_Type.t_iter uint32) = [#"../../../../creusot-contracts/src/std/slice.rs" 346 20 346 32] self = shallow_model3 res val into_iter_post0 (self : slice uint32) (res : Core_Slice_Iter_Iter_Type.t_iter uint32) : bool 
@@ -2083,27 +2085,27 @@ module Hillel_Fulcrum var s : slice uint32 = s; var total : uint32; var iter : Core_Slice_Iter_Iter_Type.t_iter uint32; - var iter_old : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter uint32); - var produced : Ghost.ghost_ty (Seq.seq uint32); + var iter_old : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter uint32); + var produced : Snapshot.snap_ty (Seq.seq uint32); var _18 : (); var _19 : Core_Option_Option_Type.t_option uint32; var _20 : borrowed (Core_Slice_Iter_Iter_Type.t_iter uint32); var _21 : borrowed (Core_Slice_Iter_Iter_Type.t_iter uint32); var __creusot_proc_iter_elem : uint32; - var _24 : Ghost.ghost_ty (Seq.seq uint32); + var _24 : Snapshot.snap_ty (Seq.seq uint32); var x : uint32; var min_i : usize; var min_dist : uint32; var sum : uint32; var iter1 : Core_Ops_Range_Range_Type.t_range usize; var _37 : usize; - var iter_old1 : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range usize); - var produced1 : Ghost.ghost_ty (Seq.seq usize); + var iter_old1 : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range usize); + var produced1 : Snapshot.snap_ty (Seq.seq usize); var _50 : Core_Option_Option_Type.t_option usize; var _51 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var _52 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var __creusot_proc_iter_elem1 : usize; - var _55 : Ghost.ghost_ty (Seq.seq usize); + var _55 : Snapshot.snap_ty (Seq.seq usize); var i : usize; var dist : uint32; var _63 : (); @@ -2118,11 +2120,11 @@ module Hillel_Fulcrum goto BB1 } BB1 { - [#"../hillel.rs" 159 4 159 60] iter_old <- ([#"../hillel.rs" 159 4 159 60] Ghost.new iter); + [#"../hillel.rs" 159 4 159 60] iter_old <- ([#"../hillel.rs" 159 4 159 60] Snapshot.new iter); goto BB2 } BB2 { - [#"../hillel.rs" 159 4 159 60] produced <- ([#"../hillel.rs" 159 4 159 60] Ghost.new (Seq.empty )); + [#"../hillel.rs" 159 4 159 60] produced <- ([#"../hillel.rs" 159 4 159 60] Snapshot.new (Seq.empty )); goto BB3 } BB3 { 
@@ -2130,8 +2132,8 @@ module Hillel_Fulcrum } BB4 { invariant { [#"../hillel.rs" 159 4 159 60] inv0 iter }; - invariant { [#"../hillel.rs" 159 4 159 60] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../hillel.rs" 159 16 159 58] UInt32.to_int total = sum_range0 (shallow_model1 s) 0 (Seq.length (Ghost.inner produced)) }; + invariant { [#"../hillel.rs" 159 4 159 60] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../hillel.rs" 159 16 159 58] UInt32.to_int total = sum_range0 (shallow_model1 s) 0 (Seq.length (Snapshot.inner produced)) }; invariant { [#"../hillel.rs" 160 16 160 52] UInt32.to_int total <= sum_range0 (shallow_model1 s) 0 (Seq.length (shallow_model1 s)) }; goto BB5 } 
@@ -2167,13 +2169,13 @@ module Hillel_Fulcrum absurd } BB10 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _19); - [#"../hillel.rs" 159 4 159 60] _24 <- ([#"../hillel.rs" 159 4 159 60] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _19); + [#"../hillel.rs" 159 4 159 60] _24 <- ([#"../hillel.rs" 159 4 159 60] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB11 } BB11 { [#"../hillel.rs" 159 4 159 60] produced <- ([#"../hillel.rs" 159 4 159 60] _24); - [#"../hillel.rs" 159 4 159 60] _24 <- any Ghost.ghost_ty (Seq.seq uint32); + [#"../hillel.rs" 159 4 159 60] _24 <- any Snapshot.snap_ty (Seq.seq uint32); [#"../hillel.rs" 161 9 161 10] x <- ([#"../hillel.rs" 161 9 161 10] __creusot_proc_iter_elem); [#"../hillel.rs" 162 8 162 18] total <- ([#"../hillel.rs" 162 8 162 18] total + ([#"../hillel.rs" 162 17 162 18] x)); [#"../hillel.rs" 161 16 163 5] _18 <- ([#"../hillel.rs" 161 16 163 5] ()); @@ -2185,11 +2187,11 @@ module Hillel_Fulcrum goto BB13 } BB13 { - [#"../hillel.rs" 171 4 171 58] iter_old1 <- ([#"../hillel.rs" 171 4 171 58] Ghost.new iter1); + [#"../hillel.rs" 171 4 171 58] iter_old1 <- ([#"../hillel.rs" 171 4 171 58] Snapshot.new iter1); goto BB14 } BB14 { - [#"../hillel.rs" 171 4 171 58] produced1 <- ([#"../hillel.rs" 171 4 171 58] Ghost.new (Seq.empty )); + [#"../hillel.rs" 171 4 171 58] produced1 <- ([#"../hillel.rs" 171 4 171 58] Snapshot.new (Seq.empty )); goto BB15 } BB15 { 
@@ -2197,12 +2199,12 @@ module Hillel_Fulcrum } BB16 { invariant { [#"../hillel.rs" 171 4 171 58] inv1 iter1 }; - invariant { [#"../hillel.rs" 171 4 171 58] produces1 (Ghost.inner iter_old1) (Ghost.inner produced1) iter1 }; - invariant { [#"../hillel.rs" 171 16 171 56] UInt32.to_int sum = sum_range0 (shallow_model1 s) 0 (Seq.length (Ghost.inner produced1)) }; + invariant { [#"../hillel.rs" 171 4 171 58] produces1 (Snapshot.inner iter_old1) (Snapshot.inner produced1) iter1 }; + invariant { [#"../hillel.rs" 171 16 171 56] UInt32.to_int sum = sum_range0 (shallow_model1 s) 0 (Seq.length (Snapshot.inner produced1)) }; invariant { [#"../hillel.rs" 172 16 172 30] UInt32.to_int sum <= UInt32.to_int total }; - invariant { [#"../hillel.rs" 173 16 173 61] UIntSize.to_int min_i <= Seq.length (Ghost.inner produced1) /\ UIntSize.to_int min_i < Seq.length (shallow_model1 s) }; + invariant { [#"../hillel.rs" 173 16 173 61] UIntSize.to_int min_i <= Seq.length (Snapshot.inner produced1) /\ UIntSize.to_int min_i < Seq.length (shallow_model1 s) }; invariant { [#"../hillel.rs" 174 16 174 46] UInt32.to_int min_dist = score0 (shallow_model1 s) (UIntSize.to_int min_i) }; - invariant { [#"../hillel.rs" 171 4 171 58] forall j : int . 0 <= j /\ j < Seq.length (Ghost.inner produced1) -> score0 (shallow_model1 s) (UIntSize.to_int min_i) <= score0 (shallow_model1 s) j }; + invariant { [#"../hillel.rs" 171 4 171 58] forall j : int . 0 <= j /\ j < Seq.length (Snapshot.inner produced1) -> score0 (shallow_model1 s) (UIntSize.to_int min_i) <= score0 (shallow_model1 s) j }; goto BB17 } BB17 { 
@@ -2229,14 +2231,14 @@ module Hillel_Fulcrum goto BB21 } BB21 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem1 <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _50); - [#"../hillel.rs" 171 4 171 58] _55 <- ([#"../hillel.rs" 171 4 171 58] Ghost.new (Seq.(++) (Ghost.inner produced1) (Seq.singleton __creusot_proc_iter_elem1))); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem1 <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _50); + [#"../hillel.rs" 171 4 171 58] _55 <- ([#"../hillel.rs" 171 4 171 58] Snapshot.new (Seq.(++) (Snapshot.inner produced1) (Seq.singleton __creusot_proc_iter_elem1))); goto BB22 } BB22 { [#"../hillel.rs" 171 4 171 58] produced1 <- ([#"../hillel.rs" 171 4 171 58] _55); - [#"../hillel.rs" 171 4 171 58] _55 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] i <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem1); + [#"../hillel.rs" 171 4 171 58] _55 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] i <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem1); [#"../hillel.rs" 177 19 177 44] dist <- ([#"../hillel.rs" 177 19 177 44] abs_diff0 ([#"../hillel.rs" 177 19 177 22] sum) ([#"../hillel.rs" 177 32 177 43] ([#"../hillel.rs" 177 32 177 37] total) - ([#"../hillel.rs" 177 40 177 43] sum))); goto BB23 } diff --git a/creusot/tests/should_succeed/hillel.rs b/creusot/tests/should_succeed/hillel.rs index 4b8e81c428..667779f4ef 100644 --- a/creusot/tests/should_succeed/hillel.rs +++ b/creusot/tests/should_succeed/hillel.rs 
@@ -14,7 +14,7 @@ use creusot_contracts::{
 #[ensures(forall 0 <= i && i < str@.len() ==> (^str)[i] == str[i])]
 #[ensures(forall str@.len() <= i && i < len@ ==> (^str)[i] == pad)]
 fn right_pad(str: &mut Vec, len: usize, pad: T) {
- let old_str = gh! { str };
+ let old_str = snapshot! { str };

 #[invariant(old_str@.len() <= str@.len())]
 #[invariant(old_str@.len() < len@ ==> str@.len() <= len@)]
@@ -31,8 +31,8 @@ fn right_pad(str: &mut Vec, len: usize, pad: T) {
 #[ensures(forall 0 <= i && i < ((^str)@.len() - str@.len()) ==> (^str)[i] == pad)]
 #[ensures(forall 0 <= i && i < str@.len() ==> (^str)[i + ((^str)@.len() - str@.len())] == str[i])]
 fn left_pad(str: &mut Vec, len: usize, pad: T) {
- let old_str = gh! { str };
- let mut c: Ghost = gh! { 0usize };
+ let old_str = snapshot! { str };
+ let mut c: Snapshot = snapshot! { 0usize };

 #[invariant(old_str@.len() <= str@.len())]
 #[invariant(old_str@.len() < len@ ==> str@.len() <= len@)]
@@ -42,7 +42,7 @@ fn left_pad(str: &mut Vec, len: usize, pad: T) {
 #[invariant(forall 0 <= i && i < c@ ==> str[i] == pad)]
 while str.len() < len {
 str.insert(0, pad);
- c = gh! { 1usize + *c };
+ c = snapshot! { 1usize + *c };
 }
 }

@@ -67,7 +67,7 @@ fn is_subset(sub: Seq, sup: Seq) -> bool {
 }
 }

-#[ghost]
+#[logic]
 #[ensures(is_subset(s, s.push(elem)))]
 fn subset_push(s: Seq, elem: T) {}

@@ -77,9 +77,9 @@ fn subset_push(s: Seq, elem: T) {}
 #[ensures(is_subset((^vec).deep_model(), vec.deep_model().push(elem.deep_model())))]
 #[ensures(contains((^vec).deep_model(), elem.deep_model()))]
 fn insert_unique(vec: &mut Vec, elem: T) {
- gh! { subset_push:: };
+ snapshot! { subset_push:: };
 proof_assert! { is_subset(vec.deep_model(), vec.deep_model().push(elem.deep_model())) };
- let ghost_vec = gh! { *vec };
+ let ghost_vec = snapshot! { *vec };

 #[invariant(forall 0 <= j && j < produced.len() ==> produced[j].deep_model() != elem.deep_model())]
 for e in vec.iter() {
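Review bot: `snapshot! { subset_push:: };` in `insert_unique` discards its value, and now that the macro is named `snapshot!` the line reads like a leftover rather than a proof step; given the body-less `subset_push` carrying `#[ensures(is_subset(s, s.push(elem)))]` in the hunk just above and the `proof_assert!` of that exact fact on the next line, it is presumably a lemma invocation. A comment would make that explicit: `// Lemma call: brings subset_push's postcondition into scope for the proof_assert! below.` The generic arguments are missing from this rendering of the diff, so I cannot tell from here what the turbofish instantiates. `insert_unique`'s body continues past the end of the hunk.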
@@ -99,7 +99,7 @@ fn insert_unique(vec: &mut Vec, elem: T) {
 #[ensures(is_subset(str.deep_model(), result.deep_model()))]
 fn unique(str: &[T]) -> Vec {
 let mut unique = Vec::new();
- let mut sub_str: Ghost> = gh! { Seq::EMPTY };
+ let mut sub_str: Snapshot> = snapshot! { Seq::EMPTY };

 #[invariant(is_unique(unique.deep_model()))]
 #[invariant(is_subset(unique.deep_model(), str.deep_model()))]
@@ -107,7 +107,7 @@ fn unique(str: &[T]) -> Vec {
 for i in 0..str.len() {
 let elem: T = str[i];
 insert_unique(&mut unique, elem);
- sub_str = gh! { sub_str.push(elem) };
+ sub_str = snapshot! { sub_str.push(elem) };
 }

 proof_assert! { is_subset(str.deep_model().subsequence(0, str@.len()), unique.deep_model()) }
@@ -115,7 +115,7 @@ fn unique(str: &[T]) -> Vec {
 unique
 }

-#[ghost]
+#[logic]
 #[variant(to - from)]
 #[requires(0 <= from && from <= to && to <= seq.len())]
 #[ensures(result >= 0)]
@@ -127,7 +127,7 @@ fn sum_range(seq: Seq, from: Int, to: Int) -> Int {
 }
 }

-#[ghost]
+#[logic]
 #[variant(i - from)]
 #[requires(0 <= from && from <= i && i <= to && to <= seq.len())]
 #[ensures(sum_range(seq, from, to) == sum_range(seq, from, i) + sum_range(seq, i, to))]
@@ -137,7 +137,7 @@ fn sum_range_split(seq: Seq, from: Int, to: Int, i: Int) {
 }
 }

-#[ghost]
+#[logic]
 #[requires(0 <= i && i <= seq.len())]
 #[ensures(0 <= result && result <= sum_range(seq, 0 , seq.len()))]
 #[ensures(0 == i || i == seq.len() ==> result == sum_range(seq, 0, seq.len()))]
diff --git a/creusot/tests/should_succeed/inplace_list_reversal.mlcfg b/creusot/tests/should_succeed/inplace_list_reversal.mlcfg
index 65a1e6a0e8..f48b7797ed 100644
--- a/creusot/tests/should_succeed/inplace_list_reversal.mlcfg
+++ b/creusot/tests/should_succeed/inplace_list_reversal.mlcfg
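Review bot: `sub_str` in `unique` is only ever written — initialised to `Seq::EMPTY` and pushed to at `sub_str = snapshot! { sub_str.push(elem) };` — and nothing visible reads it: neither the two loop invariants in this hunk, nor the third invariant and the `BB10`/`BB20` blocks of the generated `Hillel_Unique` module earlier in this diff, nor the closing `proof_assert!`, which is stated over `str.deep_model().subsequence(0, str@.len())` instead. If this is dead ghost state from an earlier version of the proof, the declaration and the push can both go; if it is kept deliberately, a comment on the declaration should say what it is for. Line 114 of `hillel.rs` and anything outside these hunks are not visible to me, so a use there would change this.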
@@ -32,16 +32,16 @@ module InplaceListReversal_Rev ensures { result = inv1 _x } axiom inv1 : forall x : InplaceListReversal_List_Type.t_list t . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (InplaceListReversal_List_Type.t_list t))) - val invariant0 (self : Ghost.ghost_ty (borrowed (InplaceListReversal_List_Type.t_list t))) : bool + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (InplaceListReversal_List_Type.t_list t))) + val invariant0 (self : Snapshot.snap_ty (borrowed (InplaceListReversal_List_Type.t_list t))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (InplaceListReversal_List_Type.t_list t))) - val inv0 (_x : Ghost.ghost_ty (borrowed (InplaceListReversal_List_Type.t_list t))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (InplaceListReversal_List_Type.t_list t))) + val inv0 (_x : Snapshot.snap_ty (borrowed (InplaceListReversal_List_Type.t_list t))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (InplaceListReversal_List_Type.t_list t)) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (InplaceListReversal_List_Type.t_list t)) . inv0 x = true predicate resolve2 (self : borrowed (InplaceListReversal_List_Type.t_list t)) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed (InplaceListReversal_List_Type.t_list t)) : bool @@ -51,7 +51,7 @@ module InplaceListReversal_Rev val resolve1 (self : InplaceListReversal_List_Type.t_list t) : bool ensures { result = resolve1 self } - use prelude.Ghost + use prelude.Snapshot function rev_append0 [#"../inplace_list_reversal.rs" 16 0 16 55] (n : InplaceListReversal_List_Type.t_list t) (o : InplaceListReversal_List_Type.t_list t) : InplaceListReversal_List_Type.t_list t = 
@@ -69,11 +69,11 @@ module InplaceListReversal_Rev ensures { [#"../../../../creusot-contracts/src/std/mem.rs" 8 22 8 37] result = * dest } ensures { inv1 result } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (InplaceListReversal_List_Type.t_list t))) - val resolve0 (self : Ghost.ghost_ty (borrowed (InplaceListReversal_List_Type.t_list t))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (InplaceListReversal_List_Type.t_list t))) + val resolve0 (self : Snapshot.snap_ty (borrowed (InplaceListReversal_List_Type.t_list t))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg rev [#"../inplace_list_reversal.rs" 24 0 24 30] [@cfg:stackify] [@cfg:subregion_analysis] (l : borrowed (InplaceListReversal_List_Type.t_list t)) : () requires {[#"../inplace_list_reversal.rs" 24 14 24 15] inv2 l} ensures { [#"../inplace_list_reversal.rs" 23 10 23 35] ^ l = rev_append0 ( * l) (InplaceListReversal_List_Type.C_Nil) } @@ -81,7 +81,7 @@ module InplaceListReversal_Rev = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var l : borrowed (InplaceListReversal_List_Type.t_list t) = l; - var old_l : Ghost.ghost_ty (borrowed (InplaceListReversal_List_Type.t_list t)); + var old_l : Snapshot.snap_ty (borrowed (InplaceListReversal_List_Type.t_list t)); var prev : InplaceListReversal_List_Type.t_list t; var head : InplaceListReversal_List_Type.t_list t; var _7 : borrowed (InplaceListReversal_List_Type.t_list t); @@ -91,7 +91,7 @@ module InplaceListReversal_Rev goto BB0 } BB0 { - [#"../inplace_list_reversal.rs" 25 16 25 25] old_l <- ([#"../inplace_list_reversal.rs" 25 16 25 25] Ghost.new l); + [#"../inplace_list_reversal.rs" 25 16 25 31] old_l <- ([#"../inplace_list_reversal.rs" 25 16 25 31] Snapshot.new l); goto BB1 } BB1 { 
@@ -112,7 +112,7 @@ module InplaceListReversal_Rev
 goto BB4
 }
 BB4 {
- invariant { [#"../inplace_list_reversal.rs" 28 16 28 73] rev_append0 head prev = rev_append0 ( * Ghost.inner old_l) (InplaceListReversal_List_Type.C_Nil) };
+ invariant { [#"../inplace_list_reversal.rs" 28 16 28 73] rev_append0 head prev = rev_append0 ( * Snapshot.inner old_l) (InplaceListReversal_List_Type.C_Nil) };
 goto BB5
 }
 BB5 {
diff --git a/creusot/tests/should_succeed/inplace_list_reversal.rs b/creusot/tests/should_succeed/inplace_list_reversal.rs
index 6aee771ec7..26607bc85c 100644
--- a/creusot/tests/should_succeed/inplace_list_reversal.rs
+++ b/creusot/tests/should_succeed/inplace_list_reversal.rs
@@ -11,7 +11,7 @@ pub enum List {
 use List::*;
 type Node = Box<(T, List)>;

-#[ghost]
+#[logic]
 #[open(self)]
 pub fn rev_append(n: List, o: List) -> List {
 match n {
@@ -22,7 +22,7 @@ pub fn rev_append(n: List, o: List) -> List {

 #[ensures(^l == rev_append(*l, Nil))]
 pub fn rev(l: &mut List) {
- let old_l = gh! { l };
+ let old_l = snapshot! { l };
 let mut prev = Nil;
 let mut head = replace(l, Nil);
 #[invariant(rev_append(head, prev) == rev_append(*old_l.inner(), Nil))]
diff --git a/creusot/tests/should_succeed/ite_normalize.rs b/creusot/tests/should_succeed/ite_normalize.rs
index a9a960ac43..f4253b10ab 100644
--- a/creusot/tests/should_succeed/ite_normalize.rs
+++ b/creusot/tests/should_succeed/ite_normalize.rs
@@ -44,7 +44,7 @@ impl Clone for BTreeMap {
 impl ShallowModel for BTreeMap {
 type ShallowModelTy = creusot_contracts::logic::Mapping>;

- #[ghost]
+ #[logic]
 #[open(self)]
 #[trusted]
 fn shallow_model(self) -> Self::ShallowModelTy {
diff --git a/creusot/tests/should_succeed/iterators/01_range.mlcfg b/creusot/tests/should_succeed/iterators/01_range.mlcfg
index e9dc99bf9f..490a8aa47f 100644
--- a/creusot/tests/should_succeed/iterators/01_range.mlcfg
+++ b/creusot/tests/should_succeed/iterators/01_range.mlcfg
@@ -196,7 +196,7 @@ module C01Range_SumRange ensures { result = inv0 _x } axiom inv0 : forall x : C01Range_Range_Type.t_range . inv0 x = true - use prelude.Ghost + use prelude.Snapshot use seq.Seq use Core_Option_Option_Type as Core_Option_Option_Type use prelude.Borrow @@ -216,11 +216,11 @@ module C01Range_SumRange | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot val into_iter0 [#"../01_range.rs" 70 4 70 34] (self : C01Range_Range_Type.t_range) : C01Range_Range_Type.t_range ensures { [#"../01_range.rs" 69 14 69 28] result = self } @@ -233,12 +233,12 @@ module C01Range_SumRange var n : isize = n; var i : isize; var it : C01Range_Range_Type.t_range; - var iter_old : Ghost.ghost_ty (C01Range_Range_Type.t_range); - var produced : Ghost.ghost_ty (Seq.seq isize); + var iter_old : Snapshot.snap_ty (C01Range_Range_Type.t_range); + var produced : Snapshot.snap_ty (Seq.seq isize); var _17 : Core_Option_Option_Type.t_option isize; var _18 : borrowed (C01Range_Range_Type.t_range); var x : isize; - var _21 : Ghost.ghost_ty (Seq.seq isize); + var _21 : Snapshot.snap_ty (Seq.seq isize); { goto BB0 } @@ -248,11 +248,11 @@ module C01Range_SumRange goto BB1 } BB1 { - [#"../01_range.rs" 80 19 80 29] iter_old <- ([#"../01_range.rs" 80 19 80 29] Ghost.new it); + [#"../01_range.rs" 80 19 80 35] iter_old <- ([#"../01_range.rs" 80 19 80 35] Snapshot.new it); goto BB2 } BB2 { - [#"../01_range.rs" 81 23 81 41] produced <- ([#"../01_range.rs" 81 23 81 41] Ghost.new (Seq.empty )); + [#"../01_range.rs" 81 23 81 47] produced <- ([#"../01_range.rs" 81 23 81 47] Snapshot.new (Seq.empty )); goto BB3 } BB3 { 
@@ -260,8 +260,8 @@ module C01Range_SumRange
 }
 BB4 {
 invariant { [#"../01_range.rs" 82 16 82 23] inv0 it };
- invariant { [#"../01_range.rs" 83 16 83 55] produces0 (Ghost.inner iter_old) (Ghost.inner produced) it };
- invariant { [#"../01_range.rs" 84 16 84 46] IntSize.to_int i = Seq.length (Ghost.inner produced) /\ i <= n };
+ invariant { [#"../01_range.rs" 83 16 83 55] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) it };
+ invariant { [#"../01_range.rs" 84 16 84 46] IntSize.to_int i = Seq.length (Snapshot.inner produced) /\ i <= n };
 goto BB5
 }
 BB5 {
@@ -290,12 +290,12 @@ module C01Range_SumRange
 }
 BB10 {
 [#"../01_range.rs" 87 17 87 18] x <- ([#"../01_range.rs" 87 17 87 18] Core_Option_Option_Type.some_0 _17);
- [#"../01_range.rs" 88 27 88 69] _21 <- ([#"../01_range.rs" 88 27 88 69] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton x)));
+ [#"../01_range.rs" 88 27 88 75] _21 <- ([#"../01_range.rs" 88 27 88 75] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton x)));
 goto BB11
 }
 BB11 {
- [#"../01_range.rs" 88 16 88 69] produced <- ([#"../01_range.rs" 88 16 88 69] _21);
- [#"../01_range.rs" 88 16 88 69] _21 <- any Ghost.ghost_ty (Seq.seq isize);
+ [#"../01_range.rs" 88 16 88 75] produced <- ([#"../01_range.rs" 88 16 88 75] _21);
+ [#"../01_range.rs" 88 16 88 75] _21 <- any Snapshot.snap_ty (Seq.seq isize);
 [#"../01_range.rs" 89 16 89 22] i <- ([#"../01_range.rs" 89 16 89 22] i + ([#"../01_range.rs" 89 21 89 22] [#"../01_range.rs" 89 21 89 22] (1 : isize)));
 goto BB4
 }
diff --git a/creusot/tests/should_succeed/iterators/01_range.rs b/creusot/tests/should_succeed/iterators/01_range.rs
index cb83e7000e..5d1e9d0330 100644
--- a/creusot/tests/should_succeed/iterators/01_range.rs
+++ b/creusot/tests/should_succeed/iterators/01_range.rs
@@ -19,7 +19,7 @@ impl Iterator for Range {
 type Item = isize;

 #[open]
- #[predicate]
+ #[predicate(prophetic)]
 fn completed(&mut self) -> bool {
 pearlite! {
 self.resolve() && self.start >= self.end
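Review bot: The `prophetic` marker on `completed` changes what the predicate is allowed to talk about, yet nothing at the definition says why it is needed; the body calls `self.resolve()` on a `&mut self`, and the generated modules in this same diff define `resolve` on a borrow as `^ self = * self`, i.e. a statement about the borrow's final value rather than its current one. I would put a doc line above the attribute: `/// Prophetic: self.resolve() constrains the final value ^self of the borrow, not only its current state.` Presumably that is also what makes the marker required rather than optional, but I am inferring that from the diff, not from anything visible at this definition. `completed`'s body closes outside the hunk.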
@@ -77,15 +77,15 @@ impl Range {
 pub fn sum_range(n: isize) -> isize {
 let mut i = 0;
 let mut it = Range { start: 0, end: n }.into_iter();
- let iter_old = gh! { it };
- let mut produced = gh! { Seq::EMPTY };
+ let iter_old = snapshot! { it };
+ let mut produced = snapshot! { Seq::EMPTY };
 #[invariant(inv(it))]
 #[invariant(iter_old.produces(produced.inner(), it))]
 #[invariant(i@ == produced.len() && i <= n)]
 loop {
 match it.next() {
 Some(x) => {
- produced = gh! { produced.concat(Seq::singleton(x)) };
+ produced = snapshot! { produced.concat(Seq::singleton(x)) };
 i += 1
 }
 None => break,
diff --git a/creusot/tests/should_succeed/iterators/02_iter_mut.mlcfg b/creusot/tests/should_succeed/iterators/02_iter_mut.mlcfg
index 44f2b567f0..ecdd711011 100644
--- a/creusot/tests/should_succeed/iterators/02_iter_mut.mlcfg
+++ b/creusot/tests/should_succeed/iterators/02_iter_mut.mlcfg
@@ -903,7 +903,7 @@ module C02IterMut_AllZero
 val shallow_model2 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : Seq.seq usize
 ensures { result = shallow_model2 self }

- use prelude.Ghost
+ use prelude.Snapshot
 predicate resolve1 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) =
 [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self
 val resolve1 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : bool
@@ -935,17 +935,18 @@ module C02IterMut_AllZero end } ensures { [#"../02_iter_mut.rs" 63 26 63 44] inv3 result } - use prelude.Ghost - function index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq (borrowed usize))) (ix : int) : borrowed usize + use prelude.Snapshot + function index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq (borrowed usize))) (ix : int) : borrowed usize + = - [#"../../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Ghost.inner self) ix - val index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq (borrowed usize))) (ix : int) : borrowed usize + [#"../../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Snapshot.inner self) ix + val index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq (borrowed usize))) (ix : int) : borrowed usize ensures { result = index_logic0 self ix } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot val into_iter0 [#"../02_iter_mut.rs" 70 4 70 30] (self : C02IterMut_IterMut_Type.t_itermut usize) : C02IterMut_IterMut_Type.t_itermut usize requires {[#"../02_iter_mut.rs" 70 17 70 21] inv0 self} ensures { [#"../02_iter_mut.rs" 69 14 69 28] result = self } 
@@ -968,12 +969,12 @@ module C02IterMut_AllZero var it : C02IterMut_IterMut_Type.t_itermut usize; var _5 : C02IterMut_IterMut_Type.t_itermut usize; var _6 : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)); - var iter_old : Ghost.ghost_ty (C02IterMut_IterMut_Type.t_itermut usize); - var produced : Ghost.ghost_ty (Seq.seq (borrowed usize)); + var iter_old : Snapshot.snap_ty (C02IterMut_IterMut_Type.t_itermut usize); + var produced : Snapshot.snap_ty (Seq.seq (borrowed usize)); var _15 : Core_Option_Option_Type.t_option (borrowed usize); var _16 : borrowed (C02IterMut_IterMut_Type.t_itermut usize); var x : borrowed usize; - var _19 : Ghost.ghost_ty (Seq.seq (borrowed usize)); + var _19 : Snapshot.snap_ty (Seq.seq (borrowed usize)); { goto BB0 } @@ -990,11 +991,11 @@ module C02IterMut_AllZero goto BB2 } BB2 { - [#"../02_iter_mut.rs" 86 19 86 29] iter_old <- ([#"../02_iter_mut.rs" 86 19 86 29] Ghost.new it); + [#"../02_iter_mut.rs" 86 19 86 35] iter_old <- ([#"../02_iter_mut.rs" 86 19 86 35] Snapshot.new it); goto BB3 } BB3 { - [#"../02_iter_mut.rs" 87 23 87 41] produced <- ([#"../02_iter_mut.rs" 87 23 87 41] Ghost.new (Seq.empty )); + [#"../02_iter_mut.rs" 87 23 87 47] produced <- ([#"../02_iter_mut.rs" 87 23 87 47] Snapshot.new (Seq.empty )); goto BB4 } BB4 { 
@@ -1002,8 +1003,8 @@ module C02IterMut_AllZero } BB5 { invariant { [#"../02_iter_mut.rs" 88 16 88 23] inv0 it }; - invariant { [#"../02_iter_mut.rs" 89 16 89 55] produces0 (Ghost.inner iter_old) (Ghost.inner produced) it }; - invariant { [#"../02_iter_mut.rs" 88 4 88 25] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner produced) -> UIntSize.to_int ( ^ index_logic0 produced i) = 0 }; + invariant { [#"../02_iter_mut.rs" 89 16 89 55] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) it }; + invariant { [#"../02_iter_mut.rs" 88 4 88 25] forall i : int . 0 <= i /\ i < Seq.length (Snapshot.inner produced) -> UIntSize.to_int ( ^ index_logic0 produced i) = 0 }; goto BB6 } BB6 { @@ -1036,12 +1037,12 @@ module C02IterMut_AllZero BB11 { [#"../02_iter_mut.rs" 93 17 93 18] x <- ([#"../02_iter_mut.rs" 93 17 93 18] Core_Option_Option_Type.some_0 _15); [#"../02_iter_mut.rs" 93 17 93 18] _15 <- (let Core_Option_Option_Type.C_Some x0 = _15 in Core_Option_Option_Type.C_Some (any borrowed usize)); - [#"../02_iter_mut.rs" 94 27 94 69] _19 <- ([#"../02_iter_mut.rs" 94 27 94 69] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton x))); + [#"../02_iter_mut.rs" 94 27 94 75] _19 <- ([#"../02_iter_mut.rs" 94 27 94 75] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton x))); goto BB12 } BB12 { - [#"../02_iter_mut.rs" 94 16 94 69] produced <- ([#"../02_iter_mut.rs" 94 16 94 69] _19); - [#"../02_iter_mut.rs" 94 16 94 69] _19 <- any Ghost.ghost_ty (Seq.seq (borrowed usize)); + [#"../02_iter_mut.rs" 94 16 94 75] produced <- ([#"../02_iter_mut.rs" 94 16 94 75] _19); + [#"../02_iter_mut.rs" 94 16 94 75] _19 <- any Snapshot.snap_ty (Seq.seq (borrowed usize)); [#"../02_iter_mut.rs" 95 16 95 22] x <- { x with current = ([#"../02_iter_mut.rs" 95 16 95 22] [#"../02_iter_mut.rs" 95 21 95 22] (0 : usize)) ; }; assume { resolve0 x }; goto BB5 
diff --git a/creusot/tests/should_succeed/iterators/02_iter_mut.rs b/creusot/tests/should_succeed/iterators/02_iter_mut.rs
index c83d4a7a44..42e717ee55 100644
--- a/creusot/tests/should_succeed/iterators/02_iter_mut.rs
+++ b/creusot/tests/should_succeed/iterators/02_iter_mut.rs
@@ -16,7 +16,7 @@ struct IterMut<'a, T> { impl<'a, T> Invariant for IterMut<'a, T> { #[open] - #[predicate] + #[predicate(prophetic)] fn invariant(self) -> bool { // Property that is always true but we must carry around.. pearlite! { (^self.inner)@.len() == (*self.inner)@.len() }
@@ -27,13 +27,13 @@ impl<'a, T> Iterator for IterMut<'a, T> { type Item = &'a mut T; #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { self.inner.resolve() && self.inner@.ext_eq(Seq::EMPTY) } } #[open] - #[predicate] + #[predicate(prophetic)] fn produces(self, visited: Seq, tl: Self) -> bool { pearlite! { self.inner@.len() == visited.len() + tl.inner@.len() &&
@@ -83,15 +83,15 @@ fn iter_mut<'a, T>(v: &'a mut Vec) -> IterMut<'a, T> {
 #[ensures(forall 0 <= i && i < v@.len() ==> (^v)[i]@ == 0)]
 pub fn all_zero(v: &mut Vec) {
 let mut it = iter_mut(v).into_iter();
- let iter_old = gh! { it };
- let mut produced = gh! { Seq::EMPTY };
+ let iter_old = snapshot! { it };
+ let mut produced = snapshot! { Seq::EMPTY };
 #[invariant(inv(it))]
 #[invariant(iter_old.produces(produced.inner(), it))]
 #[invariant(forall 0 <= i && i < produced.len() ==> (^produced[i])@ == 0)]
 loop {
 match it.next() {
 Some(x) => {
- produced = gh! { produced.concat(Seq::singleton(x)) };
+ produced = snapshot! { produced.concat(Seq::singleton(x)) };
 *x = 0;
 }
 None => break,
diff --git a/creusot/tests/should_succeed/iterators/03_std_iterators.mlcfg b/creusot/tests/should_succeed/iterators/03_std_iterators.mlcfg
index b498071408..ef7847c07c 100644
--- a/creusot/tests/should_succeed/iterators/03_std_iterators.mlcfg
+++ b/creusot/tests/should_succeed/iterators/03_std_iterators.mlcfg
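Review bot: The new `prophetic` qualifier on `invariant`, `completed` and `produces` in the first two hunks is not explained anywhere in the file, and the only nearby comment, `// Property that is always true but we must carry around..`, says nothing about why the plain `#[predicate]` no longer fits. The visible bodies do refer to final values — `invariant` compares `(^self.inner)@.len()` and `completed` calls `self.inner.resolve()` — which is presumably what makes them prophetic, so I would put one line above the first `#[open]` in the `Invariant` impl such as `// Refers to the final value ^self.inner, so this predicate has to be prophetic.` and a similar one-liner before `completed` and `produces`. The body of `produces` runs past the end of its hunk, so I could not confirm the same reason applies there. The `all_zero` hunk is a mechanical `gh!`→`snapshot!` rename and needs nothing further.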
@@ -158,16 +158,16 @@ module C03StdIterators_SliceIter ensures { result = inv2 _x } axiom inv2 : forall x : Core_Slice_Iter_Iter_Type.t_iter t . inv2 x = true - use prelude.Ghost - predicate invariant1 (self : Ghost.ghost_ty (Seq.seq t)) - val invariant1 (self : Ghost.ghost_ty (Seq.seq t)) : bool + use prelude.Snapshot + predicate invariant1 (self : Snapshot.snap_ty (Seq.seq t)) + val invariant1 (self : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = invariant1 self } - predicate inv1 (_x : Ghost.ghost_ty (Seq.seq t)) - val inv1 (_x : Ghost.ghost_ty (Seq.seq t)) : bool + predicate inv1 (_x : Snapshot.snap_ty (Seq.seq t)) + val inv1 (_x : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = inv1 _x } - axiom inv1 : forall x : Ghost.ghost_ty (Seq.seq t) . inv1 x = true + axiom inv1 : forall x : Snapshot.snap_ty (Seq.seq t) . inv1 x = true predicate invariant0 (self : slice t) val invariant0 (self : slice t) : bool ensures { result = invariant0 self } 
@@ -209,19 +209,19 @@ module C03StdIterators_SliceIter end } ensures { inv3 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - predicate resolve2 (self : Ghost.ghost_ty (Seq.seq t)) - val resolve2 (self : Ghost.ghost_ty (Seq.seq t)) : bool + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + predicate resolve2 (self : Snapshot.snap_ty (Seq.seq t)) + val resolve2 (self : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = resolve2 self } - use prelude.Ghost - predicate resolve1 (self : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter t)) - val resolve1 (self : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter t)) : bool + use prelude.Snapshot + predicate resolve1 (self : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter t)) + val resolve1 (self : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter t)) : bool ensures { result = resolve1 self } - use prelude.Ghost + use prelude.Snapshot predicate into_iter_post0 (self : Core_Slice_Iter_Iter_Type.t_iter t) (res : Core_Slice_Iter_Iter_Type.t_iter t) = [#"../../../../../creusot-contracts/src/std/iter.rs" 80 8 80 19] self = res val into_iter_post0 (self : Core_Slice_Iter_Iter_Type.t_iter t) (res : Core_Slice_Iter_Iter_Type.t_iter t) : bool @@ -257,13 +257,13 @@ module C03StdIterators_SliceIter var i : usize; var iter : Core_Slice_Iter_Iter_Type.t_iter t; var _7 : Core_Slice_Iter_Iter_Type.t_iter t; - var iter_old : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter t); - var produced : Ghost.ghost_ty (Seq.seq t); + var iter_old : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter t); + var produced : Snapshot.snap_ty (Seq.seq t); var _17 : Core_Option_Option_Type.t_option t; var _18 : borrowed (Core_Slice_Iter_Iter_Type.t_iter t); var _19 : borrowed (Core_Slice_Iter_Iter_Type.t_iter t); var __creusot_proc_iter_elem : t; - var _22 : Ghost.ghost_ty (Seq.seq t); + var _22 : Snapshot.snap_ty (Seq.seq t); { goto BB0 } 
@@ -280,12 +280,12 @@ module C03StdIterators_SliceIter goto BB2 } BB2 { - [#"../03_std_iterators.rs" 8 4 8 38] iter_old <- ([#"../03_std_iterators.rs" 8 4 8 38] Ghost.new iter); + [#"../03_std_iterators.rs" 8 4 8 38] iter_old <- ([#"../03_std_iterators.rs" 8 4 8 38] Snapshot.new iter); goto BB3 } BB3 { assume { resolve1 iter_old }; - [#"../03_std_iterators.rs" 8 4 8 38] produced <- ([#"../03_std_iterators.rs" 8 4 8 38] Ghost.new (Seq.empty )); + [#"../03_std_iterators.rs" 8 4 8 38] produced <- ([#"../03_std_iterators.rs" 8 4 8 38] Snapshot.new (Seq.empty )); goto BB4 } BB4 { @@ -295,8 +295,8 @@ module C03StdIterators_SliceIter } BB5 { invariant { [#"../03_std_iterators.rs" 8 4 8 38] inv2 iter }; - invariant { [#"../03_std_iterators.rs" 8 4 8 38] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../03_std_iterators.rs" 8 16 8 36] UIntSize.to_int i = Seq.length (Ghost.inner produced) }; + invariant { [#"../03_std_iterators.rs" 8 4 8 38] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../03_std_iterators.rs" 8 16 8 36] UIntSize.to_int i = Seq.length (Snapshot.inner produced) }; goto BB6 } BB6 { 
@@ -333,15 +333,15 @@ module C03StdIterators_SliceIter absurd } BB11 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _17); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _17); assert { [@expl:type invariant] inv3 _17 }; assume { resolve4 _17 }; - [#"../03_std_iterators.rs" 8 4 8 38] _22 <- ([#"../03_std_iterators.rs" 8 4 8 38] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../03_std_iterators.rs" 8 4 8 38] _22 <- ([#"../03_std_iterators.rs" 8 4 8 38] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB12 } BB12 { [#"../03_std_iterators.rs" 8 4 8 38] produced <- ([#"../03_std_iterators.rs" 8 4 8 38] _22); - [#"../03_std_iterators.rs" 8 4 8 38] _22 <- any Ghost.ghost_ty (Seq.seq t); + [#"../03_std_iterators.rs" 8 4 8 38] _22 <- any Snapshot.snap_ty (Seq.seq t); assert { [@expl:type invariant] inv1 produced }; assume { resolve2 produced }; assert { [@expl:type invariant] inv4 __creusot_proc_iter_elem }; 
@@ -530,16 +530,16 @@ module C03StdIterators_VecIter ensures { result = inv2 _x } axiom inv2 : forall x : Core_Slice_Iter_Iter_Type.t_iter t . inv2 x = true - use prelude.Ghost - predicate invariant1 (self : Ghost.ghost_ty (Seq.seq t)) - val invariant1 (self : Ghost.ghost_ty (Seq.seq t)) : bool + use prelude.Snapshot + predicate invariant1 (self : Snapshot.snap_ty (Seq.seq t)) + val invariant1 (self : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = invariant1 self } - predicate inv1 (_x : Ghost.ghost_ty (Seq.seq t)) - val inv1 (_x : Ghost.ghost_ty (Seq.seq t)) : bool + predicate inv1 (_x : Snapshot.snap_ty (Seq.seq t)) + val inv1 (_x : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = inv1 _x } - axiom inv1 : forall x : Ghost.ghost_ty (Seq.seq t) . inv1 x = true + axiom inv1 : forall x : Snapshot.snap_ty (Seq.seq t) . inv1 x = true predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = invariant0 self } 
@@ -590,19 +590,19 @@ module C03StdIterators_VecIter end } ensures { inv3 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - predicate resolve2 (self : Ghost.ghost_ty (Seq.seq t)) - val resolve2 (self : Ghost.ghost_ty (Seq.seq t)) : bool + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + predicate resolve2 (self : Snapshot.snap_ty (Seq.seq t)) + val resolve2 (self : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = resolve2 self } - use prelude.Ghost - predicate resolve1 (self : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter t)) - val resolve1 (self : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter t)) : bool + use prelude.Snapshot + predicate resolve1 (self : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter t)) + val resolve1 (self : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter t)) : bool ensures { result = resolve1 self } - use prelude.Ghost + use prelude.Snapshot predicate into_iter_post0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) (res : Core_Slice_Iter_Iter_Type.t_iter t) = @@ -634,13 +634,13 @@ module C03StdIterators_VecIter var vec : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) = vec; var i : usize; var iter : Core_Slice_Iter_Iter_Type.t_iter t; - var iter_old : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter t); - var produced : Ghost.ghost_ty (Seq.seq t); + var iter_old : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter t); + var produced : Snapshot.snap_ty (Seq.seq t); var _16 : Core_Option_Option_Type.t_option t; var _17 : borrowed (Core_Slice_Iter_Iter_Type.t_iter t); var _18 : borrowed (Core_Slice_Iter_Iter_Type.t_iter t); var __creusot_proc_iter_elem : t; - var _21 : Ghost.ghost_ty (Seq.seq t); + var _21 : Snapshot.snap_ty (Seq.seq t); { goto BB0 } 
@@ -652,12 +652,12 @@ module C03StdIterators_VecIter goto BB1 } BB1 { - [#"../03_std_iterators.rs" 19 4 19 38] iter_old <- ([#"../03_std_iterators.rs" 19 4 19 38] Ghost.new iter); + [#"../03_std_iterators.rs" 19 4 19 38] iter_old <- ([#"../03_std_iterators.rs" 19 4 19 38] Snapshot.new iter); goto BB2 } BB2 { assume { resolve1 iter_old }; - [#"../03_std_iterators.rs" 19 4 19 38] produced <- ([#"../03_std_iterators.rs" 19 4 19 38] Ghost.new (Seq.empty )); + [#"../03_std_iterators.rs" 19 4 19 38] produced <- ([#"../03_std_iterators.rs" 19 4 19 38] Snapshot.new (Seq.empty )); goto BB3 } BB3 { @@ -667,8 +667,8 @@ module C03StdIterators_VecIter } BB4 { invariant { [#"../03_std_iterators.rs" 19 4 19 38] inv2 iter }; - invariant { [#"../03_std_iterators.rs" 19 4 19 38] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../03_std_iterators.rs" 19 16 19 36] UIntSize.to_int i = Seq.length (Ghost.inner produced) }; + invariant { [#"../03_std_iterators.rs" 19 4 19 38] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../03_std_iterators.rs" 19 16 19 36] UIntSize.to_int i = Seq.length (Snapshot.inner produced) }; goto BB5 } BB5 { 
@@ -705,15 +705,15 @@ module C03StdIterators_VecIter absurd } BB10 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _16); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _16); assert { [@expl:type invariant] inv3 _16 }; assume { resolve4 _16 }; - [#"../03_std_iterators.rs" 19 4 19 38] _21 <- ([#"../03_std_iterators.rs" 19 4 19 38] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../03_std_iterators.rs" 19 4 19 38] _21 <- ([#"../03_std_iterators.rs" 19 4 19 38] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB11 } BB11 { [#"../03_std_iterators.rs" 19 4 19 38] produced <- ([#"../03_std_iterators.rs" 19 4 19 38] _21); - [#"../03_std_iterators.rs" 19 4 19 38] _21 <- any Ghost.ghost_ty (Seq.seq t); + [#"../03_std_iterators.rs" 19 4 19 38] _21 <- any Snapshot.snap_ty (Seq.seq t); assert { [@expl:type invariant] inv1 produced }; assume { resolve2 produced }; assert { [@expl:type invariant] inv4 __creusot_proc_iter_elem }; @@ -904,7 +904,7 @@ module C03StdIterators_AllZero val shallow_model2 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : Seq.seq usize ensures { result = shallow_model2 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : bool 
@@ -944,17 +944,18 @@ module C03StdIterators_AllZero end } ensures { inv3 result } - use prelude.Ghost - function index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq (borrowed usize))) (ix : int) : borrowed usize + use prelude.Snapshot + function index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq (borrowed usize))) (ix : int) : borrowed usize + = - [#"../../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Ghost.inner self) ix - val index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq (borrowed usize))) (ix : int) : borrowed usize + [#"../../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Snapshot.inner self) ix + val index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq (borrowed usize))) (ix : int) : borrowed usize ensures { result = index_logic0 self ix } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate resolve0 (self : borrowed (slice usize)) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (slice usize)) : bool 
@@ -1000,13 +1001,13 @@ module C03StdIterators_AllZero var _6 : borrowed (slice usize); var _7 : borrowed (slice usize); var _8 : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)); - var iter_old : Ghost.ghost_ty (Core_Slice_Iter_IterMut_Type.t_itermut usize); - var produced : Ghost.ghost_ty (Seq.seq (borrowed usize)); + var iter_old : Snapshot.snap_ty (Core_Slice_Iter_IterMut_Type.t_itermut usize); + var produced : Snapshot.snap_ty (Seq.seq (borrowed usize)); var _17 : Core_Option_Option_Type.t_option (borrowed usize); var _18 : borrowed (Core_Slice_Iter_IterMut_Type.t_itermut usize); var _19 : borrowed (Core_Slice_Iter_IterMut_Type.t_itermut usize); var __creusot_proc_iter_elem : borrowed usize; - var _22 : Ghost.ghost_ty (Seq.seq (borrowed usize)); + var _22 : Snapshot.snap_ty (Seq.seq (borrowed usize)); var x : borrowed usize; { goto BB0 @@ -1032,11 +1033,11 @@ module C03StdIterators_AllZero } BB3 { assume { resolve0 _7 }; - [#"../03_std_iterators.rs" 29 4 29 87] iter_old <- ([#"../03_std_iterators.rs" 29 4 29 87] Ghost.new iter); + [#"../03_std_iterators.rs" 29 4 29 87] iter_old <- ([#"../03_std_iterators.rs" 29 4 29 87] Snapshot.new iter); goto BB4 } BB4 { - [#"../03_std_iterators.rs" 29 4 29 87] produced <- ([#"../03_std_iterators.rs" 29 4 29 87] Ghost.new (Seq.empty )); + [#"../03_std_iterators.rs" 29 4 29 87] produced <- ([#"../03_std_iterators.rs" 29 4 29 87] Snapshot.new (Seq.empty )); goto BB5 } BB5 { 
@@ -1044,8 +1045,8 @@ module C03StdIterators_AllZero } BB6 { invariant { [#"../03_std_iterators.rs" 29 4 29 87] inv0 iter }; - invariant { [#"../03_std_iterators.rs" 29 4 29 87] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../03_std_iterators.rs" 29 4 29 87] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner produced) -> UIntSize.to_int ( ^ index_logic0 produced i) = 0 }; + invariant { [#"../03_std_iterators.rs" 29 4 29 87] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../03_std_iterators.rs" 29 4 29 87] forall i : int . 0 <= i /\ i < Seq.length (Snapshot.inner produced) -> UIntSize.to_int ( ^ index_logic0 produced i) = 0 }; goto BB7 } BB7 { 
@@ -1080,16 +1081,16 @@ module C03StdIterators_AllZero absurd } BB12 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _17); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] _17 <- (let Core_Option_Option_Type.C_Some x0 = _17 in Core_Option_Option_Type.C_Some (any borrowed usize)); - [#"../03_std_iterators.rs" 29 4 29 87] _22 <- ([#"../03_std_iterators.rs" 29 4 29 87] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _17); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] _17 <- (let Core_Option_Option_Type.C_Some x0 = _17 in Core_Option_Option_Type.C_Some (any borrowed usize)); + [#"../03_std_iterators.rs" 29 4 29 87] _22 <- ([#"../03_std_iterators.rs" 29 4 29 87] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB13 } BB13 { [#"../03_std_iterators.rs" 29 4 29 87] produced <- ([#"../03_std_iterators.rs" 29 4 29 87] _22); - [#"../03_std_iterators.rs" 29 4 29 87] _22 <- any Ghost.ghost_ty (Seq.seq (borrowed usize)); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] x <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- any borrowed usize; + [#"../03_std_iterators.rs" 29 4 29 87] _22 <- any Snapshot.snap_ty (Seq.seq (borrowed usize)); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] x <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem); + 
[#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- any borrowed usize; [#"../03_std_iterators.rs" 31 8 31 14] x <- { x with current = ([#"../03_std_iterators.rs" 31 8 31 14] [#"../03_std_iterators.rs" 31 13 31 14] (0 : usize)) ; }; assume { resolve2 x }; goto BB6 @@ -1421,9 +1422,9 @@ module C03StdIterators_SkipTake end module CreusotContracts_Std1_Iter_MapInv_MapInv_Type use seq.Seq - use prelude.Ghost + use prelude.Snapshot type t_mapinv 'i 'b 'f = - | C_MapInv 'i 'f (Ghost.ghost_ty (Seq.seq 'b)) + | C_MapInv 'i 'f (Snapshot.snap_ty (Seq.seq 'b)) let function mapinv_iter (self : t_mapinv 'i 'b 'f) : 'i = [@vc:do_not_keep_trace] [@vc:sp] match self with @@ -1433,7 +1434,7 @@ module CreusotContracts_Std1_Iter_MapInv_MapInv_Type match self with | C_MapInv _ a _ -> a end - let function mapinv_produced (self : t_mapinv 'i 'b 'f) : Ghost.ghost_ty (Seq.seq 'b) + let function mapinv_produced (self : t_mapinv 'i 'b 'f) : Snapshot.snap_ty (Seq.seq 'b) = [@vc:do_not_keep_trace] [@vc:sp] match self with | C_MapInv _ _ a -> a @@ -1442,7 +1443,7 @@ end module C03StdIterators_Counter_Closure0_Type use prelude.UInt32 use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.Int16 use prelude.UIntSize use prelude.Int @@ -1455,7 +1456,7 @@ module C03StdIterators_Counter_Closure0 use prelude.Int16 use prelude.UInt32 use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.Int use prelude.UIntSize use prelude.Borrow 
@@ -1474,16 +1475,16 @@ module C03StdIterators_Counter_Closure0 let constant max0 : usize = [@vc:do_not_keep_trace] [@vc:sp] (18446744073709551615 : usize) use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.UIntSize predicate resolve0 (self : borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) : bool ensures { result = resolve0 self } - let rec cfg c03StdIterators_Counter_Closure0 [#"../03_std_iterators.rs" 48 12 48 91] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (x : uint32) (_prod : Ghost.ghost_ty (Seq.seq uint32)) : uint32 - requires {[#"../03_std_iterators.rs" 47 23 47 65] UIntSize.to_int ( * field_00 ( * _1)) = Seq.length (Ghost.inner _prod) /\ * field_00 ( * _1) < max0} - ensures { [#"../03_std_iterators.rs" 48 22 48 89] UIntSize.to_int ( * field_00 ( ^ _1)) = UIntSize.to_int ( * field_00 ( * _1)) + 1 /\ UIntSize.to_int ( * field_00 ( ^ _1)) = Seq.length (Ghost.inner _prod) + 1 /\ result = x } + let rec cfg c03StdIterators_Counter_Closure0 [#"../03_std_iterators.rs" 48 12 48 91] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (x : uint32) (_prod : Snapshot.snap_ty (Seq.seq uint32)) : uint32 + requires {[#"../03_std_iterators.rs" 47 23 47 65] UIntSize.to_int ( * field_00 ( * _1)) = Seq.length (Snapshot.inner _prod) /\ * field_00 ( * _1) < max0} + ensures { [#"../03_std_iterators.rs" 48 22 48 89] UIntSize.to_int ( * field_00 ( ^ _1)) = UIntSize.to_int ( * field_00 ( * _1)) + 1 /\ UIntSize.to_int ( * field_00 ( ^ _1)) = Seq.length (Snapshot.inner _prod) + 1 /\ result = x } ensures { unnest0 ( * _1) ( ^ _1) } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -1508,17 +1509,17 @@ end module C03StdIterators_Counter use prelude.UInt32 use seq.Seq - use prelude.Ghost - predicate invariant15 (self : Ghost.ghost_ty (Seq.seq uint32)) = + use prelude.Snapshot + predicate invariant15 (self : Snapshot.snap_ty (Seq.seq uint32)) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true - val invariant15 (self : Ghost.ghost_ty (Seq.seq uint32)) : bool + val invariant15 (self : Snapshot.snap_ty (Seq.seq uint32)) : bool ensures { result = invariant15 self } - predicate inv15 (_x : Ghost.ghost_ty (Seq.seq uint32)) - val inv15 (_x : Ghost.ghost_ty (Seq.seq uint32)) : bool + predicate inv15 (_x : Snapshot.snap_ty (Seq.seq uint32)) + val inv15 (_x : Snapshot.snap_ty (Seq.seq uint32)) : bool ensures { result = inv15 _x } - axiom inv15 : forall x : Ghost.ghost_ty (Seq.seq uint32) . inv15 x = true + axiom inv15 : forall x : Snapshot.snap_ty (Seq.seq uint32) . inv15 x = true use prelude.Slice predicate invariant14 (self : slice uint32) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true 
@@ -1631,23 +1632,23 @@ module C03StdIterators_Counter = ^ field_00 _2 = ^ field_00 self use seq.Seq - use prelude.Ghost - predicate postcondition_mut0 [#"../03_std_iterators.rs" 48 12 48 91] (self : borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (args : (uint32, Ghost.ghost_ty (Seq.seq uint32))) (result : uint32) + use prelude.Snapshot + predicate postcondition_mut0 [#"../03_std_iterators.rs" 48 12 48 91] (self : borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (args : (uint32, Snapshot.snap_ty (Seq.seq uint32))) (result : uint32) = - (let (x, _prod) = args in UIntSize.to_int ( * field_00 ( ^ self)) = UIntSize.to_int ( * field_00 ( * self)) + 1 /\ UIntSize.to_int ( * field_00 ( ^ self)) = Seq.length (Ghost.inner _prod) + 1 /\ result = x) /\ unnest0 ( * self) ( ^ self) + (let (x, _prod) = args in UIntSize.to_int ( * field_00 ( ^ self)) = UIntSize.to_int ( * field_00 ( * self)) + 1 /\ UIntSize.to_int ( * field_00 ( ^ self)) = Seq.length (Snapshot.inner _prod) + 1 /\ result = x) /\ unnest0 ( * self) ( ^ self) use seq.Seq - predicate precondition0 [#"../03_std_iterators.rs" 48 12 48 91] (self : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (args : (uint32, Ghost.ghost_ty (Seq.seq uint32))) + predicate precondition0 [#"../03_std_iterators.rs" 48 12 48 91] (self : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (args : (uint32, Snapshot.snap_ty (Seq.seq uint32))) = - [#"../03_std_iterators.rs" 47 23 47 65] let (x, _prod) = args in UIntSize.to_int ( * field_00 self) = Seq.length (Ghost.inner _prod) /\ * field_00 self < max0 - use prelude.Ghost + [#"../03_std_iterators.rs" 47 23 47 65] let (x, _prod) = args in UIntSize.to_int ( * field_00 self) = Seq.length (Snapshot.inner _prod) /\ * field_00 self < max0 + use prelude.Snapshot use seq_ext.SeqExt use seq.Seq use seq.Seq use seq.Seq use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.Slice function shallow_model5 
(self : slice uint32) : Seq.seq uint32 val shallow_model5 (self : slice uint32) : Seq.seq uint32 
@@ -1689,11 +1690,11 @@ module C03StdIterators_Counter predicate produces1 [@inline:trivial] (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (visited : Seq.seq uint32) (succ : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9] unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ) /\ (exists s : Seq.seq uint32 . inv9 s /\ Seq.length s = Seq.length visited /\ produces0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter self) s (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter succ) /\ Ghost.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced succ) = Seq.(++) (Ghost.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) s /\ (exists fs : Seq.seq (borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) . inv13 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9] unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ) /\ (exists s : Seq.seq uint32 . 
inv9 s /\ Seq.length s = Seq.length visited /\ produces0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter self) s (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter succ) /\ Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced succ) = Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) s /\ (exists fs : Seq.seq (borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) . inv13 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ else * Seq.get fs 0 = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self /\ ^ Seq.get fs (Seq.length visited - 1) = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces1 [@inline:trivial] (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (visited : Seq.seq uint32) (succ : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) : bool ensures { result = produces1 self visited succ } @@ -1749,7 +1750,7 @@ module C03StdIterators_Counter predicate next_precondition0 (iter : Core_Slice_Iter_Iter_Type.t_iter uint32) (func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (produced : Seq.seq uint32) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 112 8 116 9] forall i : Core_Slice_Iter_Iter_Type.t_iter uint32 . forall e : uint32 . inv2 i -> inv3 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 112 8 116 9] forall i : Core_Slice_Iter_Iter_Type.t_iter uint32 . forall e : uint32 . inv2 i -> inv3 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 (iter : Core_Slice_Iter_Iter_Type.t_iter uint32) (func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (produced : Seq.seq uint32) : bool ensures { result = next_precondition0 iter func produced } 
@@ -1757,7 +1758,7 @@ module C03StdIterators_Counter predicate preservation0 (iter : Core_Slice_Iter_Iter_Type.t_iter uint32) (func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 135 8 142 9] forall i : Core_Slice_Iter_Iter_Type.t_iter uint32 . forall b : uint32 . forall f : borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i -> inv11 b -> inv12 f -> inv3 e2 -> inv3 e1 -> inv9 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 135 8 142 9] forall i : Core_Slice_Iter_Iter_Type.t_iter uint32 . forall b : uint32 . forall f : borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i -> inv11 b -> inv12 f -> inv3 e2 -> inv3 e1 -> inv9 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 (iter : Core_Slice_Iter_Iter_Type.t_iter uint32) (func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) : bool ensures { result = preservation0 iter func } 
@@ -1902,7 +1903,7 @@ module C03StdIterators_Counter predicate completed0 (self : borrowed (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0)) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 15 8 18 9] Ghost.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced ( ^ self)) = Seq.empty /\ completed1 (Borrow.borrow_logic (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter ( * self)) (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func ( * self) = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func ( ^ self) + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 15 8 18 9] Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced ( ^ self)) = Seq.empty /\ completed1 (Borrow.borrow_logic (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter ( * self)) (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func ( * self) = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func ( ^ self) val completed0 (self : borrowed (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0)) : bool ensures { result = completed0 self } 
@@ -1923,7 +1924,7 @@ module C03StdIterators_Counter predicate resolve1 (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 56 4 56 16] resolve3 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter self) /\ resolve4 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 56 4 56 27] resolve3 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter self) /\ resolve4 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) val resolve1 (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) : bool ensures { result = resolve1 self } 
@@ -1933,13 +1934,13 @@ module C03StdIterators_Counter ensures { inv8 result } val map_inv0 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) (func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 - requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 43 4 43 138] forall i2 : Core_Slice_Iter_Iter_Type.t_iter uint32 . forall e : uint32 . inv2 i2 -> inv3 e -> produces0 self (Seq.singleton e) i2 -> precondition0 func (e, Ghost.new (Seq.empty ))} + requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 43 4 43 141] forall i2 : Core_Slice_Iter_Iter_Type.t_iter uint32 . forall e : uint32 . inv2 i2 -> inv3 e -> produces0 self (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 44 15 44 51] reinitialize0 ()} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 45 15 45 70] preservation0 self func} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 47 21 47 25] inv2 self} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 47 27 47 31] inv4 func} - ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 46 14 46 85] result = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.C_MapInv self func (Ghost.new (Seq.empty )) } - ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 47 4 50 58] inv5 result } + ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 46 14 46 88] result = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.C_MapInv self func (Snapshot.new (Seq.empty )) } + ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 47 4 50 61] inv5 result } val iter0 (self : slice uint32) : Core_Slice_Iter_Iter_Type.t_iter uint32 requires {inv1 self} 
@@ -2114,7 +2115,7 @@ module C03StdIterators_SumRange ensures { result = invariant0 self } axiom inv0 : forall x : Core_Ops_Range_Range_Type.t_range isize . inv0 x = true - use prelude.Ghost + use prelude.Snapshot use seq.Seq predicate resolve0 (self : borrowed (Core_Ops_Range_Range_Type.t_range isize)) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self @@ -2134,11 +2135,11 @@ module C03StdIterators_SumRange end } ensures { inv2 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_Range_Type.t_range isize) (res : Core_Ops_Range_Range_Type.t_range isize) = @@ -2166,13 +2167,13 @@ module C03StdIterators_SumRange var n : isize = n; var i : isize; var iter : Core_Ops_Range_Range_Type.t_range isize; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range isize); - var produced : Ghost.ghost_ty (Seq.seq isize); + var iter_old : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range isize); + var produced : Snapshot.snap_ty (Seq.seq isize); var _17 : Core_Option_Option_Type.t_option isize; var _18 : borrowed (Core_Ops_Range_Range_Type.t_range isize); var _19 : borrowed (Core_Ops_Range_Range_Type.t_range isize); var __creusot_proc_iter_elem : isize; - var _22 : Ghost.ghost_ty (Seq.seq isize); + var _22 : Snapshot.snap_ty (Seq.seq isize); { goto BB0 } 
@@ -2182,11 +2183,11 @@ module C03StdIterators_SumRange goto BB1 } BB1 { - [#"../03_std_iterators.rs" 65 4 65 48] iter_old <- ([#"../03_std_iterators.rs" 65 4 65 48] Ghost.new iter); + [#"../03_std_iterators.rs" 65 4 65 48] iter_old <- ([#"../03_std_iterators.rs" 65 4 65 48] Snapshot.new iter); goto BB2 } BB2 { - [#"../03_std_iterators.rs" 65 4 65 48] produced <- ([#"../03_std_iterators.rs" 65 4 65 48] Ghost.new (Seq.empty )); + [#"../03_std_iterators.rs" 65 4 65 48] produced <- ([#"../03_std_iterators.rs" 65 4 65 48] Snapshot.new (Seq.empty )); goto BB3 } BB3 { @@ -2194,8 +2195,8 @@ module C03StdIterators_SumRange } BB4 { invariant { [#"../03_std_iterators.rs" 65 4 65 48] inv0 iter }; - invariant { [#"../03_std_iterators.rs" 65 4 65 48] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../03_std_iterators.rs" 65 16 65 46] IntSize.to_int i = Seq.length (Ghost.inner produced) /\ i <= n }; + invariant { [#"../03_std_iterators.rs" 65 4 65 48] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../03_std_iterators.rs" 65 16 65 46] IntSize.to_int i = Seq.length (Snapshot.inner produced) /\ i <= n }; goto BB5 } BB5 { 
@@ -2226,13 +2227,13 @@ module C03StdIterators_SumRange absurd } BB10 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _17); - [#"../03_std_iterators.rs" 65 4 65 48] _22 <- ([#"../03_std_iterators.rs" 65 4 65 48] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _17); + [#"../03_std_iterators.rs" 65 4 65 48] _22 <- ([#"../03_std_iterators.rs" 65 4 65 48] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB11 } BB11 { [#"../03_std_iterators.rs" 65 4 65 48] produced <- ([#"../03_std_iterators.rs" 65 4 65 48] _22); - [#"../03_std_iterators.rs" 65 4 65 48] _22 <- any Ghost.ghost_ty (Seq.seq isize); + [#"../03_std_iterators.rs" 65 4 65 48] _22 <- any Snapshot.snap_ty (Seq.seq isize); [#"../03_std_iterators.rs" 67 8 67 14] i <- ([#"../03_std_iterators.rs" 67 8 67 14] i + ([#"../03_std_iterators.rs" 67 13 67 14] [#"../03_std_iterators.rs" 67 13 67 14] (1 : isize))); goto BB4 } @@ -2419,7 +2420,7 @@ module C03StdIterators_EnumerateRange axiom inv0 : forall x : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize) . inv0 x = (invariant0 x /\ match x with | Core_Iter_Adapters_Enumerate_Enumerate_Type.C_Enumerate iter count -> true end) - use prelude.Ghost + use prelude.Snapshot predicate resolve4 (self : Core_Ops_Range_Range_Type.t_range usize) = [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve4 (self : Core_Ops_Range_Range_Type.t_range usize) : bool 
@@ -2465,16 +2466,17 @@ module C03StdIterators_EnumerateRange end } ensures { inv4 result } - use prelude.Ghost - function index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq (usize, usize))) (ix : int) : (usize, usize) = - [#"../../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Ghost.inner self) ix - val index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq (usize, usize))) (ix : int) : (usize, usize) + use prelude.Snapshot + function index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq (usize, usize))) (ix : int) : (usize, usize) + = + [#"../../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Snapshot.inner self) ix + val index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq (usize, usize))) (ix : int) : (usize, usize) ensures { result = index_logic0 self ix } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)) (res : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)) = 
@@ -2506,13 +2508,13 @@ module C03StdIterators_EnumerateRange var _0 : (); var iter : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize); var _2 : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize); - var iter_old : Ghost.ghost_ty (Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)); - var produced : Ghost.ghost_ty (Seq.seq (usize, usize)); + var iter_old : Snapshot.snap_ty (Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)); + var produced : Snapshot.snap_ty (Seq.seq (usize, usize)); var _12 : Core_Option_Option_Type.t_option (usize, usize); var _13 : borrowed (Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)); var _14 : borrowed (Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)); var __creusot_proc_iter_elem : (usize, usize); - var _17 : Ghost.ghost_ty (Seq.seq (usize, usize)); + var _17 : Snapshot.snap_ty (Seq.seq (usize, usize)); var ix : usize; var x : usize; var _21 : (usize, usize); @@ -2529,11 +2531,11 @@ module C03StdIterators_EnumerateRange goto BB2 } BB2 { - [#"../03_std_iterators.rs" 73 4 73 96] iter_old <- ([#"../03_std_iterators.rs" 73 4 73 96] Ghost.new iter); + [#"../03_std_iterators.rs" 73 4 73 96] iter_old <- ([#"../03_std_iterators.rs" 73 4 73 96] Snapshot.new iter); goto BB3 } BB3 { - [#"../03_std_iterators.rs" 73 4 73 96] produced <- ([#"../03_std_iterators.rs" 73 4 73 96] Ghost.new (Seq.empty )); + [#"../03_std_iterators.rs" 73 4 73 96] produced <- ([#"../03_std_iterators.rs" 73 4 73 96] Snapshot.new (Seq.empty )); goto BB4 } BB4 { 
@@ -2541,8 +2543,8 @@ module C03StdIterators_EnumerateRange } BB5 { invariant { [#"../03_std_iterators.rs" 73 4 73 96] inv0 iter }; - invariant { [#"../03_std_iterators.rs" 73 4 73 96] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../03_std_iterators.rs" 73 4 73 96] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner produced) -> (let (a, _) = index_logic0 produced i in a) = (let (_, a) = index_logic0 produced i in a) }; + invariant { [#"../03_std_iterators.rs" 73 4 73 96] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../03_std_iterators.rs" 73 4 73 96] forall i : int . 0 <= i /\ i < Seq.length (Snapshot.inner produced) -> (let (a, _) = index_logic0 produced i in a) = (let (_, a) = index_logic0 produced i in a) }; goto BB6 } BB6 { 
@@ -2580,13 +2582,13 @@ module C03StdIterators_EnumerateRange absurd } BB11 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _12); - [#"../03_std_iterators.rs" 73 4 73 96] _17 <- ([#"../03_std_iterators.rs" 73 4 73 96] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _12); + [#"../03_std_iterators.rs" 73 4 73 96] _17 <- ([#"../03_std_iterators.rs" 73 4 73 96] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB12 } BB12 { [#"../03_std_iterators.rs" 73 4 73 96] produced <- ([#"../03_std_iterators.rs" 73 4 73 96] _17); - [#"../03_std_iterators.rs" 73 4 73 96] _17 <- any Ghost.ghost_ty (Seq.seq (usize, usize)); + [#"../03_std_iterators.rs" 73 4 73 96] _17 <- any Snapshot.snap_ty (Seq.seq (usize, usize)); [#"../03_std_iterators.rs" 74 9 74 11] ix <- ([#"../03_std_iterators.rs" 74 9 74 11] let (a, _) = __creusot_proc_iter_elem in a); [#"../03_std_iterators.rs" 74 13 74 14] x <- ([#"../03_std_iterators.rs" 74 13 74 14] let (_, a) = __creusot_proc_iter_elem in a); assume { resolve1 __creusot_proc_iter_elem }; 
@@ -2813,16 +2815,16 @@ module C03StdIterators_MyReverse ensures { result = invariant1 self } axiom inv1 : forall x : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize) . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (slice t))) - val invariant0 (self : Ghost.ghost_ty (borrowed (slice t))) : bool + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (slice t))) + val invariant0 (self : Snapshot.snap_ty (borrowed (slice t))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (slice t))) - val inv0 (_x : Ghost.ghost_ty (borrowed (slice t))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (slice t))) + val inv0 (_x : Snapshot.snap_ty (borrowed (slice t))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (slice t)) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (slice t)) . inv0 x = true use seq.Seq use seq.Reverse use prelude.Slice 
@@ -2909,22 +2911,22 @@ module C03StdIterators_MyReverse val equiv_range0 [#"../03_std_iterators.rs" 80 0 80 65] (s1 : Seq.seq t) (s2 : Seq.seq t) (l : int) (u : int) : bool ensures { result = equiv_range0 s1 s2 l u } - use prelude.Ghost + use prelude.Snapshot function shallow_model5 (self : borrowed (slice t)) : Seq.seq t = [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model1 self val shallow_model5 (self : borrowed (slice t)) : Seq.seq t ensures { result = shallow_model5 self } - use prelude.Ghost - function shallow_model2 (self : Ghost.ghost_ty (borrowed (slice t))) : Seq.seq t = - [#"../../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model5 (Ghost.inner self) - val shallow_model2 (self : Ghost.ghost_ty (borrowed (slice t))) : Seq.seq t + use prelude.Snapshot + function shallow_model2 (self : Snapshot.snap_ty (borrowed (slice t))) : Seq.seq t = + [#"../../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model5 (Snapshot.inner self) + val shallow_model2 (self : Snapshot.snap_ty (borrowed (slice t))) : Seq.seq t ensures { result = shallow_model2 self } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post1 (self : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)) (res : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)) = 
@@ -2965,11 +2967,11 @@ module C03StdIterators_MyReverse ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 125 26 125 62] into_iter_post0 other (iterb0 result) } ensures { inv1 result } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (slice t))) - val resolve0 (self : Ghost.ghost_ty (borrowed (slice t))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (slice t))) + val resolve0 (self : Snapshot.snap_ty (borrowed (slice t))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot function shallow_model4 (self : slice t) : Seq.seq t = [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model3 self val shallow_model4 (self : slice t) : Seq.seq t 
@@ -2987,18 +2989,18 @@ module C03StdIterators_MyReverse var _0 : (); var slice : borrowed (slice t) = slice; var n : usize; - var old_v : Ghost.ghost_ty (borrowed (slice t)); + var old_v : Snapshot.snap_ty (borrowed (slice t)); var iter : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize); var _8 : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize); var _12 : bool; var _16 : bool; - var iter_old : Ghost.ghost_ty (Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)); - var produced : Ghost.ghost_ty (Seq.seq (usize, usize)); + var iter_old : Snapshot.snap_ty (Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)); + var produced : Snapshot.snap_ty (Seq.seq (usize, usize)); var _28 : Core_Option_Option_Type.t_option (usize, usize); var _29 : borrowed (Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)); var _30 : borrowed (Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)); var __creusot_proc_iter_elem : (usize, usize); - var _33 : Ghost.ghost_ty (Seq.seq (usize, usize)); + var _33 : Snapshot.snap_ty (Seq.seq (usize, usize)); var i : usize; var j : usize; var _37 : (); @@ -3011,7 +3013,7 @@ module C03StdIterators_MyReverse goto BB1 } BB1 { - [#"../03_std_iterators.rs" 96 33 96 46] old_v <- ([#"../03_std_iterators.rs" 96 33 96 46] Ghost.new slice); + [#"../03_std_iterators.rs" 96 36 96 55] old_v <- ([#"../03_std_iterators.rs" 96 36 96 55] Snapshot.new slice); goto BB2 } BB2 { 
@@ -3036,11 +3038,11 @@ module C03StdIterators_MyReverse goto BB6 } BB6 { - [#"../03_std_iterators.rs" 97 4 97 36] iter_old <- ([#"../03_std_iterators.rs" 97 4 97 36] Ghost.new iter); + [#"../03_std_iterators.rs" 97 4 97 36] iter_old <- ([#"../03_std_iterators.rs" 97 4 97 36] Snapshot.new iter); goto BB7 } BB7 { - [#"../03_std_iterators.rs" 97 4 97 36] produced <- ([#"../03_std_iterators.rs" 97 4 97 36] Ghost.new (Seq.empty )); + [#"../03_std_iterators.rs" 97 4 97 36] produced <- ([#"../03_std_iterators.rs" 97 4 97 36] Snapshot.new (Seq.empty )); goto BB8 } BB8 { 
@@ -3048,11 +3050,11 @@ module C03StdIterators_MyReverse } BB9 { invariant { [#"../03_std_iterators.rs" 97 4 97 36] inv1 iter }; - invariant { [#"../03_std_iterators.rs" 97 4 97 36] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; + invariant { [#"../03_std_iterators.rs" 97 4 97 36] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; invariant { [#"../03_std_iterators.rs" 97 16 97 34] UIntSize.to_int n = Seq.length (shallow_model1 slice) }; - invariant { [#"../03_std_iterators.rs" 98 16 98 78] equiv_range0 (shallow_model1 slice) (shallow_model2 old_v) (Seq.length (Ghost.inner produced)) (UIntSize.to_int n - Seq.length (Ghost.inner produced)) }; - invariant { [#"../03_std_iterators.rs" 99 16 99 76] equiv_reverse_range0 (shallow_model1 slice) (shallow_model2 old_v) 0 (Seq.length (Ghost.inner produced)) (UIntSize.to_int n - 1) }; - invariant { [#"../03_std_iterators.rs" 100 16 100 80] equiv_reverse_range0 (shallow_model1 slice) (shallow_model2 old_v) (UIntSize.to_int n - Seq.length (Ghost.inner produced)) (UIntSize.to_int n) (UIntSize.to_int n - 1) }; + invariant { [#"../03_std_iterators.rs" 98 16 98 78] equiv_range0 (shallow_model1 slice) (shallow_model2 old_v) (Seq.length (Snapshot.inner produced)) (UIntSize.to_int n - Seq.length (Snapshot.inner produced)) }; + invariant { [#"../03_std_iterators.rs" 99 16 99 76] equiv_reverse_range0 (shallow_model1 slice) (shallow_model2 old_v) 0 (Seq.length (Snapshot.inner produced)) (UIntSize.to_int n - 1) }; + invariant { [#"../03_std_iterators.rs" 100 16 100 80] equiv_reverse_range0 (shallow_model1 slice) (shallow_model2 old_v) (UIntSize.to_int n - Seq.length (Snapshot.inner produced)) (UIntSize.to_int n) (UIntSize.to_int n - 1) }; goto BB10 } BB10 { 
@@ -3087,13 +3089,13 @@ module C03StdIterators_MyReverse absurd } BB15 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _28); - [#"../03_std_iterators.rs" 97 4 97 36] _33 <- ([#"../03_std_iterators.rs" 97 4 97 36] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _28); + [#"../03_std_iterators.rs" 97 4 97 36] _33 <- ([#"../03_std_iterators.rs" 97 4 97 36] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB16 } BB16 { [#"../03_std_iterators.rs" 97 4 97 36] produced <- ([#"../03_std_iterators.rs" 97 4 97 36] _33); - [#"../03_std_iterators.rs" 97 4 97 36] _33 <- any Ghost.ghost_ty (Seq.seq (usize, usize)); + [#"../03_std_iterators.rs" 97 4 97 36] _33 <- any Snapshot.snap_ty (Seq.seq (usize, usize)); [#"../03_std_iterators.rs" 101 9 101 10] i <- ([#"../03_std_iterators.rs" 101 9 101 10] let (a, _) = __creusot_proc_iter_elem in a); [#"../03_std_iterators.rs" 101 12 101 13] j <- ([#"../03_std_iterators.rs" 101 12 101 13] let (_, a) = __creusot_proc_iter_elem in a); assume { resolve2 __creusot_proc_iter_elem }; diff --git a/creusot/tests/should_succeed/iterators/03_std_iterators.rs b/creusot/tests/should_succeed/iterators/03_std_iterators.rs index 9eacdb997d..48129ab740 100644 --- a/creusot/tests/should_succeed/iterators/03_std_iterators.rs +++ b/creusot/tests/should_succeed/iterators/03_std_iterators.rs 
@@ -93,7 +93,7 @@ fn equiv_reverse_range(s1: Seq, s2: Seq, l: Int, u: Int, n: Int) -> boo
 #[ensures((^slice)@.ext_eq(slice@.reverse()))]
 pub fn my_reverse(slice: &mut [T]) {
 let n = slice.len();
- let old_v: Ghost<&mut [T]> = gh! { slice };
+ let old_v: Snapshot<&mut [T]> = snapshot! { slice };
 #[invariant(n@ == slice@.len())]
 #[invariant(equiv_range(slice@, old_v@, produced.len(), n@-produced.len()))]
 #[invariant(equiv_reverse_range(slice@, old_v@, 0, produced.len(), n@-1))]
diff --git a/creusot/tests/should_succeed/iterators/04_skip.mlcfg b/creusot/tests/should_succeed/iterators/04_skip.mlcfg
index 247a964a99..c8924be797 100644
--- a/creusot/tests/should_succeed/iterators/04_skip.mlcfg
+++ b/creusot/tests/should_succeed/iterators/04_skip.mlcfg
@@ -296,25 +296,25 @@ module C04Skip_Impl0_Next ensures { result = produces_refl0 self } axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) - use prelude.Ghost - predicate invariant1 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant1 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + use prelude.Snapshot + predicate invariant1 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant1 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant1 self } - predicate inv1 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv1 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate inv1 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv1 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv1 _x } - axiom inv1 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv1 x = true - predicate invariant0 (self : Ghost.ghost_ty (borrowed (C04Skip_Skip_Type.t_skip i))) - val invariant0 (self : Ghost.ghost_ty (borrowed (C04Skip_Skip_Type.t_skip i))) : bool + axiom inv1 : forall x : Snapshot.snap_ty (Seq.seq item0) . inv1 x = true + predicate invariant0 (self : Snapshot.snap_ty (borrowed (C04Skip_Skip_Type.t_skip i))) + val invariant0 (self : Snapshot.snap_ty (borrowed (C04Skip_Skip_Type.t_skip i))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (C04Skip_Skip_Type.t_skip i))) - val inv0 (_x : Ghost.ghost_ty (borrowed (C04Skip_Skip_Type.t_skip i))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (C04Skip_Skip_Type.t_skip i))) + val inv0 (_x : Snapshot.snap_ty (borrowed (C04Skip_Skip_Type.t_skip i))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (C04Skip_Skip_Type.t_skip i)) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (C04Skip_Skip_Type.t_skip i)) . 
inv0 x = true predicate resolve3 (self : item0) val resolve3 (self : item0) : bool ensures { result = resolve3 self } @@ -357,19 +357,19 @@ module C04Skip_Impl0_Next end } ensures { [#"../common.rs" 27 26 27 44] inv5 result } - use prelude.Ghost - function index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq item0)) (ix : int) : item0 = - [#"../../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Ghost.inner self) ix - val index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq item0)) (ix : int) : item0 + use prelude.Snapshot + function index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq item0)) (ix : int) : item0 = + [#"../../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Snapshot.inner self) ix + val index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq item0)) (ix : int) : item0 ensures { result = index_logic0 self ix } - use prelude.Ghost - use prelude.Ghost - predicate resolve2 (self : Ghost.ghost_ty (Seq.seq item0)) - val resolve2 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + use prelude.Snapshot + use prelude.Snapshot + predicate resolve2 (self : Snapshot.snap_ty (Seq.seq item0)) + val resolve2 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = resolve2 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve1 (self : borrowed usize) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed usize) : bool 
@@ -386,11 +386,11 @@ module C04Skip_Impl0_Next ensures { [#"../../../../../creusot-contracts/src/std/mem.rs" 16 22 16 42] is_default0 ( ^ dest) } ensures { inv7 result } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (C04Skip_Skip_Type.t_skip i))) - val resolve0 (self : Ghost.ghost_ty (borrowed (C04Skip_Skip_Type.t_skip i))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (C04Skip_Skip_Type.t_skip i))) + val resolve0 (self : Snapshot.snap_ty (borrowed (C04Skip_Skip_Type.t_skip i))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg next [#"../04_skip.rs" 63 4 63 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (C04Skip_Skip_Type.t_skip i)) : Core_Option_Option_Type.t_option item0 requires {[#"../04_skip.rs" 63 17 63 21] inv2 self} ensures { [#"../04_skip.rs" 59 14 62 5] match result with @@ -402,20 +402,20 @@ module C04Skip_Impl0_Next = [@vc:do_not_keep_trace] [@vc:sp] var _0 : Core_Option_Option_Type.t_option item0; var self : borrowed (C04Skip_Skip_Type.t_skip i) = self; - var old_self : Ghost.ghost_ty (borrowed (C04Skip_Skip_Type.t_skip i)); + var old_self : Snapshot.snap_ty (borrowed (C04Skip_Skip_Type.t_skip i)); var n : usize; var _6 : borrowed usize; var _7 : borrowed usize; - var skipped : Ghost.ghost_ty (Seq.seq item0); + var skipped : Snapshot.snap_ty (Seq.seq item0); var r : Core_Option_Option_Type.t_option item0; var _18 : borrowed i; var x : item0; - var _25 : Ghost.ghost_ty (Seq.seq item0); + var _25 : Snapshot.snap_ty (Seq.seq item0); { goto BB0 } BB0 { - [#"../04_skip.rs" 64 23 64 35] old_self <- ([#"../04_skip.rs" 64 23 64 35] Ghost.new self); + [#"../04_skip.rs" 64 23 64 41] old_self <- ([#"../04_skip.rs" 64 23 64 41] Snapshot.new self); goto BB1 } BB1 { 
@@ -431,7 +431,7 @@ module C04Skip_Impl0_Next } BB2 { assume { resolve1 _7 }; - [#"../04_skip.rs" 66 26 66 44] skipped <- ([#"../04_skip.rs" 66 26 66 44] Ghost.new (Seq.empty )); + [#"../04_skip.rs" 66 26 66 50] skipped <- ([#"../04_skip.rs" 66 26 66 50] Snapshot.new (Seq.empty )); goto BB3 } BB3 { @@ -440,9 +440,9 @@ module C04Skip_Impl0_Next goto BB4 } BB4 { - invariant { [#"../04_skip.rs" 67 20 67 53] Seq.length (Ghost.inner skipped) + UIntSize.to_int n = UIntSize.to_int (C04Skip_Skip_Type.skip_n ( * Ghost.inner old_self)) }; - invariant { [#"../04_skip.rs" 67 8 67 55] produces0 (C04Skip_Skip_Type.skip_iter ( * Ghost.inner old_self)) (Ghost.inner skipped) (C04Skip_Skip_Type.skip_iter ( * self)) }; - invariant { [#"../04_skip.rs" 67 8 67 55] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner skipped) -> resolve3 (index_logic0 skipped i) }; + invariant { [#"../04_skip.rs" 67 20 67 53] Seq.length (Snapshot.inner skipped) + UIntSize.to_int n = UIntSize.to_int (C04Skip_Skip_Type.skip_n ( * Snapshot.inner old_self)) }; + invariant { [#"../04_skip.rs" 67 8 67 55] produces0 (C04Skip_Skip_Type.skip_iter ( * Snapshot.inner old_self)) (Snapshot.inner skipped) (C04Skip_Skip_Type.skip_iter ( * self)) }; + invariant { [#"../04_skip.rs" 67 8 67 55] forall i : int . 0 <= i /\ i < Seq.length (Snapshot.inner skipped) -> resolve3 (index_logic0 skipped i) }; invariant { [#"../04_skip.rs" 70 20 70 35] UIntSize.to_int (C04Skip_Skip_Type.skip_n ( * self)) = 0 }; invariant { [#"../04_skip.rs" 71 20 71 29] inv2 self }; goto BB5 
@@ -491,12 +491,12 @@ module C04Skip_Impl0_Next assume { resolve3 x }; assert { [@expl:type invariant] inv5 r }; assume { resolve4 r }; - [#"../04_skip.rs" 78 26 78 67] _25 <- ([#"../04_skip.rs" 78 26 78 67] Ghost.new (Seq.(++) (Ghost.inner skipped) (Seq.singleton x))); + [#"../04_skip.rs" 78 26 78 73] _25 <- ([#"../04_skip.rs" 78 26 78 73] Snapshot.new (Seq.(++) (Snapshot.inner skipped) (Seq.singleton x))); goto BB12 } BB12 { - [#"../04_skip.rs" 78 16 78 67] skipped <- ([#"../04_skip.rs" 78 16 78 67] _25); - [#"../04_skip.rs" 78 16 78 67] _25 <- any Ghost.ghost_ty (Seq.seq item0); + [#"../04_skip.rs" 78 16 78 73] skipped <- ([#"../04_skip.rs" 78 16 78 73] _25); + [#"../04_skip.rs" 78 16 78 73] _25 <- any Snapshot.snap_ty (Seq.seq item0); assert { [@expl:type invariant] inv1 skipped }; assume { resolve2 skipped }; [#"../04_skip.rs" 79 16 79 22] n <- ([#"../04_skip.rs" 79 16 79 22] n - ([#"../04_skip.rs" 79 21 79 22] [#"../04_skip.rs" 79 21 79 22] (1 : usize))); diff --git a/creusot/tests/should_succeed/iterators/04_skip.rs b/creusot/tests/should_succeed/iterators/04_skip.rs index ff5ebbc063..792f7a31d8 100644 --- a/creusot/tests/should_succeed/iterators/04_skip.rs +++ b/creusot/tests/should_succeed/iterators/04_skip.rs @@ -18,7 +18,7 @@ where type Item = I::Item; #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { (^self).n@ == 0 && @@ -32,7 +32,7 @@ where } #[open] - #[predicate] + #[predicate(prophetic)] fn produces(self, visited: Seq, o: Self) -> bool { pearlite! { visited == Seq::EMPTY && self == o || 
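Review bot: The `prophetic` marker added to `produces` in the `@@ -32` hunk is not justified by anything visible: its only visible disjunct, `visited == Seq::EMPTY && self == o`, reads no final value, whereas the same marker on `completed` is clearly forced by `(^self).n@`. Since `prophetic` is the more permissive mode and, as I understand the new distinction, a prophetic predicate can no longer be evaluated inside a `snapshot!` in program code, it should be granted only where some sub-term actually needs it. If a disjunct outside the hunk does mention `^` or calls a prophetic predicate (a `.resolve()` on the skipped items, like the one in `next`'s loop invariant, would be one), a one-line comment naming it would make the marker auditable, e.g. `// prophetic: a later disjunct calls resolve() on the skipped items`; otherwise `(prophetic)` should be dropped here. The body of `produces` continues past the end of the hunk, so this is a question to confirm rather than a defect I can point at.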
@@ -61,9 +61,9 @@ where Some(v) => (*self).produces(Seq::singleton(v), ^self) })] fn next(&mut self) -> Option { - let old_self = gh! { self }; + let old_self = snapshot! { self }; let mut n = std::mem::take(&mut self.n); - let mut skipped = gh! { Seq::EMPTY }; + let mut skipped = snapshot! { Seq::EMPTY }; #[invariant(skipped.len() + n@ == old_self.n@)] #[invariant(old_self.iter.produces(skipped.inner(), self.iter))] #[invariant(forall 0 <= i && i < skipped.len() ==> skipped[i].resolve())] @@ -75,7 +75,7 @@ where return r; } if let Some(x) = r { - skipped = gh! { skipped.concat(Seq::singleton(x)) }; + skipped = snapshot! { skipped.concat(Seq::singleton(x)) }; n -= 1 } else { return r; diff --git a/creusot/tests/should_succeed/iterators/05_map.mlcfg b/creusot/tests/should_succeed/iterators/05_map.mlcfg index e8ee06ea2e..f03f4055a9 100644 --- a/creusot/tests/should_succeed/iterators/05_map.mlcfg +++ b/creusot/tests/should_succeed/iterators/05_map.mlcfg @@ -1220,7 +1220,7 @@ module C05Map_Impl0_Next val completed0 [#"../05_map.rs" 22 4 22 35] (self : borrowed (C05Map_Map_Type.t_map i b f)) : bool ensures { result = completed0 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve2 (self : borrowed (C05Map_Map_Type.t_map i b f)) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed (C05Map_Map_Type.t_map i b f)) : bool 
@@ -1233,11 +1233,11 @@ module C05Map_Impl0_Next ensures { [#"../../../../../creusot-contracts/src/std/ops.rs" 148 0 172 1] postcondition_mut0 self args result } ensures { inv8 result } - predicate resolve1 (self : Ghost.ghost_ty ()) - val resolve1 (self : Ghost.ghost_ty ()) : bool + predicate resolve1 (self : Snapshot.snap_ty ()) + val resolve1 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve1 self } - use prelude.Ghost + use prelude.Snapshot function produces_one_invariant0 [#"../05_map.rs" 107 4 107 73] (self : C05Map_Map_Type.t_map i b f) (e : item0) (r : b) (f : borrowed f) (iter : i) : () val produces_one_invariant0 [#"../05_map.rs" 107 4 107 73] (self : C05Map_Map_Type.t_map i b f) (e : item0) (r : b) (f : borrowed f) (iter : i) : () @@ -1278,7 +1278,7 @@ module C05Map_Impl0_Next var _3 : Core_Option_Option_Type.t_option item0; var _4 : borrowed i; var v : item0; - var _9 : Ghost.ghost_ty (); + var _9 : Snapshot.snap_ty (); var _11 : b; var _12 : borrowed f; { @@ -1326,7 +1326,7 @@ module C05Map_Impl0_Next goto BB6 } BB6 { - [#"../05_map.rs" 64 16 64 52] _9 <- ([#"../05_map.rs" 64 16 64 52] Ghost.new ()); + [#"../05_map.rs" 64 16 64 58] _9 <- ([#"../05_map.rs" 64 16 64 58] Snapshot.new ()); goto BB7 } BB7 { diff --git a/creusot/tests/should_succeed/iterators/05_map.rs b/creusot/tests/should_succeed/iterators/05_map.rs index f3bd5283ab..971ea5dbe3 100644 --- a/creusot/tests/should_succeed/iterators/05_map.rs +++ b/creusot/tests/should_succeed/iterators/05_map.rs @@ -18,7 +18,7 @@ impl B> Iterator for Map { type Item = B; #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { self.iter.completed() && (*self).func == (^self).func } } @@ -36,7 +36,7 @@ impl B> Iterator for Map { fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) {} #[open] - #[predicate] + #[predicate(prophetic)] #[why3::attr = "inline:trivial"] fn produces(self, visited: Seq, succ: Self) -> bool { pearlite! { 
@@ -61,7 +61,7 @@ impl B> Iterator for Map { match self.iter.next() { Some(v) => { proof_assert! { self.func.precondition((v,)) }; - gh! { Self::produces_one_invariant }; + snapshot! { Self::produces_one_invariant }; Some((self.func)(v)) } None => None, @@ -70,14 +70,14 @@ impl B> Iterator for Map { } impl B> Map { - #[predicate] + #[predicate(prophetic)] fn next_precondition(iter: I, func: F) -> bool { pearlite! { forall iter.produces(Seq::singleton(e), i) ==> func.precondition((e,)) } } - #[predicate] + #[predicate(prophetic)] fn preservation(iter: I, func: F) -> bool { pearlite! { forall, e1: I::Item, e2: I::Item, f: &mut F, b: B, i: I> @@ -89,7 +89,7 @@ impl B> Map { } } - #[predicate] + #[predicate(prophetic)] fn reinitialize() -> bool { pearlite! { forall @@ -98,7 +98,7 @@ impl B> Map { } } - #[ghost] + #[logic] #[requires(self.iter.produces(Seq::singleton(e), iter))] #[requires(*f == self.func)] #[requires(f.postcondition_mut((e,), r) )] @@ -112,7 +112,7 @@ impl B> Map { } } - #[predicate] + #[predicate(prophetic)] #[ensures(result == self.produces(Seq::singleton(visited), succ))] fn produces_one(self, visited: B, succ: Self) -> bool { pearlite! { @@ -126,7 +126,7 @@ impl B> Map { impl B> Invariant for Map { // Should not quantify over self or the `invariant` cannot be made into a type invariant - #[predicate] + #[predicate(prophetic)] #[open(self)] fn invariant(self) -> bool { pearlite! { diff --git a/creusot/tests/should_succeed/iterators/06_map_precond.mlcfg b/creusot/tests/should_succeed/iterators/06_map_precond.mlcfg index 034ca354fa..0a3bb325c0 100644 --- a/creusot/tests/should_succeed/iterators/06_map_precond.mlcfg +++ b/creusot/tests/should_succeed/iterators/06_map_precond.mlcfg 
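Review bot: The bare `snapshot! { Self::produces_one_invariant };` in `next` (the `@@ -61` hunk) discards its value and carries no explanation, so it reads as dead code that a later cleanup could delete with no compile error, silently weakening the proof. Presumably naming the lemma inside a snapshot is what brings its `#[ensures]` clauses into scope for the prover when `next`'s postcondition is discharged; if that is the mechanism, say so at the call site, e.g. `// Lemma invocation: mentioning produces_one_invariant makes its spec available to the prover; the snapshot value itself is unused.` Adding that `snapshot!` is erased at runtime, so the line costs nothing in the compiled iterator, would also help a reader who is not a Creusot user. The body of `next` begins before this hunk.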
@@ -2,11 +2,11 @@ module C06MapPrecond_Map_Type type item0 use seq.Seq - use prelude.Ghost + use prelude.Snapshot type t_map 'i 'b 'f 'proj0 = - | C_Map 'i 'f (Ghost.ghost_ty (Seq.seq 'proj0)) + | C_Map 'i 'f (Snapshot.snap_ty (Seq.seq 'proj0)) - let function map_produced (self : t_map 'i 'b 'f 'proj0) : Ghost.ghost_ty (Seq.seq 'proj0) + let function map_produced (self : t_map 'i 'b 'f 'proj0) : Snapshot.snap_ty (Seq.seq 'proj0) = [@vc:do_not_keep_trace] [@vc:sp] match self with | C_Map _ _ a -> a 
@@ -26,31 +26,31 @@ module C06MapPrecond_Impl1_PreservationInv_Impl type f type item0 use seq.Seq - use prelude.Ghost - predicate invariant6 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) - val invariant6 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + use prelude.Snapshot + predicate invariant6 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) + val invariant6 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = invariant6 self } - predicate inv6 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) - val inv6 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate inv6 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) + val inv6 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = inv6 _x } - axiom inv6 : forall x : (item0, Ghost.ghost_ty (Seq.seq item0)) . inv6 x = true + axiom inv6 : forall x : (item0, Snapshot.snap_ty (Seq.seq item0)) . inv6 x = true predicate resolve0 (self : f) val resolve0 (self : f) : bool ensures { result = resolve0 self } use prelude.Borrow - predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_mut0 self _2 _3 } predicate inv4 (_x : borrowed f) val inv4 (_x : borrowed f) : bool ensures { result = inv4 _x } - predicate postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty 
(Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_once0 self _2 _3 } predicate inv3 (_x : b) 
@@ -61,14 +61,14 @@ module C06MapPrecond_Impl1_PreservationInv_Impl val inv1 (_x : f) : bool ensures { result = inv1 _x } - function fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + val fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv1 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv6 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv4 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . 
inv4 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -89,15 +89,16 @@ module C06MapPrecond_Impl1_PreservationInv_Impl ensures { result = unnest_refl0 self } axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) - function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + + val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv4 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv6 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant5 (self : item0) val invariant5 (self : item0) : bool ensures { result = invariant5 self } 
@@ -165,14 +166,14 @@ module C06MapPrecond_Impl1_PreservationInv_Impl ensures { result = invariant0 self } axiom inv0 : forall x : i . inv0 x = true - predicate precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) - val precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) + val precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = precondition0 self _2 } - use prelude.Ghost + use prelude.Snapshot use seq.Seq predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv3 b -> inv4 f -> inv5 e2 -> inv5 e1 -> inv2 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv3 b -> inv4 f -> inv5 e2 -> inv5 e1 -> inv2 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } 
@@ -183,7 +184,7 @@ module C06MapPrecond_Impl1_PreservationInv_Impl ensures { [#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> result = preservation0 iter func } = [@vc:do_not_keep_trace] [@vc:sp] - [#"../06_map_precond.rs" 94 8 101 9] pure {forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv3 b -> inv4 f -> inv5 e2 -> inv5 e1 -> inv2 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1))} + [#"../06_map_precond.rs" 94 8 101 9] pure {forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv3 b -> inv4 f -> inv5 e2 -> inv5 e1 -> inv2 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1))} end module C06MapPrecond_Impl0_ProducesRefl_Impl type i 
@@ -219,16 +220,16 @@ module C06MapPrecond_Impl0_ProducesRefl_Impl axiom inv8 : forall x : b . inv8 x = true use seq.Seq - use prelude.Ghost - predicate invariant7 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) - val invariant7 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + use prelude.Snapshot + predicate invariant7 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) + val invariant7 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = invariant7 self } - predicate inv7 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) - val inv7 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate inv7 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) + val inv7 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = inv7 _x } - axiom inv7 : forall x : (item0, Ghost.ghost_ty (Seq.seq item0)) . inv7 x = true + axiom inv7 : forall x : (item0, Snapshot.snap_ty (Seq.seq item0)) . inv7 x = true predicate invariant6 (self : borrowed f) val invariant6 (self : borrowed f) : bool ensures { result = invariant6 self } 
@@ -238,15 +239,15 @@ module C06MapPrecond_Impl0_ProducesRefl_Impl ensures { result = inv6 _x } axiom inv6 : forall x : borrowed f . inv6 x = true - predicate invariant5 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant5 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate invariant5 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant5 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant5 self } - predicate inv5 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv5 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate inv5 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv5 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv5 _x } - axiom inv5 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv5 x = true + axiom inv5 : forall x : Snapshot.snap_ty (Seq.seq item0) . inv5 x = true predicate invariant4 (self : f) val invariant4 (self : f) : bool ensures { result = invariant4 self } 
@@ -287,22 +288,22 @@ module C06MapPrecond_Impl0_ProducesRefl_Impl val resolve0 (self : f) : bool ensures { result = resolve0 self } - predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_mut0 self _2 _3 } - predicate postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_once0 self _2 _3 } - function fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + val fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv4 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv7 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv7 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv7 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -323,15 +324,16 @@ module C06MapPrecond_Impl0_ProducesRefl_Impl ensures { result = unnest_refl0 self } axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) - function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + + val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv7 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv7 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv7 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) use seq.Seq predicate produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) val produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) : bool 
@@ -357,25 +359,25 @@ module C06MapPrecond_Impl0_ProducesRefl_Impl ensures { result = produces_refl0 self } axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) - predicate precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) - val precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) + val precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = precondition0 self _2 } - use prelude.Ghost + use prelude.Snapshot use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv3 i -> inv10 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv3 i -> inv10 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } use seq.Seq predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv3 i -> inv8 b -> inv6 f -> inv10 e2 -> inv10 e1 -> inv1 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . 
forall e1 : item0 . forall s : Seq.seq item0 . inv3 i -> inv8 b -> inv6 f -> inv10 e2 -> inv10 e1 -> inv1 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv3 i -> inv8 b -> inv6 f -> inv10 e2 -> inv10 e1 -> inv1 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv3 i -> inv8 b -> inv6 f -> inv10 e2 -> inv10 e1 -> inv1 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv3 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv4 func} 
@@ -383,7 +385,7 @@ module C06MapPrecond_Impl0_ProducesRefl_Impl ensures { result = preservation_inv0 iter func produced } axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv3 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv4 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv1 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) - use prelude.Ghost + use prelude.Snapshot predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed0 self } @@ -395,7 +397,7 @@ module C06MapPrecond_Impl0_ProducesRefl_Impl use C06MapPrecond_Map_Type as C06MapPrecond_Map_Type predicate invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) + [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) val invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = invariant0 self } 
@@ -412,17 +414,17 @@ module C06MapPrecond_Impl0_ProducesRefl_Impl use seq.Seq use prelude.Int use seq.Seq - use prelude.Ghost + use prelude.Snapshot use seq.Seq use seq.Seq predicate produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv1 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Ghost.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv2 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv1 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv2 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C06MapPrecond_Map_Type.map_func self = C06MapPrecond_Map_Type.map_func succ else * Seq.get fs 0 = C06MapPrecond_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C06MapPrecond_Map_Type.map_func succ - ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = produces0 self visited succ } 
@@ -468,16 +470,16 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl axiom inv9 : forall x : b . inv9 x = true use seq.Seq - use prelude.Ghost - predicate invariant8 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) - val invariant8 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + use prelude.Snapshot + predicate invariant8 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) + val invariant8 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = invariant8 self } - predicate inv8 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) - val inv8 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate inv8 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) + val inv8 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = inv8 _x } - axiom inv8 : forall x : (item0, Ghost.ghost_ty (Seq.seq item0)) . inv8 x = true + axiom inv8 : forall x : (item0, Snapshot.snap_ty (Seq.seq item0)) . inv8 x = true predicate invariant7 (self : borrowed f) val invariant7 (self : borrowed f) : bool ensures { result = invariant7 self } 
@@ -487,15 +489,15 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl ensures { result = inv7 _x } axiom inv7 : forall x : borrowed f . inv7 x = true - predicate invariant6 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant6 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate invariant6 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant6 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant6 self } - predicate inv6 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv6 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate inv6 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv6 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv6 _x } - axiom inv6 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv6 x = true + axiom inv6 : forall x : Snapshot.snap_ty (Seq.seq item0) . inv6 x = true predicate invariant5 (self : f) val invariant5 (self : f) : bool ensures { result = invariant5 self } 
@@ -536,22 +538,22 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl val resolve0 (self : f) : bool ensures { result = resolve0 self } - predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_mut0 self _2 _3 } - predicate postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_once0 self _2 _3 } - function fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + val fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv5 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv8 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv9 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv8 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv9 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv7 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv8 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv9 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv7 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -572,15 +574,16 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl ensures { result = unnest_refl0 self } axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) - function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + + val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv7 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv8 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv9 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv8 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv9 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv8 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv9 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) use seq.Seq predicate produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) val produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) : bool 
@@ -615,25 +618,25 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl ensures { result = inv1 _x } axiom inv1 : forall x : Seq.seq b . inv1 x = true - predicate precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) - val precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) + val precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = precondition0 self _2 } - use prelude.Ghost + use prelude.Snapshot use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv4 i -> inv11 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv4 i -> inv11 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } use seq.Seq predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv9 b -> inv7 f -> inv11 e2 -> inv11 e1 -> inv2 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv4 i -> inv9 b -> inv7 f -> inv11 e2 -> inv11 e1 -> inv2 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv9 b -> inv7 f -> inv11 e2 -> inv11 e1 -> inv2 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv9 b -> inv7 f -> inv11 e2 -> inv11 e1 -> inv2 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv4 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv5 func} 
@@ -641,7 +644,7 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl ensures { result = preservation_inv0 iter func produced } axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv4 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv5 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv2 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) - use prelude.Ghost + use prelude.Snapshot predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed0 self } @@ -653,7 +656,7 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl use C06MapPrecond_Map_Type as C06MapPrecond_Map_Type predicate invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) + [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) val invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = invariant0 self } 
@@ -671,17 +674,17 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl use seq.Seq use prelude.Int use seq.Seq - use prelude.Ghost + use prelude.Snapshot use seq.Seq use seq.Seq predicate produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv2 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Ghost.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv3 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv2 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv3 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C06MapPrecond_Map_Type.map_func self = C06MapPrecond_Map_Type.map_func succ else * Seq.get fs 0 = C06MapPrecond_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C06MapPrecond_Map_Type.map_func succ - ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = produces0 self visited succ } 
@@ -725,16 +728,16 @@ module C06MapPrecond_Impl1_ProducesOne_Impl axiom inv11 : forall x : borrowed i . inv11 x = true type item0 use seq.Seq - use prelude.Ghost - predicate invariant10 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) - val invariant10 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + use prelude.Snapshot + predicate invariant10 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) + val invariant10 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = invariant10 self } - predicate inv10 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) - val inv10 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate inv10 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) + val inv10 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = inv10 _x } - axiom inv10 : forall x : (item0, Ghost.ghost_ty (Seq.seq item0)) . inv10 x = true + axiom inv10 : forall x : (item0, Snapshot.snap_ty (Seq.seq item0)) . inv10 x = true predicate invariant9 (self : Seq.seq b) val invariant9 (self : Seq.seq b) : bool ensures { result = invariant9 self } 
@@ -744,15 +747,15 @@ module C06MapPrecond_Impl1_ProducesOne_Impl ensures { result = inv9 _x } axiom inv9 : forall x : Seq.seq b . inv9 x = true - predicate invariant8 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant8 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate invariant8 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant8 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant8 self } - predicate inv8 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv8 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate inv8 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv8 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv8 _x } - axiom inv8 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv8 x = true + axiom inv8 : forall x : Snapshot.snap_ty (Seq.seq item0) . inv8 x = true predicate invariant7 (self : f) val invariant7 (self : f) : bool ensures { result = invariant7 self } 
@@ -793,30 +796,30 @@ module C06MapPrecond_Impl1_ProducesOne_Impl val resolve0 (self : f) : bool ensures { result = resolve0 self } - predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_mut0 self _2 _3 } predicate inv2 (_x : borrowed f) val inv2 (_x : borrowed f) : bool ensures { result = inv2 _x } - predicate postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_once0 self _2 _3 } predicate inv1 (_x : b) val inv1 (_x : b) : bool ensures { result = inv1 _x } - function fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + val fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv7 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv10 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv1 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : 
(item0, Ghost.ghost_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv10 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv1 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv10 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv1 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -837,15 +840,16 @@ module C06MapPrecond_Impl1_ProducesOne_Impl ensures { result = unnest_refl0 self } axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) - function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + + val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv2 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv10 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv1 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv10 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv1 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv10 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv1 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant3 (self : item0) val invariant3 (self : item0) : bool ensures { result = invariant3 self } 
@@ -892,28 +896,28 @@ module C06MapPrecond_Impl1_ProducesOne_Impl ensures { result = inv0 _x } use seq.Seq - predicate precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) - val precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) + val precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = precondition0 self _2 } - use prelude.Ghost + use prelude.Snapshot use seq_ext.SeqExt use seq.Seq use seq.Seq use prelude.Int use seq.Seq - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot use seq.Seq use seq.Seq predicate produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv4 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Ghost.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv5 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . 
inv4 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv5 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C06MapPrecond_Map_Type.map_func self = C06MapPrecond_Map_Type.map_func succ else * Seq.get fs 0 = C06MapPrecond_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C06MapPrecond_Map_Type.map_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = produces0 self visited succ } 
@@ -947,18 +951,18 @@ module C06MapPrecond_Impl1_ProducesOne_Impl axiom inv1 : forall x : b . inv1 x = true use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv6 i -> inv3 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv6 i -> inv3 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } use seq.Seq predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv6 i -> inv1 b -> inv2 f -> inv3 e2 -> inv3 e1 -> inv4 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv6 i -> inv1 b -> inv2 f -> inv3 e2 -> inv3 e1 -> inv4 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv6 i -> inv1 b -> inv2 f -> inv3 e2 -> inv3 e1 -> inv4 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv6 i -> inv1 b -> inv2 f -> inv3 e2 -> inv3 e1 -> inv4 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv6 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv7 func} 
@@ -976,7 +980,7 @@ module C06MapPrecond_Impl1_ProducesOne_Impl ensures { result = reinitialize0 _1 } predicate invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) + [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) val invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = invariant0 self } 
@@ -991,7 +995,7 @@ module C06MapPrecond_Impl1_ProducesOne_Impl ensures { [#"../06_map_precond.rs" 141 14 141 68] result = produces0 self (Seq.singleton visited) succ } = [@vc:do_not_keep_trace] [@vc:sp] - [#"../06_map_precond.rs" 143 8 149 9] pure {exists f : borrowed f . inv2 f /\ * f = C06MapPrecond_Map_Type.map_func self /\ ^ f = C06MapPrecond_Map_Type.map_func succ /\ (exists e : item0 . inv3 e /\ produces1 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) (C06MapPrecond_Map_Type.map_iter succ) /\ Ghost.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.snoc (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) e /\ precondition0 ( * f) (e, C06MapPrecond_Map_Type.map_produced self) /\ postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) visited)} + [#"../06_map_precond.rs" 143 8 149 9] pure {exists f : borrowed f . inv2 f /\ * f = C06MapPrecond_Map_Type.map_func self /\ ^ f = C06MapPrecond_Map_Type.map_func succ /\ (exists e : item0 . inv3 e /\ produces1 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e /\ precondition0 ( * f) (e, C06MapPrecond_Map_Type.map_produced self) /\ postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) visited)} end module C06MapPrecond_Impl1_ProducesOneInvariant_Impl type i 
@@ -1009,25 +1013,25 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl axiom inv9 : forall x : borrowed i . inv9 x = true type item0 use seq.Seq - use prelude.Ghost - predicate invariant8 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant8 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + use prelude.Snapshot + predicate invariant8 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant8 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant8 self } - predicate inv8 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv8 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate inv8 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv8 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv8 _x } - axiom inv8 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv8 x = true - predicate invariant7 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) - val invariant7 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + axiom inv8 : forall x : Snapshot.snap_ty (Seq.seq item0) . inv8 x = true + predicate invariant7 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) + val invariant7 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = invariant7 self } - predicate inv7 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) - val inv7 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate inv7 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) + val inv7 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = inv7 _x } - axiom inv7 : forall x : (item0, Ghost.ghost_ty (Seq.seq item0)) . inv7 x = true + axiom inv7 : forall x : (item0, Snapshot.snap_ty (Seq.seq item0)) . inv7 x = true predicate invariant6 (self : f) val invariant6 (self : f) : bool ensures { result = invariant6 self } 
@@ -1082,23 +1086,23 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl ensures { result = inv1 _x } axiom inv1 : forall x : item0 . inv1 x = true - predicate precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) - val precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) + val precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = precondition0 self _2 } - use prelude.Ghost + use prelude.Snapshot predicate produces0 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) val produces0 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) : bool ensures { result = produces0 self visited o } use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv4 i -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv4 i -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } - predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_mut0 self _2 _3 } use seq.Seq 
@@ -1108,13 +1112,13 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl ensures { result = unnest0 self _2 } predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv2 b -> inv3 f -> inv1 e2 -> inv1 e1 -> inv5 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv2 b -> inv3 f -> inv1 e2 -> inv1 e1 -> inv5 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } use seq.Seq predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv2 b -> inv3 f -> inv1 e2 -> inv1 e1 -> inv5 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv4 i -> inv2 b -> inv3 f -> inv1 e2 -> inv1 e1 -> inv5 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv4 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv6 func} @@ -1122,7 +1126,7 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl ensures { result = preservation_inv0 iter func produced } axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv4 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv6 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv5 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) - use prelude.Ghost + use prelude.Snapshot predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed0 self } 
@@ -1134,7 +1138,7 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl use C06MapPrecond_Map_Type as C06MapPrecond_Map_Type predicate invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) + [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) val invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = invariant0 self } 
@@ -1149,18 +1153,18 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl val resolve0 (self : f) : bool ensures { result = resolve0 self } - predicate postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_once0 self _2 _3 } - function fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + val fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv6 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv7 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv7 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv3 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv7 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv3 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) function unnest_trans0 (self : f) (b : f) (c : f) : () val unnest_trans0 (self : f) (b : f) (c : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b} 
@@ -1177,15 +1181,16 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl ensures { result = unnest_refl0 self } axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) - function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + + val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv3 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv7 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv7 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv7 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) function produces_trans0 [#"../common.rs" 21 4 21 91] (a : i) (ab : Seq.seq item0) (b : i) (bc : Seq.seq item0) (c : i) : () val produces_trans0 [#"../common.rs" 21 4 21 91] (a : i) (ab : Seq.seq item0) (b : i) (bc : Seq.seq item0) (c : i) : () @@ -1214,8 +1219,8 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl requires {[#"../06_map_precond.rs" 132 48 132 49] inv2 r} requires {[#"../06_map_precond.rs" 132 54 132 55] inv3 f} requires {[#"../06_map_precond.rs" 132 65 132 69] inv4 iter} - ensures { [#"../06_map_precond.rs" 130 14 130 69] preservation_inv0 iter ( ^ f) (Seq.snoc (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) e) } - ensures { [#"../06_map_precond.rs" 131 14 131 70] next_precondition0 iter ( ^ f) (Seq.snoc (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) e) } + ensures { [#"../06_map_precond.rs" 130 14 130 69] preservation_inv0 iter ( ^ f) (Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e) } + ensures { [#"../06_map_precond.rs" 131 14 131 70] next_precondition0 iter ( ^ f) (Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e) } = [@vc:do_not_keep_trace] [@vc:sp] [#"../06_map_precond.rs" 126 4 126 12] let _ = let a = pure {forall i : i . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv1 e2 -> inv1 e1 -> inv5 s -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> produces0 (C06MapPrecond_Map_Type.map_iter self) (Seq.snoc (Seq.snoc (Seq.(++) (Seq.singleton e) s) e1) e2) i} in assert {a} in () 
@@ -1254,9 +1259,9 @@ module C06MapPrecond_Impl0_Next ensures { result = inv11 _x } axiom inv11 : forall x : item0 . inv11 x = true - use prelude.Ghost - predicate inv3 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv3 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + use prelude.Snapshot + predicate inv3 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv3 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv3 _x } predicate inv2 (_x : f) 
@@ -1267,23 +1272,23 @@ module C06MapPrecond_Impl0_Next val inv0 (_x : i) : bool ensures { result = inv0 _x } - predicate precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) - val precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) + val precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = precondition0 self _2 } - use prelude.Ghost + use prelude.Snapshot predicate produces0 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) val produces0 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) : bool ensures { result = produces0 self visited o } use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv0 i -> inv11 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv0 i -> inv11 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } - predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_mut0 self _2 _3 } use seq.Seq 
@@ -1301,13 +1306,13 @@ module C06MapPrecond_Impl0_Next ensures { result = inv9 _x } predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv9 b -> inv7 f -> inv11 e2 -> inv11 e1 -> inv12 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv9 b -> inv7 f -> inv11 e2 -> inv11 e1 -> inv12 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } use seq.Seq predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv9 b -> inv7 f -> inv11 e2 -> inv11 e1 -> inv12 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv0 i -> inv9 b -> inv7 f -> inv11 e2 -> inv11 e1 -> inv12 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv0 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv2 func} @@ -1315,7 +1320,7 @@ module C06MapPrecond_Impl0_Next ensures { result = preservation_inv0 iter func produced } axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv0 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv2 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv12 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) - use prelude.Ghost + use prelude.Snapshot predicate completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed1 self } 
@@ -1331,7 +1336,7 @@ module C06MapPrecond_Impl0_Next use C06MapPrecond_Map_Type as C06MapPrecond_Map_Type predicate invariant10 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) + [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) val invariant10 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = invariant10 self } 
@@ -1351,22 +1356,22 @@ module C06MapPrecond_Impl0_Next val resolve4 (self : f) : bool ensures { result = resolve4 self } - predicate postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_once0 self _2 _3 } - predicate inv8 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) - val inv8 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate inv8 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) + val inv8 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = inv8 _x } - function fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + val fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv8 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv9 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv8 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv9 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv7 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve4 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv8 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv9 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv7 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve4 ( ^ s))) function unnest_trans0 (self : f) (b : f) (c : f) : () val unnest_trans0 (self : f) (b : f) (c : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b} 
@@ -1383,20 +1388,21 @@ module C06MapPrecond_Impl0_Next ensures { result = unnest_refl0 self } axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) - function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + + val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv7 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv8 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv9 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv8 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv9 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) - predicate invariant8 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) - val invariant8 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv8 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv9 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + predicate invariant8 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) + val invariant8 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = invariant8 self } - axiom inv8 : forall x : (item0, Ghost.ghost_ty (Seq.seq item0)) . inv8 x = true + axiom inv8 : forall x : (item0, Snapshot.snap_ty (Seq.seq item0)) . inv8 x = true predicate invariant7 (self : borrowed f) val invariant7 (self : borrowed f) : bool ensures { result = invariant7 self } 
@@ -1426,11 +1432,11 @@ module C06MapPrecond_Impl0_Next ensures { result = inv4 _x } axiom inv4 : forall x : borrowed (C06MapPrecond_Map_Type.t_map i b f item0) . inv4 x = (inv10 ( * x) /\ inv10 ( ^ x)) - predicate invariant3 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant3 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate invariant3 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant3 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant3 self } - axiom inv3 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv3 x = true + axiom inv3 : forall x : Snapshot.snap_ty (Seq.seq item0) . inv3 x = true predicate invariant2 (self : f) val invariant2 (self : f) : bool ensures { result = invariant2 self } @@ -1469,7 +1475,7 @@ module C06MapPrecond_Impl0_Next ensures { result = invariant0 self } axiom inv0 : forall x : i . inv0 x = true - use prelude.Ghost + use prelude.Snapshot use seq.Seq use seq_ext.SeqExt use seq.Seq 
@@ -1481,11 +1487,11 @@ module C06MapPrecond_Impl0_Next predicate produces1 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv12 s /\ Seq.length s = Seq.length visited /\ produces0 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Ghost.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv13 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv12 s /\ Seq.length s = Seq.length visited /\ produces0 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv13 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C06MapPrecond_Map_Type.map_func self = C06MapPrecond_Map_Type.map_func succ else * Seq.get fs 0 = C06MapPrecond_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C06MapPrecond_Map_Type.map_func succ - ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces1 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = produces1 self visited succ } 
@@ -1493,7 +1499,7 @@ module C06MapPrecond_Impl0_Next predicate produces_one0 [#"../06_map_precond.rs" 142 4 142 57] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 143 8 149 9] exists f : borrowed f . inv7 f /\ * f = C06MapPrecond_Map_Type.map_func self /\ ^ f = C06MapPrecond_Map_Type.map_func succ /\ (exists e : item0 . inv11 e /\ produces0 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) (C06MapPrecond_Map_Type.map_iter succ) /\ Ghost.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.snoc (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) e /\ precondition0 ( * f) (e, C06MapPrecond_Map_Type.map_produced self) /\ postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) visited) + [#"../06_map_precond.rs" 143 8 149 9] exists f : borrowed f . inv7 f /\ * f = C06MapPrecond_Map_Type.map_func self /\ ^ f = C06MapPrecond_Map_Type.map_func succ /\ (exists e : item0 . inv11 e /\ produces0 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e /\ precondition0 ( * f) (e, C06MapPrecond_Map_Type.map_produced self) /\ postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) visited) val produces_one0 [#"../06_map_precond.rs" 142 4 142 57] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) : bool requires {[#"../06_map_precond.rs" 142 20 142 24] inv10 self} requires {[#"../06_map_precond.rs" 142 26 142 33] inv9 visited} 
@@ -1503,15 +1509,15 @@ module C06MapPrecond_Impl0_Next axiom produces_one0_spec : forall self : C06MapPrecond_Map_Type.t_map i b f item0, visited : b, succ : C06MapPrecond_Map_Type.t_map i b f item0 . ([#"../06_map_precond.rs" 142 20 142 24] inv10 self) -> ([#"../06_map_precond.rs" 142 26 142 33] inv9 visited) -> ([#"../06_map_precond.rs" 142 38 142 42] inv10 succ) -> ([#"../06_map_precond.rs" 141 14 141 68] produces_one0 self visited succ = produces1 self (Seq.singleton visited) succ) predicate completed0 [#"../06_map_precond.rs" 21 4 21 35] (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) = - [#"../06_map_precond.rs" 22 8 25 9] Ghost.inner (C06MapPrecond_Map_Type.map_produced ( ^ self)) = Seq.empty /\ completed1 (Borrow.borrow_logic (C06MapPrecond_Map_Type.map_iter ( * self)) (C06MapPrecond_Map_Type.map_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ C06MapPrecond_Map_Type.map_func ( * self) = C06MapPrecond_Map_Type.map_func ( ^ self) + [#"../06_map_precond.rs" 22 8 25 9] Snapshot.inner (C06MapPrecond_Map_Type.map_produced ( ^ self)) = Seq.empty /\ completed1 (Borrow.borrow_logic (C06MapPrecond_Map_Type.map_iter ( * self)) (C06MapPrecond_Map_Type.map_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ C06MapPrecond_Map_Type.map_func ( * self) = C06MapPrecond_Map_Type.map_func ( ^ self) val completed0 [#"../06_map_precond.rs" 21 4 21 35] (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) : bool ensures { result = completed0 self } - predicate resolve3 (self : Ghost.ghost_ty ()) - val resolve3 (self : Ghost.ghost_ty ()) : bool + predicate resolve3 (self : Snapshot.snap_ty ()) + val resolve3 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve3 self } - use prelude.Ghost + use prelude.Snapshot function produces_one_invariant0 [#"../06_map_precond.rs" 132 4 132 73] (self : C06MapPrecond_Map_Type.t_map i b f item0) (e : item0) (r : b) (f : borrowed f) (iter : i) : () val produces_one_invariant0 
[#"../06_map_precond.rs" 132 4 132 73] (self : C06MapPrecond_Map_Type.t_map i b f item0) (e : item0) (r : b) (f : borrowed f) (iter : i) : () 
@@ -1525,17 +1531,17 @@ module C06MapPrecond_Impl0_Next requires {[#"../06_map_precond.rs" 132 65 132 69] inv0 iter} ensures { result = produces_one_invariant0 self e r f iter } - axiom produces_one_invariant0_spec : forall self : C06MapPrecond_Map_Type.t_map i b f item0, e : item0, r : b, f : borrowed f, iter : i . ([#"../06_map_precond.rs" 127 4 127 60] produces0 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) iter) -> ([#"../06_map_precond.rs" 128 15 128 30] * f = C06MapPrecond_Map_Type.map_func self) -> ([#"../06_map_precond.rs" 129 15 129 57] postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) r) -> ([#"../06_map_precond.rs" 132 30 132 34] inv10 self) -> ([#"../06_map_precond.rs" 132 36 132 37] inv11 e) -> ([#"../06_map_precond.rs" 132 48 132 49] inv9 r) -> ([#"../06_map_precond.rs" 132 54 132 55] inv7 f) -> ([#"../06_map_precond.rs" 132 65 132 69] inv0 iter) -> ([#"../06_map_precond.rs" 131 14 131 70] next_precondition0 iter ( ^ f) (Seq.snoc (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) e)) && ([#"../06_map_precond.rs" 130 14 130 69] preservation_inv0 iter ( ^ f) (Seq.snoc (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) e)) + axiom produces_one_invariant0_spec : forall self : C06MapPrecond_Map_Type.t_map i b f item0, e : item0, r : b, f : borrowed f, iter : i . 
([#"../06_map_precond.rs" 127 4 127 60] produces0 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) iter) -> ([#"../06_map_precond.rs" 128 15 128 30] * f = C06MapPrecond_Map_Type.map_func self) -> ([#"../06_map_precond.rs" 129 15 129 57] postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) r) -> ([#"../06_map_precond.rs" 132 30 132 34] inv10 self) -> ([#"../06_map_precond.rs" 132 36 132 37] inv11 e) -> ([#"../06_map_precond.rs" 132 48 132 49] inv9 r) -> ([#"../06_map_precond.rs" 132 54 132 55] inv7 f) -> ([#"../06_map_precond.rs" 132 65 132 69] inv0 iter) -> ([#"../06_map_precond.rs" 131 14 131 70] next_precondition0 iter ( ^ f) (Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e)) && ([#"../06_map_precond.rs" 130 14 130 69] preservation_inv0 iter ( ^ f) (Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e)) predicate resolve2 (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) : bool ensures { result = resolve2 self } - predicate resolve1 (self : Ghost.ghost_ty (Seq.seq item0)) - val resolve1 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate resolve1 (self : Snapshot.snap_ty (Seq.seq item0)) + val resolve1 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = resolve1 self } - val call_mut0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) : b + val call_mut0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) : b requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 160 27 160 52] precondition0 ( * self) args} requires {inv7 self} requires {inv8 args} 
@@ -1568,11 +1574,11 @@ module C06MapPrecond_Impl0_Next var _3 : Core_Option_Option_Type.t_option item0; var _4 : borrowed i; var v : item0; - var produced : Ghost.ghost_ty (Seq.seq item0); + var produced : Snapshot.snap_ty (Seq.seq item0); var r : b; var _12 : borrowed f; - var _17 : Ghost.ghost_ty (); - var _20 : Ghost.ghost_ty (Seq.seq item0); + var _17 : Snapshot.snap_ty (); + var _20 : Snapshot.snap_ty (Seq.seq item0); { goto BB0 } @@ -1593,7 +1599,7 @@ module C06MapPrecond_Impl0_Next BB2 { assert { [@expl:type invariant] inv1 _3 }; assume { resolve0 _3 }; - [#"../06_map_precond.rs" 74 32 74 50] _20 <- ([#"../06_map_precond.rs" 74 32 74 50] Ghost.new (Seq.empty )); + [#"../06_map_precond.rs" 74 32 74 56] _20 <- ([#"../06_map_precond.rs" 74 32 74 56] Snapshot.new (Seq.empty )); goto BB14 } BB3 { @@ -1616,7 +1622,7 @@ module C06MapPrecond_Impl0_Next goto BB6 } BB6 { - [#"../06_map_precond.rs" 67 31 67 60] produced <- ([#"../06_map_precond.rs" 67 31 67 60] Ghost.new (Seq.snoc (Ghost.inner (C06MapPrecond_Map_Type.map_produced ( * self))) v)); + [#"../06_map_precond.rs" 67 31 67 66] produced <- ([#"../06_map_precond.rs" 67 31 67 66] Snapshot.new (Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced ( * self))) v)); goto BB7 } BB7 { @@ -1639,7 +1645,7 @@ module C06MapPrecond_Impl0_Next assume { resolve1 (C06MapPrecond_Map_Type.map_produced ( * self)) }; assert { [@expl:type invariant] inv4 self }; assume { resolve2 self }; - [#"../06_map_precond.rs" 70 16 70 52] _17 <- ([#"../06_map_precond.rs" 70 16 70 52] Ghost.new ()); + [#"../06_map_precond.rs" 70 16 70 58] _17 <- ([#"../06_map_precond.rs" 70 16 70 58] Snapshot.new ()); goto BB10 } BB10 { 
@@ -1658,8 +1664,8 @@ module C06MapPrecond_Impl0_Next goto BB15 } BB14 { - [#"../06_map_precond.rs" 74 16 74 50] self <- { self with current = (let C06MapPrecond_Map_Type.C_Map x0 x1 x2 = * self in C06MapPrecond_Map_Type.C_Map x0 x1 ([#"../06_map_precond.rs" 74 16 74 50] _20)) ; }; - [#"../06_map_precond.rs" 74 16 74 50] _20 <- any Ghost.ghost_ty (Seq.seq item0); + [#"../06_map_precond.rs" 74 16 74 56] self <- { self with current = (let C06MapPrecond_Map_Type.C_Map x0 x1 x2 = * self in C06MapPrecond_Map_Type.C_Map x0 x1 ([#"../06_map_precond.rs" 74 16 74 56] _20)) ; }; + [#"../06_map_precond.rs" 74 16 74 56] _20 <- any Snapshot.snap_ty (Seq.seq item0); assert { [@expl:type invariant] inv3 (C06MapPrecond_Map_Type.map_produced ( * self)) }; assume { resolve1 (C06MapPrecond_Map_Type.map_produced ( * self)) }; assert { [@expl:type invariant] inv4 self }; 
@@ -1681,40 +1687,40 @@ module C06MapPrecond_Map type f type item0 use seq.Seq - use prelude.Ghost - predicate invariant9 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) - val invariant9 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + use prelude.Snapshot + predicate invariant9 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) + val invariant9 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = invariant9 self } - predicate inv9 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) - val inv9 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate inv9 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) + val inv9 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = inv9 _x } - axiom inv9 : forall x : (item0, Ghost.ghost_ty (Seq.seq item0)) . inv9 x = true - predicate invariant8 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant8 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + axiom inv9 : forall x : (item0, Snapshot.snap_ty (Seq.seq item0)) . inv9 x = true + predicate invariant8 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant8 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant8 self } - predicate inv8 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv8 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate inv8 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv8 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv8 _x } - axiom inv8 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv8 x = true + axiom inv8 : forall x : Snapshot.snap_ty (Seq.seq item0) . 
inv8 x = true predicate resolve0 (self : f) val resolve0 (self : f) : bool ensures { result = resolve0 self } use prelude.Borrow - predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_mut0 self _2 _3 } predicate inv6 (_x : borrowed f) val inv6 (_x : borrowed f) : bool ensures { result = inv6 _x } - predicate postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_once0 self _2 _3 } predicate inv5 (_x : b) 
@@ -1725,14 +1731,14 @@ module C06MapPrecond_Map val inv2 (_x : f) : bool ensures { result = inv2 _x } - function fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + val fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv9 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv5 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv9 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv5 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv9 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv5 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . 
inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -1753,15 +1759,16 @@ module C06MapPrecond_Map ensures { result = unnest_refl0 self } axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) - function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + + val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv9 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv5 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv9 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv5 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv9 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv5 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant7 (self : Seq.seq item0) val invariant7 (self : Seq.seq item0) : bool ensures { result = invariant7 self } @@ -1794,11 +1801,11 @@ module C06MapPrecond_Map val inv0 (_x : i) : bool ensures { result = inv0 _x } - predicate precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) - val precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) + val precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = precondition0 self _2 } - use prelude.Ghost + use prelude.Snapshot predicate produces0 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) val produces0 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) : bool ensures { result = produces0 self visited o } 
@@ -1809,20 +1816,20 @@ module C06MapPrecond_Map ensures { result = inv1 _x } predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv0 i -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv0 i -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } use seq.Seq use seq.Seq predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv5 b -> inv6 f -> inv1 e2 -> inv1 e1 -> inv7 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv0 i -> inv5 b -> inv6 f -> inv1 e2 -> inv1 e1 -> inv7 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } use seq.Seq predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv5 b -> inv6 f -> inv1 e2 -> inv1 e1 -> inv7 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv5 b -> inv6 f -> inv1 e2 -> inv1 e1 -> inv7 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv0 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv2 func} 
@@ -1830,7 +1837,7 @@ module C06MapPrecond_Map ensures { result = preservation_inv0 iter func produced } axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv0 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv2 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv7 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) - use prelude.Ghost + use prelude.Snapshot predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed0 self } @@ -1842,7 +1849,7 @@ module C06MapPrecond_Map use C06MapPrecond_Map_Type as C06MapPrecond_Map_Type predicate invariant3 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) + [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) val invariant3 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = invariant3 self } 
@@ -1888,19 +1895,19 @@ module C06MapPrecond_Map axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) let rec cfg map [#"../06_map_precond.rs" 170 0 173 17] [@cfg:stackify] [@cfg:subregion_analysis] (iter : i) (func : f) : C06MapPrecond_Map_Type.t_map i b f item0 - requires {[#"../06_map_precond.rs" 166 0 166 128] forall i2 : i . forall e : item0 . inv0 i2 -> inv1 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e, Ghost.new (Seq.empty ))} + requires {[#"../06_map_precond.rs" 166 0 166 131] forall i2 : i . forall e : item0 . inv0 i2 -> inv1 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} requires {[#"../06_map_precond.rs" 167 11 167 41] reinitialize0 ()} requires {[#"../06_map_precond.rs" 168 11 168 51] preservation0 iter func} requires {[#"../06_map_precond.rs" 171 4 171 8] inv0 iter} requires {[#"../06_map_precond.rs" 172 4 172 8] inv2 func} - ensures { [#"../06_map_precond.rs" 169 10 169 72] result = C06MapPrecond_Map_Type.C_Map iter func (Ghost.new (Seq.empty )) } + ensures { [#"../06_map_precond.rs" 169 10 169 75] result = C06MapPrecond_Map_Type.C_Map iter func (Snapshot.new (Seq.empty )) } ensures { [#"../06_map_precond.rs" 173 5 173 17] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : C06MapPrecond_Map_Type.t_map i b f item0; var iter : i = iter; var func : f = func; - var _9 : Ghost.ghost_ty (Seq.seq item0); + var _9 : Snapshot.snap_ty (Seq.seq item0); { goto BB0 } 
@@ -1914,14 +1921,14 @@ module C06MapPrecond_Map goto BB3 } BB3 { - [#"../06_map_precond.rs" 174 32 174 48] _9 <- ([#"../06_map_precond.rs" 174 32 174 48] Ghost.new (Seq.empty )); + [#"../06_map_precond.rs" 174 32 174 54] _9 <- ([#"../06_map_precond.rs" 174 32 174 54] Snapshot.new (Seq.empty )); goto BB4 } BB4 { - [#"../06_map_precond.rs" 174 4 174 50] _0 <- ([#"../06_map_precond.rs" 174 4 174 50] C06MapPrecond_Map_Type.C_Map ([#"../06_map_precond.rs" 174 10 174 14] iter) ([#"../06_map_precond.rs" 174 16 174 20] func) _9); + [#"../06_map_precond.rs" 174 4 174 56] _0 <- ([#"../06_map_precond.rs" 174 4 174 56] C06MapPrecond_Map_Type.C_Map ([#"../06_map_precond.rs" 174 10 174 14] iter) ([#"../06_map_precond.rs" 174 16 174 20] func) _9); [#"../06_map_precond.rs" 174 10 174 14] iter <- any i; [#"../06_map_precond.rs" 174 16 174 20] func <- any f; - _9 <- any Ghost.ghost_ty (Seq.seq item0); + _9 <- any Snapshot.snap_ty (Seq.seq item0); goto BB5 } BB5 { @@ -1942,7 +1949,7 @@ module C06MapPrecond_Identity_Closure0_Type use seq.Seq use seq.Seq use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.Int16 type c06mapprecond_identity_closure0 'i = | C06MapPrecond_Identity_Closure0 
@@ -1979,16 +1986,16 @@ module C06MapPrecond_Identity_Closure0 ensures { result = inv1 _x } axiom inv1 : forall x : item0 . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant0 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant0 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv0 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate inv0 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv0 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (Seq.seq item0) . inv0 x = true use seq.Seq predicate produces0 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) val produces0 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) : bool 
@@ -2026,11 +2033,11 @@ module C06MapPrecond_Identity_Closure0 val resolve1 (self : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i)) : bool ensures { result = resolve1 self } - predicate resolve0 (self : Ghost.ghost_ty (Seq.seq item0)) - val resolve0 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate resolve0 (self : Snapshot.snap_ty (Seq.seq item0)) + val resolve0 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = resolve0 self } - let rec cfg c06MapPrecond_Identity_Closure0 [#"../06_map_precond.rs" 178 14 178 20] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i)) (x : item0) (_3 : Ghost.ghost_ty (Seq.seq item0)) : item0 + let rec cfg c06MapPrecond_Identity_Closure0 [#"../06_map_precond.rs" 178 14 178 20] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i)) (x : item0) (_3 : Snapshot.snap_ty (Seq.seq item0)) : item0 requires {[#"../06_map_precond.rs" 178 15 178 16] inv1 x} requires {inv0 _3} ensures { unnest0 ( * _1) ( ^ _1) } @@ -2040,7 +2047,7 @@ module C06MapPrecond_Identity_Closure0 var _0 : item0; var _1 : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) = _1; var x : item0 = x; - var _3 : Ghost.ghost_ty (Seq.seq item0) = _3; + var _3 : Snapshot.snap_ty (Seq.seq item0) = _3; { goto BB0 } 
@@ -2061,16 +2068,16 @@ module C06MapPrecond_Identity type i type item0 use seq.Seq - use prelude.Ghost - predicate invariant7 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant7 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + use prelude.Snapshot + predicate invariant7 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant7 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant7 self } - predicate inv7 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv7 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate inv7 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv7 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv7 _x } - axiom inv7 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv7 x = true + axiom inv7 : forall x : Snapshot.snap_ty (Seq.seq item0) . inv7 x = true predicate invariant6 (self : Seq.seq item0) val invariant6 (self : Seq.seq item0) : bool ensures { result = invariant6 self } 
@@ -2153,16 +2160,16 @@ module C06MapPrecond_Identity ensures { result = produces_refl0 self } axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv1 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) - predicate precondition0 [#"../06_map_precond.rs" 178 14 178 20] (self : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) + predicate precondition0 [#"../06_map_precond.rs" 178 14 178 20] (self : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) = let (x, _3) = args in true - use prelude.Ghost + use prelude.Snapshot use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv1 i -> inv2 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv1 i -> inv2 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } 
@@ -2170,7 +2177,7 @@ module C06MapPrecond_Identity = true - predicate postcondition_mut0 [#"../06_map_precond.rs" 178 14 178 20] (self : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i)) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (result : item0) + predicate postcondition_mut0 [#"../06_map_precond.rs" 178 14 178 20] (self : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i)) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (result : item0) = (let (x, _3) = args in true) /\ unnest0 ( * self) ( ^ self) 
@@ -2178,14 +2185,14 @@ module C06MapPrecond_Identity predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : item0 . forall f : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv1 i -> inv2 b -> inv5 f -> inv2 e2 -> inv2 e1 -> inv6 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : item0 . forall f : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv1 i -> inv2 b -> inv5 f -> inv2 e2 -> inv2 e1 -> inv6 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) : bool ensures { result = preservation0 iter func } predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : item0 . forall f : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv1 i -> inv2 b -> inv5 f -> inv2 e2 -> inv2 e1 -> inv6 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : item0 . forall f : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv1 i -> inv2 b -> inv5 f -> inv2 e2 -> inv2 e1 -> inv6 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv1 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv3 func} @@ -2193,7 +2200,7 @@ module C06MapPrecond_Identity ensures { result = preservation_inv0 iter func produced } axiom preservation_inv0_spec : forall iter : i, func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv1 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv3 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv6 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) - use prelude.Ghost + use prelude.Snapshot predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed0 self } 
@@ -2207,7 +2214,7 @@ module C06MapPrecond_Identity predicate invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i item0 (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) item0) = - [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) + [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) val invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i item0 (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) item0) : bool ensures { result = invariant0 self } 
@@ -2225,12 +2232,12 @@ module C06MapPrecond_Identity ensures { result = resolve0 self } val map0 [#"../06_map_precond.rs" 170 0 173 17] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) : C06MapPrecond_Map_Type.t_map i item0 (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) item0 - requires {[#"../06_map_precond.rs" 166 0 166 128] forall i2 : i . forall e : item0 . inv1 i2 -> inv2 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e, Ghost.new (Seq.empty ))} + requires {[#"../06_map_precond.rs" 166 0 166 131] forall i2 : i . forall e : item0 . inv1 i2 -> inv2 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} requires {[#"../06_map_precond.rs" 167 11 167 41] reinitialize0 ()} requires {[#"../06_map_precond.rs" 168 11 168 51] preservation0 iter func} requires {[#"../06_map_precond.rs" 171 4 171 8] inv1 iter} requires {[#"../06_map_precond.rs" 172 4 172 8] inv3 func} - ensures { [#"../06_map_precond.rs" 169 10 169 72] result = C06MapPrecond_Map_Type.C_Map iter func (Ghost.new (Seq.empty )) } + ensures { [#"../06_map_precond.rs" 169 10 169 75] result = C06MapPrecond_Map_Type.C_Map iter func (Snapshot.new (Seq.empty )) } ensures { [#"../06_map_precond.rs" 173 5 173 17] inv0 result } let rec cfg identity [#"../06_map_precond.rs" 177 0 177 37] [@cfg:stackify] [@cfg:subregion_analysis] (iter : i) : () @@ -2265,7 +2272,7 @@ end module C06MapPrecond_Increment_Closure2_Type use prelude.UInt32 use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.Int16 type c06mapprecond_increment_closure2 'u = | C06MapPrecond_Increment_Closure2 
@@ -2276,7 +2283,7 @@ module C06MapPrecond_Increment_Closure2 use prelude.Int16 use prelude.UInt32 use seq.Seq - use prelude.Ghost + use prelude.Snapshot use C06MapPrecond_Increment_Closure2_Type as C06MapPrecond_Increment_Closure2 predicate unnest0 [#"../06_map_precond.rs" 189 8 189 35] (self : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) (_2 : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) @@ -2290,7 +2297,7 @@ module C06MapPrecond_Increment_Closure2 val resolve0 (self : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u)) : bool ensures { result = resolve0 self } - let rec cfg c06MapPrecond_Increment_Closure2 [#"../06_map_precond.rs" 189 8 189 35] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u)) (x : uint32) (_3 : Ghost.ghost_ty (Seq.seq uint32)) : uint32 + let rec cfg c06MapPrecond_Increment_Closure2 [#"../06_map_precond.rs" 189 8 189 35] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u)) (x : uint32) (_3 : Snapshot.snap_ty (Seq.seq uint32)) : uint32 requires {[#"../06_map_precond.rs" 188 19 188 27] UInt32.to_int x <= 15} ensures { [#"../06_map_precond.rs" 189 18 189 33] UInt32.to_int result = UInt32.to_int x + 1 } ensures { unnest0 ( * _1) ( ^ _1) } 
@@ -2317,17 +2324,17 @@ module C06MapPrecond_Increment type u use prelude.UInt32 use seq.Seq - use prelude.Ghost - predicate invariant8 (self : Ghost.ghost_ty (Seq.seq uint32)) = + use prelude.Snapshot + predicate invariant8 (self : Snapshot.snap_ty (Seq.seq uint32)) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true - val invariant8 (self : Ghost.ghost_ty (Seq.seq uint32)) : bool + val invariant8 (self : Snapshot.snap_ty (Seq.seq uint32)) : bool ensures { result = invariant8 self } - predicate inv8 (_x : Ghost.ghost_ty (Seq.seq uint32)) - val inv8 (_x : Ghost.ghost_ty (Seq.seq uint32)) : bool + predicate inv8 (_x : Snapshot.snap_ty (Seq.seq uint32)) + val inv8 (_x : Snapshot.snap_ty (Seq.seq uint32)) : bool ensures { result = inv8 _x } - axiom inv8 : forall x : Ghost.ghost_ty (Seq.seq uint32) . inv8 x = true + axiom inv8 : forall x : Snapshot.snap_ty (Seq.seq uint32) . inv8 x = true use prelude.Int16 use C06MapPrecond_Increment_Closure2_Type as C06MapPrecond_Increment_Closure2 use prelude.Borrow 
@@ -2437,30 +2444,30 @@ module C06MapPrecond_Increment true use prelude.UInt32 use prelude.Int - predicate postcondition_mut0 [#"../06_map_precond.rs" 189 8 189 35] (self : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u)) (args : (uint32, Ghost.ghost_ty (Seq.seq uint32))) (result : uint32) + predicate postcondition_mut0 [#"../06_map_precond.rs" 189 8 189 35] (self : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u)) (args : (uint32, Snapshot.snap_ty (Seq.seq uint32))) (result : uint32) = (let (x, _3) = args in UInt32.to_int result = UInt32.to_int x + 1) /\ unnest0 ( * self) ( ^ self) - predicate precondition0 [#"../06_map_precond.rs" 189 8 189 35] (self : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) (args : (uint32, Ghost.ghost_ty (Seq.seq uint32))) + predicate precondition0 [#"../06_map_precond.rs" 189 8 189 35] (self : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) (args : (uint32, Snapshot.snap_ty (Seq.seq uint32))) = [#"../06_map_precond.rs" 188 19 188 27] let (x, _3) = args in UInt32.to_int x <= 15 - use prelude.Ghost + use prelude.Snapshot use seq_ext.SeqExt use seq.Seq use seq.Seq use seq.Seq - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot use seq.Seq predicate produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32) (visited : Seq.seq uint32) (succ : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32) = - [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq uint32 . 
inv5 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Ghost.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u)) . inv6 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq uint32 . inv5 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u)) . inv6 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C06MapPrecond_Map_Type.map_func self = C06MapPrecond_Map_Type.map_func succ else * Seq.get fs 0 = C06MapPrecond_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C06MapPrecond_Map_Type.map_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32) (visited : Seq.seq uint32) (succ : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32) : bool ensures { result = produces0 self visited succ } @@ -2492,7 +2499,7 @@ module C06MapPrecond_Increment predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) (produced : Seq.seq uint32) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : u . forall e : uint32 . inv2 i -> inv3 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : u . forall e : uint32 . inv2 i -> inv3 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) (produced : Seq.seq uint32) : bool ensures { result = next_precondition0 iter func produced } 
@@ -2500,14 +2507,14 @@ module C06MapPrecond_Increment predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : u . forall b : uint32 . forall f : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i -> inv3 b -> inv7 f -> inv3 e2 -> inv3 e1 -> inv5 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : u . forall b : uint32 . forall f : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i -> inv3 b -> inv7 f -> inv3 e2 -> inv3 e1 -> inv5 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) : bool ensures { result = preservation0 iter func } predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) (produced : Seq.seq uint32) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : u . forall b : uint32 . forall f : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . 
inv2 i -> inv3 b -> inv7 f -> inv3 e2 -> inv3 e1 -> inv5 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : u . forall b : uint32 . forall f : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i -> inv3 b -> inv7 f -> inv3 e2 -> inv3 e1 -> inv5 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) (produced : Seq.seq uint32) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv2 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv4 func} 
@@ -2527,7 +2534,7 @@ module C06MapPrecond_Increment predicate invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32) = - [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) + [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) val invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32) : bool ensures { result = invariant0 self } 
@@ -2540,12 +2547,12 @@ module C06MapPrecond_Increment ensures { result = resolve0 self } val map0 [#"../06_map_precond.rs" 170 0 173 17] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32 - requires {[#"../06_map_precond.rs" 166 0 166 128] forall i2 : u . forall e : uint32 . inv2 i2 -> inv3 e -> produces1 iter (Seq.singleton e) i2 -> precondition0 func (e, Ghost.new (Seq.empty ))} + requires {[#"../06_map_precond.rs" 166 0 166 131] forall i2 : u . forall e : uint32 . inv2 i2 -> inv3 e -> produces1 iter (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} requires {[#"../06_map_precond.rs" 167 11 167 41] reinitialize0 ()} requires {[#"../06_map_precond.rs" 168 11 168 51] preservation0 iter func} requires {[#"../06_map_precond.rs" 171 4 171 8] inv2 iter} requires {[#"../06_map_precond.rs" 172 4 172 8] inv4 func} - ensures { [#"../06_map_precond.rs" 169 10 169 72] result = C06MapPrecond_Map_Type.C_Map iter func (Ghost.new (Seq.empty )) } + ensures { [#"../06_map_precond.rs" 169 10 169 75] result = C06MapPrecond_Map_Type.C_Map iter func (Snapshot.new (Seq.empty )) } ensures { [#"../06_map_precond.rs" 173 5 173 17] inv0 result } let rec cfg increment [#"../06_map_precond.rs" 185 0 185 50] [@cfg:stackify] [@cfg:subregion_analysis] (iter : u) : () @@ -2589,7 +2596,7 @@ end module C06MapPrecond_Counter_Closure2_Type use prelude.UInt32 use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.Int16 use prelude.UIntSize use prelude.Int @@ -2603,7 +2610,7 @@ module C06MapPrecond_Counter_Closure2 use prelude.Int16 use prelude.UInt32 use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.Int use prelude.UIntSize use prelude.Borrow 
@@ -2622,15 +2629,15 @@ module C06MapPrecond_Counter_Closure2 let constant max0 : usize = [@vc:do_not_keep_trace] [@vc:sp] (18446744073709551615 : usize) use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.UIntSize predicate resolve0 (self : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i)) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i)) : bool ensures { result = resolve0 self } - let rec cfg c06MapPrecond_Counter_Closure2 [#"../06_map_precond.rs" 206 8 206 41] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i)) (x : uint32) (_prod : Ghost.ghost_ty (Seq.seq uint32)) : uint32 - requires {[#"../06_map_precond.rs" 205 19 205 61] UIntSize.to_int ( * field_00 ( * _1)) = Seq.length (Ghost.inner _prod) /\ * field_00 ( * _1) < max0} + let rec cfg c06MapPrecond_Counter_Closure2 [#"../06_map_precond.rs" 206 8 206 41] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i)) (x : uint32) (_prod : Snapshot.snap_ty (Seq.seq uint32)) : uint32 + requires {[#"../06_map_precond.rs" 205 19 205 61] UIntSize.to_int ( * field_00 ( * _1)) = Seq.length (Snapshot.inner _prod) /\ * field_00 ( * _1) < max0} ensures { [#"../06_map_precond.rs" 206 18 206 39] UIntSize.to_int ( * field_00 ( ^ _1)) = UIntSize.to_int ( * field_00 ( * _1)) + 1 } ensures { unnest0 ( * _1) ( ^ _1) } 
@@ -2657,17 +2664,17 @@ module C06MapPrecond_Counter type i use prelude.UInt32 use seq.Seq - use prelude.Ghost - predicate invariant7 (self : Ghost.ghost_ty (Seq.seq uint32)) = + use prelude.Snapshot + predicate invariant7 (self : Snapshot.snap_ty (Seq.seq uint32)) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true - val invariant7 (self : Ghost.ghost_ty (Seq.seq uint32)) : bool + val invariant7 (self : Snapshot.snap_ty (Seq.seq uint32)) : bool ensures { result = invariant7 self } - predicate inv7 (_x : Ghost.ghost_ty (Seq.seq uint32)) - val inv7 (_x : Ghost.ghost_ty (Seq.seq uint32)) : bool + predicate inv7 (_x : Snapshot.snap_ty (Seq.seq uint32)) + val inv7 (_x : Snapshot.snap_ty (Seq.seq uint32)) : bool ensures { result = inv7 _x } - axiom inv7 : forall x : Ghost.ghost_ty (Seq.seq uint32) . inv7 x = true + axiom inv7 : forall x : Snapshot.snap_ty (Seq.seq uint32) . inv7 x = true predicate invariant6 (self : Seq.seq uint32) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant6 (self : Seq.seq uint32) : bool @@ -2759,7 +2766,7 @@ module C06MapPrecond_Counter let constant max0 : usize = [@vc:do_not_keep_trace] [@vc:sp] (18446744073709551615 : usize) use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.UIntSize function field_00 [#"../06_map_precond.rs" 206 8 206 41] (self : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) : borrowed usize 
@@ -2768,16 +2775,16 @@ module C06MapPrecond_Counter val field_00 [#"../06_map_precond.rs" 206 8 206 41] (self : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) : borrowed usize ensures { result = field_00 self } - predicate precondition0 [#"../06_map_precond.rs" 206 8 206 41] (self : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) (args : (uint32, Ghost.ghost_ty (Seq.seq uint32))) + predicate precondition0 [#"../06_map_precond.rs" 206 8 206 41] (self : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) (args : (uint32, Snapshot.snap_ty (Seq.seq uint32))) = - [#"../06_map_precond.rs" 205 19 205 61] let (x, _prod) = args in UIntSize.to_int ( * field_00 self) = Seq.length (Ghost.inner _prod) /\ * field_00 self < max0 - use prelude.Ghost + [#"../06_map_precond.rs" 205 19 205 61] let (x, _prod) = args in UIntSize.to_int ( * field_00 self) = Seq.length (Snapshot.inner _prod) /\ * field_00 self < max0 + use prelude.Snapshot use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) (produced : Seq.seq uint32) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : uint32 . inv2 i -> inv3 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : uint32 . inv2 i -> inv3 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) (produced : Seq.seq uint32) : bool ensures { result = next_precondition0 iter func produced } 
@@ -2785,7 +2792,7 @@ module C06MapPrecond_Counter = ^ field_00 _2 = ^ field_00 self - predicate postcondition_mut0 [#"../06_map_precond.rs" 206 8 206 41] (self : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i)) (args : (uint32, Ghost.ghost_ty (Seq.seq uint32))) (result : uint32) + predicate postcondition_mut0 [#"../06_map_precond.rs" 206 8 206 41] (self : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i)) (args : (uint32, Snapshot.snap_ty (Seq.seq uint32))) (result : uint32) = (let (x, _prod) = args in UIntSize.to_int ( * field_00 ( ^ self)) = UIntSize.to_int ( * field_00 ( * self)) + 1) /\ unnest0 ( * self) ( ^ self) 
@@ -2793,14 +2800,14 @@ module C06MapPrecond_Counter predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : uint32 . forall f : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i -> inv3 b -> inv5 f -> inv3 e2 -> inv3 e1 -> inv6 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : uint32 . forall f : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i -> inv3 b -> inv5 f -> inv3 e2 -> inv3 e1 -> inv6 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) : bool ensures { result = preservation0 iter func } predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) (produced : Seq.seq uint32) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : uint32 . forall f : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . 
inv2 i -> inv3 b -> inv5 f -> inv3 e2 -> inv3 e1 -> inv6 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : uint32 . forall f : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i -> inv3 b -> inv5 f -> inv3 e2 -> inv3 e1 -> inv6 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) (produced : Seq.seq uint32) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv2 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv4 func} 
@@ -2821,7 +2828,7 @@ module C06MapPrecond_Counter predicate invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i uint32 (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) uint32) = - [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) + [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) val invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i uint32 (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) uint32) : bool ensures { result = invariant0 self } 
@@ -2839,12 +2846,12 @@ module C06MapPrecond_Counter ensures { result = resolve0 self } val map0 [#"../06_map_precond.rs" 170 0 173 17] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) : C06MapPrecond_Map_Type.t_map i uint32 (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) uint32 - requires {[#"../06_map_precond.rs" 166 0 166 128] forall i2 : i . forall e : uint32 . inv2 i2 -> inv3 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e, Ghost.new (Seq.empty ))} + requires {[#"../06_map_precond.rs" 166 0 166 131] forall i2 : i . forall e : uint32 . inv2 i2 -> inv3 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} requires {[#"../06_map_precond.rs" 167 11 167 41] reinitialize0 ()} requires {[#"../06_map_precond.rs" 168 11 168 51] preservation0 iter func} requires {[#"../06_map_precond.rs" 171 4 171 8] inv2 iter} requires {[#"../06_map_precond.rs" 172 4 172 8] inv4 func} - ensures { [#"../06_map_precond.rs" 169 10 169 72] result = C06MapPrecond_Map_Type.C_Map iter func (Ghost.new (Seq.empty )) } + ensures { [#"../06_map_precond.rs" 169 10 169 75] result = C06MapPrecond_Map_Type.C_Map iter func (Snapshot.new (Seq.empty )) } ensures { [#"../06_map_precond.rs" 173 5 173 17] inv0 result } let rec cfg counter [#"../06_map_precond.rs" 201 0 201 48] [@cfg:stackify] [@cfg:subregion_analysis] (iter : i) : () 
@@ -2903,16 +2910,16 @@ module C06MapPrecond_Impl0 axiom inv12 : forall x : borrowed i . inv12 x = true type item0 use seq.Seq - use prelude.Ghost - predicate invariant11 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant11 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + use prelude.Snapshot + predicate invariant11 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant11 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant11 self } - predicate inv11 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv11 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate inv11 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv11 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv11 _x } - axiom inv11 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv11 x = true + axiom inv11 : forall x : Snapshot.snap_ty (Seq.seq item0) . inv11 x = true predicate invariant10 (self : f) val invariant10 (self : f) : bool ensures { result = invariant10 self } 
@@ -2985,23 +2992,23 @@ module C06MapPrecond_Impl0 ensures { result = inv3 _x } axiom inv3 : forall x : Seq.seq b . inv3 x = true - predicate precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) - val precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) + val precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = precondition0 self _2 } - use prelude.Ghost + use prelude.Snapshot predicate produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) val produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) : bool ensures { result = produces1 self visited o } use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv9 i -> inv6 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv9 i -> inv6 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } - predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_mut0 self _2 _3 } use seq.Seq 
@@ -3011,13 +3018,13 @@ module C06MapPrecond_Impl0 ensures { result = unnest0 self _2 } predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv9 i -> inv4 b -> inv5 f -> inv6 e2 -> inv6 e1 -> inv7 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv9 i -> inv4 b -> inv5 f -> inv6 e2 -> inv6 e1 -> inv7 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } use seq.Seq predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv9 i -> inv4 b -> inv5 f -> inv6 e2 -> inv6 e1 -> inv7 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv9 i -> inv4 b -> inv5 f -> inv6 e2 -> inv6 e1 -> inv7 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv9 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv10 func} @@ -3025,7 +3032,7 @@ module C06MapPrecond_Impl0 ensures { result = preservation_inv0 iter func produced } axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv9 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv10 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv7 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) - use prelude.Ghost + use prelude.Snapshot predicate completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed1 self } 
@@ -3037,7 +3044,7 @@ module C06MapPrecond_Impl0 use C06MapPrecond_Map_Type as C06MapPrecond_Map_Type predicate invariant2 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) + [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) val invariant2 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = invariant2 self } 
@@ -3076,17 +3083,17 @@ module C06MapPrecond_Impl0 use seq.Seq use prelude.Int use seq.Seq - use prelude.Ghost + use prelude.Snapshot use seq.Seq use seq.Seq predicate produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv7 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Ghost.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv8 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv7 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv8 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C06MapPrecond_Map_Type.map_func self = C06MapPrecond_Map_Type.map_func succ else * Seq.get fs 0 = C06MapPrecond_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C06MapPrecond_Map_Type.map_func succ - ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = produces0 self visited succ } 
@@ -3094,7 +3101,7 @@ module C06MapPrecond_Impl0 predicate produces_one0 [#"../06_map_precond.rs" 142 4 142 57] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 143 8 149 9] exists f : borrowed f . inv5 f /\ * f = C06MapPrecond_Map_Type.map_func self /\ ^ f = C06MapPrecond_Map_Type.map_func succ /\ (exists e : item0 . inv6 e /\ produces1 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) (C06MapPrecond_Map_Type.map_iter succ) /\ Ghost.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.snoc (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) e /\ precondition0 ( * f) (e, C06MapPrecond_Map_Type.map_produced self) /\ postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) visited) + [#"../06_map_precond.rs" 143 8 149 9] exists f : borrowed f . inv5 f /\ * f = C06MapPrecond_Map_Type.map_func self /\ ^ f = C06MapPrecond_Map_Type.map_func succ /\ (exists e : item0 . inv6 e /\ produces1 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e /\ precondition0 ( * f) (e, C06MapPrecond_Map_Type.map_produced self) /\ postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) visited) val produces_one0 [#"../06_map_precond.rs" 142 4 142 57] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) : bool requires {[#"../06_map_precond.rs" 142 20 142 24] inv2 self} requires {[#"../06_map_precond.rs" 142 26 142 33] inv4 visited} 
@@ -3104,7 +3111,7 @@ module C06MapPrecond_Impl0 axiom produces_one0_spec : forall self : C06MapPrecond_Map_Type.t_map i b f item0, visited : b, succ : C06MapPrecond_Map_Type.t_map i b f item0 . ([#"../06_map_precond.rs" 142 20 142 24] inv2 self) -> ([#"../06_map_precond.rs" 142 26 142 33] inv4 visited) -> ([#"../06_map_precond.rs" 142 38 142 42] inv2 succ) -> ([#"../06_map_precond.rs" 141 14 141 68] produces_one0 self visited succ = produces0 self (Seq.singleton visited) succ) predicate completed0 [#"../06_map_precond.rs" 21 4 21 35] (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) = - [#"../06_map_precond.rs" 22 8 25 9] Ghost.inner (C06MapPrecond_Map_Type.map_produced ( ^ self)) = Seq.empty /\ completed1 (Borrow.borrow_logic (C06MapPrecond_Map_Type.map_iter ( * self)) (C06MapPrecond_Map_Type.map_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ C06MapPrecond_Map_Type.map_func ( * self) = C06MapPrecond_Map_Type.map_func ( ^ self) + [#"../06_map_precond.rs" 22 8 25 9] Snapshot.inner (C06MapPrecond_Map_Type.map_produced ( ^ self)) = Seq.empty /\ completed1 (Borrow.borrow_logic (C06MapPrecond_Map_Type.map_iter ( * self)) (C06MapPrecond_Map_Type.map_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ C06MapPrecond_Map_Type.map_func ( * self) = C06MapPrecond_Map_Type.map_func ( ^ self) val completed0 [#"../06_map_precond.rs" 21 4 21 35] (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) : bool ensures { result = completed0 self } diff --git a/creusot/tests/should_succeed/iterators/06_map_precond.rs b/creusot/tests/should_succeed/iterators/06_map_precond.rs index edf08f99a5..c2fccaec51 100644 --- a/creusot/tests/should_succeed/iterators/06_map_precond.rs +++ b/creusot/tests/should_succeed/iterators/06_map_precond.rs 
@@ -7,17 +7,17 @@ mod common; use common::Iterator; // FIXME: make it Map again -pub struct Map>) -> B> { +pub struct Map>) -> B> { iter: I, func: F, - produced: Ghost>, + produced: Snapshot>, } -impl>) -> B> Iterator for Map { +impl>) -> B> Iterator for Map { type Item = B; #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { *(^self).produced == Seq::EMPTY && @@ -38,7 +38,7 @@ impl>) -> B> Iterator for M fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) {} #[open] - #[predicate] + #[predicate(prophetic)] #[why3::attr = "inline:trivial"] fn produces(self, visited: Seq, succ: Self) -> bool { pearlite! { @@ -51,8 +51,8 @@ impl>) -> B> Iterator for M else { *fs[0] == self.func && ^fs[visited.len() - 1] == succ.func } && forall 0 <= i && i < visited.len() ==> self.func.unnest(*fs[i]) - && (*fs[i]).precondition((s[i], Ghost::new(self.produced.concat(s.subsequence(0, i))))) - && fs[i].postcondition_mut((s[i], Ghost::new(self.produced.concat(s.subsequence(0, i)))), visited[i]) + && (*fs[i]).precondition((s[i], Snapshot::new(self.produced.concat(s.subsequence(0, i))))) + && fs[i].postcondition_mut((s[i], Snapshot::new(self.produced.concat(s.subsequence(0, i)))), visited[i]) } } 
@@ -64,56 +64,56 @@ impl>) -> B> Iterator for M match self.iter.next() { Some(v) => { proof_assert! { self.func.precondition((v, self.produced)) }; - let produced = gh! { self.produced.push(v) }; + let produced = snapshot! { self.produced.push(v) }; let r = (self.func)(v, self.produced); self.produced = produced; - gh! { Self::produces_one_invariant }; + snapshot! { Self::produces_one_invariant }; Some(r) } None => { - self.produced = gh! { Seq::EMPTY }; + self.produced = snapshot! { Seq::EMPTY }; None } } } } -impl>) -> B> Map { - #[predicate] +impl>) -> B> Map { + #[predicate(prophetic)] fn next_precondition(iter: I, func: F, produced: Seq) -> bool { pearlite! { forall iter.produces(Seq::singleton(e), i) ==> - func.precondition((e, Ghost::new(produced))) + func.precondition((e, Snapshot::new(produced))) } } - #[predicate] + #[predicate(prophetic)] #[ensures(produced == Seq::EMPTY ==> result == Self::preservation(iter, func))] fn preservation_inv(iter: I, func: F, produced: Seq) -> bool { pearlite! { forall, e1: I::Item, e2: I::Item, f: &mut F, b: B, i: I> func.unnest(*f) ==> iter.produces(s.push(e1).push(e2), i) ==> - (*f).precondition((e1, Ghost::new(produced.concat(s)))) ==> - f.postcondition_mut((e1, Ghost::new(produced.concat(s))), b) ==> - (^f).precondition((e2, Ghost::new(produced.concat(s).push(e1)))) + (*f).precondition((e1, Snapshot::new(produced.concat(s)))) ==> + f.postcondition_mut((e1, Snapshot::new(produced.concat(s))), b) ==> + (^f).precondition((e2, Snapshot::new(produced.concat(s).push(e1)))) } } - #[predicate] + #[predicate(prophetic)] fn preservation(iter: I, func: F) -> bool { pearlite! 
{ forall, e1: I::Item, e2: I::Item, f: &mut F, b: B, i: I> func.unnest(*f) ==> iter.produces(s.push(e1).push(e2), i) ==> - (*f).precondition((e1, Ghost::new(s))) ==> - f.postcondition_mut((e1, Ghost::new(s)), b) ==> - (^f).precondition((e2, Ghost::new(s.push(e1)))) + (*f).precondition((e1, Snapshot::new(s))) ==> + f.postcondition_mut((e1, Snapshot::new(s)), b) ==> + (^f).precondition((e2, Snapshot::new(s.push(e1)))) } } - #[predicate] + #[predicate(prophetic)] fn reinitialize() -> bool { pearlite! { forall @@ -123,7 +123,7 @@ impl>) -> B> Map { } } - #[ghost] + #[logic] #[requires(self.iter.produces(Seq::singleton(e), iter))] #[requires(*f == self.func)] #[requires(f.postcondition_mut((e, self.produced), r) )] @@ -137,7 +137,7 @@ impl>) -> B> Map { } } - #[predicate] + #[predicate(prophetic)] #[ensures(result == self.produces(Seq::singleton(visited), succ))] fn produces_one(self, visited: B, succ: Self) -> bool { pearlite! { @@ -150,9 +150,9 @@ impl>) -> B> Map { } } -impl>) -> B> Invariant for Map { +impl>) -> B> Invariant for Map { // Should not quantify over self or the `invariant` cannot be made into a type invariant - #[predicate] + #[predicate(prophetic)] #[open(self)] fn invariant(self) -> bool { pearlite! { @@ -163,15 +163,15 @@ impl>) -> B> Invariant for } } -#[requires(forall iter.produces(Seq::singleton(e), i2) ==> func.precondition((e, Ghost::new(Seq::EMPTY))))] +#[requires(forall iter.produces(Seq::singleton(e), i2) ==> func.precondition((e, Snapshot::new(Seq::EMPTY))))] #[requires(Map::::reinitialize())] #[requires(Map::::preservation(iter, func))] -#[ensures(result == Map { iter, func, produced: Ghost::new(Seq::EMPTY) })] -pub fn map>) -> B>( +#[ensures(result == Map { iter, func, produced: Snapshot::new(Seq::EMPTY) })] +pub fn map>) -> B>( iter: I, func: F, ) -> Map { - Map { iter, func, produced: gh! {Seq::EMPTY} } + Map { iter, func, produced: snapshot! {Seq::EMPTY} } } pub fn identity(iter: I) { 
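Review bot: The statement `snapshot! { Self::produces_one_invariant };` in the `Some(v)` arm of `next` discards its value, and nothing on the new side says why it is kept; a reader who only knows the `gh!` → `snapshot!` migration will read it as a leftover. Add a one-line comment above it, e.g. `// Value unused: presumably evaluated only to instantiate the produces_one_invariant lemma for the prover — confirm`, since the intent is inferred rather than stated in the hunk. No other discarded snapshot appears in this hunk, so that is the only place the idiom needs explaining. The enclosing `fn next` starts before this hunk.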
@@ -204,7 +204,7 @@ pub fn counter>(iter: I) { iter, #[requires(cnt@ == (*_prod).len() && cnt < usize::MAX)] #[ensures(cnt@ == old(cnt)@ + 1)] - |x, _prod: Ghost>| { + |x, _prod: Snapshot>| { cnt += 1; x }, diff --git a/creusot/tests/should_succeed/iterators/07_fuse.rs b/creusot/tests/should_succeed/iterators/07_fuse.rs index 878ec75dba..c8bc3eb543 100644 --- a/creusot/tests/should_succeed/iterators/07_fuse.rs +++ b/creusot/tests/should_succeed/iterators/07_fuse.rs @@ -12,7 +12,7 @@ impl Iterator for Fuse { type Item = I::Item; #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { (self.iter == None || exists it.completed() && self.iter == Some(*it)) && @@ -21,7 +21,7 @@ impl Iterator for Fuse { } #[open] - #[predicate] + #[predicate(prophetic)] fn produces(self, prod: Seq, other: Self) -> bool { match self.iter { None => prod == Seq::EMPTY && other.iter == self.iter, diff --git a/creusot/tests/should_succeed/iterators/08_collect_extend.mlcfg b/creusot/tests/should_succeed/iterators/08_collect_extend.mlcfg index cf85fe4f6a..ab943e1f82 100644 --- a/creusot/tests/should_succeed/iterators/08_collect_extend.mlcfg +++ b/creusot/tests/should_succeed/iterators/08_collect_extend.mlcfg 
@@ -157,35 +157,35 @@ module C08CollectExtend_Extend ensures { result = invariant3 self } axiom inv3 : forall x : i . inv3 x = true - use prelude.Ghost - predicate invariant2 (self : Ghost.ghost_ty (Seq.seq t)) - val invariant2 (self : Ghost.ghost_ty (Seq.seq t)) : bool + use prelude.Snapshot + predicate invariant2 (self : Snapshot.snap_ty (Seq.seq t)) + val invariant2 (self : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = invariant2 self } - predicate inv2 (_x : Ghost.ghost_ty (Seq.seq t)) - val inv2 (_x : Ghost.ghost_ty (Seq.seq t)) : bool + predicate inv2 (_x : Snapshot.snap_ty (Seq.seq t)) + val inv2 (_x : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = inv2 _x } - axiom inv2 : forall x : Ghost.ghost_ty (Seq.seq t) . inv2 x = true - predicate invariant1 (self : Ghost.ghost_ty i) - val invariant1 (self : Ghost.ghost_ty i) : bool + axiom inv2 : forall x : Snapshot.snap_ty (Seq.seq t) . inv2 x = true + predicate invariant1 (self : Snapshot.snap_ty i) + val invariant1 (self : Snapshot.snap_ty i) : bool ensures { result = invariant1 self } - predicate inv1 (_x : Ghost.ghost_ty i) - val inv1 (_x : Ghost.ghost_ty i) : bool + predicate inv1 (_x : Snapshot.snap_ty i) + val inv1 (_x : Snapshot.snap_ty i) : bool ensures { result = inv1 _x } - axiom inv1 : forall x : Ghost.ghost_ty i . inv1 x = true - predicate invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + axiom inv1 : forall x : Snapshot.snap_ty i . 
inv1 x = true + predicate invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + val invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + val inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true predicate completed0 (self : borrowed i) val completed0 (self : borrowed i) : bool ensures { result = completed0 self } 
@@ -230,33 +230,33 @@ module C08CollectExtend_Extend ensures { inv5 result } use seq.Seq - use prelude.Ghost + use prelude.Snapshot function shallow_model3 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t = [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model0 self val shallow_model3 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model3 self } - use prelude.Ghost - function shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + use prelude.Snapshot + function shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t = - [#"../../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model3 (Ghost.inner self) - val shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + [#"../../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model3 (Snapshot.inner self) + val shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t ensures { result = shallow_model1 self } - use prelude.Ghost - use prelude.Ghost - predicate resolve2 (self : Ghost.ghost_ty (Seq.seq t)) - val resolve2 (self : Ghost.ghost_ty (Seq.seq t)) : bool + use prelude.Snapshot + use prelude.Snapshot + predicate resolve2 (self : Snapshot.snap_ty (Seq.seq t)) + val resolve2 (self : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = resolve2 self } - use prelude.Ghost - predicate resolve1 (self : Ghost.ghost_ty i) - val resolve1 (self : Ghost.ghost_ty i) : bool + use prelude.Snapshot + predicate resolve1 (self : Snapshot.snap_ty i) + val resolve1 (self : Snapshot.snap_ty i) : bool ensures { result = resolve1 self } - use prelude.Ghost + use prelude.Snapshot predicate 
into_iter_post0 (self : i) (res : i) = [#"../../../../../creusot-contracts/src/std/iter.rs" 80 8 80 19] self = res val into_iter_post0 (self : i) (res : i) : bool @@ -273,11 +273,12 @@ module C08CollectExtend_Extend ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 89 0 166 1] into_iter_post0 self result } ensures { inv3 result } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + + val resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg extend [#"../08_collect_extend.rs" 25 0 25 66] [@cfg:stackify] [@cfg:subregion_analysis] (vec : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) (iter : i) : () requires {[#"../08_collect_extend.rs" 25 40 25 43] inv7 vec} requires {[#"../08_collect_extend.rs" 25 58 25 62] inv3 iter} 
@@ -287,15 +288,15 @@ module C08CollectExtend_Extend var _0 : (); var vec : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = vec; var iter : i = iter; - var old_vec : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); + var old_vec : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); var iter1 : i; - var iter_old : Ghost.ghost_ty i; - var produced : Ghost.ghost_ty (Seq.seq t); + var iter_old : Snapshot.snap_ty i; + var produced : Snapshot.snap_ty (Seq.seq t); var _17 : Core_Option_Option_Type.t_option t; var _18 : borrowed i; var _19 : borrowed i; var __creusot_proc_iter_elem : t; - var _22 : Ghost.ghost_ty (Seq.seq t); + var _22 : Snapshot.snap_ty (Seq.seq t); var x : t; var _25 : (); var _26 : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); @@ -306,7 +307,7 @@ module C08CollectExtend_Extend goto BB1 } BB1 { - [#"../08_collect_extend.rs" 26 18 26 29] old_vec <- ([#"../08_collect_extend.rs" 26 18 26 29] Ghost.new vec); + [#"../08_collect_extend.rs" 26 18 26 35] old_vec <- ([#"../08_collect_extend.rs" 26 18 26 35] Snapshot.new vec); goto BB2 } BB2 { @@ -317,13 +318,13 @@ module C08CollectExtend_Extend goto BB3 } BB3 { - [#"../08_collect_extend.rs" 27 4 27 35] iter_old <- ([#"../08_collect_extend.rs" 27 4 27 35] Ghost.new iter1); + [#"../08_collect_extend.rs" 27 4 27 35] iter_old <- ([#"../08_collect_extend.rs" 27 4 27 35] Snapshot.new iter1); goto BB4 } BB4 { assert { [@expl:type invariant] inv1 iter_old }; assume { resolve1 iter_old }; - [#"../08_collect_extend.rs" 27 4 27 35] produced <- ([#"../08_collect_extend.rs" 27 4 27 35] Ghost.new (Seq.empty )); + [#"../08_collect_extend.rs" 27 4 27 35] produced <- ([#"../08_collect_extend.rs" 27 4 27 35] Snapshot.new (Seq.empty )); goto BB5 } BB5 { 
@@ -339,9 +340,9 @@ module C08CollectExtend_Extend } BB8 { invariant { [#"../08_collect_extend.rs" 27 4 27 35] inv3 iter1 }; - invariant { [#"../08_collect_extend.rs" 27 4 27 35] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter1 }; - invariant { [#"../08_collect_extend.rs" 27 16 27 33] ^ Ghost.inner old_vec = ^ vec }; - invariant { [#"../08_collect_extend.rs" 27 4 27 35] Seq.(==) (shallow_model0 vec) (Seq.(++) (shallow_model1 old_vec) (Ghost.inner produced)) }; + invariant { [#"../08_collect_extend.rs" 27 4 27 35] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter1 }; + invariant { [#"../08_collect_extend.rs" 27 16 27 33] ^ Snapshot.inner old_vec = ^ vec }; + invariant { [#"../08_collect_extend.rs" 27 4 27 35] Seq.(==) (shallow_model0 vec) (Seq.(++) (shallow_model1 old_vec) (Snapshot.inner produced)) }; goto BB9 } BB9 { 
@@ -387,20 +388,20 @@ module C08CollectExtend_Extend absurd } BB14 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _17); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] _17 <- (let Core_Option_Option_Type.C_Some x0 = _17 in Core_Option_Option_Type.C_Some (any t)); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _17); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] _17 <- (let Core_Option_Option_Type.C_Some x0 = _17 in Core_Option_Option_Type.C_Some (any t)); assert { [@expl:type invariant] inv5 _17 }; assume { resolve4 _17 }; - [#"../08_collect_extend.rs" 27 4 27 35] _22 <- ([#"../08_collect_extend.rs" 27 4 27 35] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../08_collect_extend.rs" 27 4 27 35] _22 <- ([#"../08_collect_extend.rs" 27 4 27 35] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB15 } BB15 { [#"../08_collect_extend.rs" 27 4 27 35] produced <- ([#"../08_collect_extend.rs" 27 4 27 35] _22); - [#"../08_collect_extend.rs" 27 4 27 35] _22 <- any Ghost.ghost_ty (Seq.seq t); + [#"../08_collect_extend.rs" 27 4 27 35] _22 <- any Snapshot.snap_ty (Seq.seq t); assert { [@expl:type invariant] inv2 produced }; assume { resolve2 produced }; - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] x <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- any t; + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] x <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 
654 51] __creusot_proc_iter_elem); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- any t; [#"../08_collect_extend.rs" 30 8 30 11] _26 <- Borrow.borrow_mut ( * vec); [#"../08_collect_extend.rs" 30 8 30 11] vec <- { vec with current = ( ^ _26) ; }; assume { inv6 ( ^ _26) }; @@ -540,25 +541,25 @@ module C08CollectExtend_Collect ensures { result = invariant2 self } axiom inv2 : forall x : i . inv2 x = true - use prelude.Ghost - predicate invariant1 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant1 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + use prelude.Snapshot + predicate invariant1 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant1 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant1 self } - predicate inv1 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv1 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate inv1 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv1 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv1 _x } - axiom inv1 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv1 x = true - predicate invariant0 (self : Ghost.ghost_ty i) - val invariant0 (self : Ghost.ghost_ty i) : bool + axiom inv1 : forall x : Snapshot.snap_ty (Seq.seq item0) . inv1 x = true + predicate invariant0 (self : Snapshot.snap_ty i) + val invariant0 (self : Snapshot.snap_ty i) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty i) - val inv0 (_x : Ghost.ghost_ty i) : bool + predicate inv0 (_x : Snapshot.snap_ty i) + val inv0 (_x : Snapshot.snap_ty i) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty i . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty i . inv0 x = true predicate completed0 (self : borrowed i) val completed0 (self : borrowed i) : bool ensures { result = completed0 self } 
@@ -616,19 +617,19 @@ module C08CollectExtend_Collect ensures { inv4 result } use seq.Seq - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - predicate resolve1 (self : Ghost.ghost_ty (Seq.seq item0)) - val resolve1 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + predicate resolve1 (self : Snapshot.snap_ty (Seq.seq item0)) + val resolve1 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = resolve1 self } - use prelude.Ghost - predicate resolve0 (self : Ghost.ghost_ty i) - val resolve0 (self : Ghost.ghost_ty i) : bool + use prelude.Snapshot + predicate resolve0 (self : Snapshot.snap_ty i) + val resolve0 (self : Snapshot.snap_ty i) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot predicate into_iter_post0 (self : i) (res : i) = [#"../../../../../creusot-contracts/src/std/iter.rs" 80 8 80 19] self = res val into_iter_post0 (self : i) (res : i) : bool @@ -659,13 +660,13 @@ module C08CollectExtend_Collect var iter : i = iter; var res : Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global); var iter1 : i; - var iter_old : Ghost.ghost_ty i; - var produced : Ghost.ghost_ty (Seq.seq item0); + var iter_old : Snapshot.snap_ty i; + var produced : Snapshot.snap_ty (Seq.seq item0); var _15 : Core_Option_Option_Type.t_option item0; var _16 : borrowed i; var _17 : borrowed i; var __creusot_proc_iter_elem : item0; - var _20 : Ghost.ghost_ty (Seq.seq item0); + var _20 : Snapshot.snap_ty (Seq.seq item0); var x : item0; var _23 : (); var _24 : borrowed (Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global)); 
@@ -685,13 +686,13 @@ module C08CollectExtend_Collect goto BB3 } BB3 { - [#"../08_collect_extend.rs" 45 4 45 40] iter_old <- ([#"../08_collect_extend.rs" 45 4 45 40] Ghost.new iter1); + [#"../08_collect_extend.rs" 45 4 45 40] iter_old <- ([#"../08_collect_extend.rs" 45 4 45 40] Snapshot.new iter1); goto BB4 } BB4 { assert { [@expl:type invariant] inv0 iter_old }; assume { resolve0 iter_old }; - [#"../08_collect_extend.rs" 45 4 45 40] produced <- ([#"../08_collect_extend.rs" 45 4 45 40] Ghost.new (Seq.empty )); + [#"../08_collect_extend.rs" 45 4 45 40] produced <- ([#"../08_collect_extend.rs" 45 4 45 40] Snapshot.new (Seq.empty )); goto BB5 } BB5 { @@ -710,8 +711,8 @@ module C08CollectExtend_Collect } BB9 { invariant { [#"../08_collect_extend.rs" 45 4 45 40] inv2 iter1 }; - invariant { [#"../08_collect_extend.rs" 45 4 45 40] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter1 }; - invariant { [#"../08_collect_extend.rs" 45 4 45 40] Seq.(==) (shallow_model0 res) (Ghost.inner produced) }; + invariant { [#"../08_collect_extend.rs" 45 4 45 40] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter1 }; + invariant { [#"../08_collect_extend.rs" 45 4 45 40] Seq.(==) (shallow_model0 res) (Snapshot.inner produced) }; goto BB10 } BB10 { 
@@ -754,20 +755,20 @@ module C08CollectExtend_Collect absurd } BB15 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _15); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] _15 <- (let Core_Option_Option_Type.C_Some x0 = _15 in Core_Option_Option_Type.C_Some (any item0)); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _15); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] _15 <- (let Core_Option_Option_Type.C_Some x0 = _15 in Core_Option_Option_Type.C_Some (any item0)); assert { [@expl:type invariant] inv4 _15 }; assume { resolve3 _15 }; - [#"../08_collect_extend.rs" 45 4 45 40] _20 <- ([#"../08_collect_extend.rs" 45 4 45 40] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../08_collect_extend.rs" 45 4 45 40] _20 <- ([#"../08_collect_extend.rs" 45 4 45 40] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB16 } BB16 { [#"../08_collect_extend.rs" 45 4 45 40] produced <- ([#"../08_collect_extend.rs" 45 4 45 40] _20); - [#"../08_collect_extend.rs" 45 4 45 40] _20 <- any Ghost.ghost_ty (Seq.seq item0); + [#"../08_collect_extend.rs" 45 4 45 40] _20 <- any Snapshot.snap_ty (Seq.seq item0); assert { [@expl:type invariant] inv1 produced }; assume { resolve1 produced }; - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] x <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- any item0; + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] x <- 
([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- any item0; [#"../08_collect_extend.rs" 47 8 47 11] _24 <- Borrow.borrow_mut res; [#"../08_collect_extend.rs" 47 8 47 11] res <- ^ _24; assume { inv5 ( ^ _24) }; @@ -960,7 +961,7 @@ module C08CollectExtend_ExtendIndex ensures { result = inv0 _x } axiom inv0 : forall x : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . inv0 x = true - use prelude.Ghost + use prelude.Snapshot use seq.Seq use prelude.Slice function shallow_model6 (self : slice uint32) : Seq.seq uint32 @@ -974,10 +975,10 @@ module C08CollectExtend_ExtendIndex val shallow_model2 (self : slice uint32) : Seq.seq uint32 ensures { result = shallow_model2 self } - use prelude.Ghost - function shallow_model1 (self : Ghost.ghost_ty (slice uint32)) : Seq.seq uint32 = - [#"../../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model2 (Ghost.inner self) - val shallow_model1 (self : Ghost.ghost_ty (slice uint32)) : Seq.seq uint32 + use prelude.Snapshot + function shallow_model1 (self : Snapshot.snap_ty (slice uint32)) : Seq.seq uint32 = + [#"../../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model2 (Snapshot.inner self) + val shallow_model1 (self : Snapshot.snap_ty (slice uint32)) : Seq.seq uint32 ensures { result = shallow_model1 self } predicate resolve2 (self : uint32) = 
@@ -1054,7 +1055,7 @@ module C08CollectExtend_ExtendIndex ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 89 0 166 1] into_iter_post0 self result } ensures { inv3 result } - use prelude.Ghost + use prelude.Snapshot function shallow_model3 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : Seq.seq uint32 = [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model0 self val shallow_model3 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : Seq.seq uint32 @@ -1071,8 +1072,8 @@ module C08CollectExtend_ExtendIndex var _0 : (); var v1 : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) = v1; var v2 : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) = v2; - var oldv1 : Ghost.ghost_ty (slice uint32); - var oldv2 : Ghost.ghost_ty (slice uint32); + var oldv1 : Snapshot.snap_ty (slice uint32); + var oldv2 : Snapshot.snap_ty (slice uint32); var _7 : (); var _8 : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)); var _9 : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)); @@ -1081,11 +1082,11 @@ module C08CollectExtend_ExtendIndex goto BB0 } BB0 { - [#"../08_collect_extend.rs" 53 16 53 27] oldv1 <- ([#"../08_collect_extend.rs" 53 16 53 27] Ghost.new (deref0 v1)); + [#"../08_collect_extend.rs" 53 16 53 33] oldv1 <- ([#"../08_collect_extend.rs" 53 16 53 33] Snapshot.new (deref0 v1)); goto BB1 } BB1 { - [#"../08_collect_extend.rs" 54 16 54 27] oldv2 <- ([#"../08_collect_extend.rs" 54 16 54 27] Ghost.new (deref0 v2)); + [#"../08_collect_extend.rs" 54 16 54 33] oldv2 <- ([#"../08_collect_extend.rs" 54 16 54 33] Snapshot.new (deref0 v2)); goto BB2 } BB2 { diff --git a/creusot/tests/should_succeed/iterators/08_collect_extend.rs b/creusot/tests/should_succeed/iterators/08_collect_extend.rs index 166950392d..1a6d1857e3 100644 --- a/creusot/tests/should_succeed/iterators/08_collect_extend.rs 
+++ b/creusot/tests/should_succeed/iterators/08_collect_extend.rs @@ -23,7 +23,7 @@ use creusot_contracts::{ done.completed() && iter.produces(prod, *done) && (^vec)@ == vec@.concat(prod) )] pub fn extend>(vec: &mut Vec, iter: I) { - let old_vec = gh! { vec }; + let old_vec = snapshot! { vec }; #[invariant(^*old_vec == ^vec)] #[invariant(vec@.ext_eq(old_vec@.concat(*produced)))] for x in iter { @@ -50,8 +50,8 @@ pub fn collect(iter: I) -> Vec { } pub fn extend_index(mut v1: Vec, v2: Vec) { - let oldv1 = gh! { *v1 }; - let oldv2 = gh! { *v2 }; + let oldv1 = snapshot! { *v1 }; + let oldv2 = snapshot! { *v2 }; extend(&mut v1, v2.into_iter()); proof_assert! { v1@.ext_eq(oldv1@.concat(oldv2@)) }; diff --git a/creusot/tests/should_succeed/iterators/09_empty.rs b/creusot/tests/should_succeed/iterators/09_empty.rs index 0fd5cb45f6..e0658ab9f2 100644 --- a/creusot/tests/should_succeed/iterators/09_empty.rs +++ b/creusot/tests/should_succeed/iterators/09_empty.rs @@ -11,7 +11,7 @@ impl Iterator for Empty { type Item = T; #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { self.resolve() } } diff --git a/creusot/tests/should_succeed/iterators/10_once.rs b/creusot/tests/should_succeed/iterators/10_once.rs index bf2e7392ce..3562488054 100644 --- a/creusot/tests/should_succeed/iterators/10_once.rs +++ b/creusot/tests/should_succeed/iterators/10_once.rs @@ -11,7 +11,7 @@ impl Iterator for Once { type Item = T; #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { *self == Once(None) && self.resolve() } } diff --git a/creusot/tests/should_succeed/iterators/12_zip.rs b/creusot/tests/should_succeed/iterators/12_zip.rs index 38e5172a97..cf9eff0d14 100644 --- a/creusot/tests/should_succeed/iterators/12_zip.rs +++ b/creusot/tests/should_succeed/iterators/12_zip.rs 
@@ -14,7 +14,7 @@ impl Iterator for Zip {
 type Item = (A::Item, B::Item);
 
 #[open]
- #[predicate]
+ #[predicate(prophetic)]
 fn completed(&mut self) -> bool {
 pearlite! {
 (self.a.completed() && (*self).b == (^self).b)
@@ -24,7 +24,7 @@ impl Iterator for Zip {
 }
 
 #[open]
- #[predicate]
+ #[predicate(prophetic)]
 fn produces(self, visited: Seq, tl: Self) -> bool {
 pearlite! {
 // Using an `unzip` definition doesn't work well because of issues related to datatypes and `match`
diff --git a/creusot/tests/should_succeed/iterators/13_cloned.rs b/creusot/tests/should_succeed/iterators/13_cloned.rs
index d68f82990a..c7ec63276d 100644
--- a/creusot/tests/should_succeed/iterators/13_cloned.rs
+++ b/creusot/tests/should_succeed/iterators/13_cloned.rs
@@ -18,13 +18,13 @@ where
 type Item = T;
 
 #[open]
- #[predicate]
+ #[predicate(prophetic)]
 fn completed(&mut self) -> bool {
 pearlite! { self.iter.completed() }
 }
 
 #[open]
- #[predicate]
+ #[predicate(prophetic)]
 fn produces(self, visited: Seq, o: Self) -> bool {
 pearlite! {
 exists> self.iter.produces(s, o.iter)
diff --git a/creusot/tests/should_succeed/iterators/14_copied.rs b/creusot/tests/should_succeed/iterators/14_copied.rs
index c29d7aa0dc..4a63babd9b 100644
--- a/creusot/tests/should_succeed/iterators/14_copied.rs
+++ b/creusot/tests/should_succeed/iterators/14_copied.rs
@@ -18,13 +18,13 @@ where
 type Item = T;
 
 #[open]
- #[predicate]
+ #[predicate(prophetic)]
 fn completed(&mut self) -> bool {
 pearlite! { self.iter.completed() }
 }
 
 #[open]
- #[predicate]
+ #[predicate(prophetic)]
 fn produces(self, visited: Seq, o: Self) -> bool {
 pearlite! {
 exists> self.iter.produces(s, o.iter)
diff --git a/creusot/tests/should_succeed/iterators/15_enumerate.rs b/creusot/tests/should_succeed/iterators/15_enumerate.rs
index f0f7c28c7f..d800aecd7c 100644
--- a/creusot/tests/should_succeed/iterators/15_enumerate.rs
+++ b/creusot/tests/should_succeed/iterators/15_enumerate.rs
@@ -18,13 +18,13 @@ where
 type Item = (usize, I::Item);
 
 #[open]
- #[predicate]
+ #[predicate(prophetic)]
 fn completed(&mut self) -> bool {
 pearlite! { self.iter.completed() }
 }
 
 #[open]
- #[predicate]
+ #[predicate(prophetic)]
 fn produces(self, visited: Seq, o: Self) -> bool {
 pearlite! {
 visited.len() == o.count@ - self.count@
@@ -67,7 +67,7 @@ where
 I: Iterator,
 {
 #[open]
- #[predicate]
+ #[predicate(prophetic)]
 fn invariant(self) -> bool {
 pearlite! {
 (forall, i: I> self.iter.produces(s, i) ==> self.count@ + s.len() < std::usize::MAX@)
diff --git a/creusot/tests/should_succeed/iterators/16_take.rs b/creusot/tests/should_succeed/iterators/16_take.rs
index 77a3350d59..7563da5509 100644
--- a/creusot/tests/should_succeed/iterators/16_take.rs
+++ b/creusot/tests/should_succeed/iterators/16_take.rs
@@ -18,7 +18,7 @@ where
 type Item = I::Item;
 
 #[open]
- #[predicate]
+ #[predicate(prophetic)]
 fn completed(&mut self) -> bool {
 pearlite! {
 (*self).n@ == 0 && self.resolve() ||
@@ -27,7 +27,7 @@ where
 }
 
 #[open]
- #[predicate]
+ #[predicate(prophetic)]
 fn produces(self, visited: Seq, o: Self) -> bool {
 pearlite! {
 self.n@ == o.n@ + visited.len() && self.iter.produces(visited, o.iter)
diff --git a/creusot/tests/should_succeed/iterators/common.rs b/creusot/tests/should_succeed/iterators/common.rs
index fb815fb51c..17f5e5e258 100644
--- a/creusot/tests/should_succeed/iterators/common.rs
+++ b/creusot/tests/should_succeed/iterators/common.rs
@@ -4,10 +4,10 @@ use creusot_contracts::{logic::Seq, *};
 pub trait Iterator {
 type Item;
 
- #[predicate]
+ #[predicate(prophetic)]
 fn produces(self, visited: Seq, o: Self) -> bool;
 
- #[predicate]
+ #[predicate(prophetic)]
 fn completed(&mut self) -> bool;
 
 #[law]
diff --git a/creusot/tests/should_succeed/knapsack.rs b/creusot/tests/should_succeed/knapsack.rs
index 90ddb4b5c0..bbbf0c160c 100644
--- a/creusot/tests/should_succeed/knapsack.rs
+++ b/creusot/tests/should_succeed/knapsack.rs
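Review bot: The trait-level `#[predicate(prophetic)]` on `produces` in common.rs is left unexplained, and unlike `completed(&mut self)` — whose visible implementations do read the final value through `self.resolve()` and `(^self).b` — `produces` takes `self` by value and every implementation visible in this diff (Zip, Cloned, Copied, Enumerate, Take, plus `Enumerate::invariant`) only delegates to another iterator's `produces`, so the marker appears to be required on the implementations solely because the trait declaration carries it. If that is the mechanism — trait predicates must be prophetic for implementors to delegate to prophetic predicates of their sub-iterators — a doc comment above the declaration would stop the next reader from trying to drop it, e.g. `/// Prophetic so that implementations may delegate to the prophetic predicates of other iterators; this declaration does not itself mention a prophecy.` Presumably a prophetic predicate cannot be called from a non-prophetic logic context, so keeping `produces` non-prophetic where possible would leave it usable in more places; worth confirming against Creusot's rules rather than assuming. The trait body continues past the hunk (the `#[law]` item is cut off).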
@@ -26,7 +26,7 @@ fn max(a: usize, b: usize) -> usize { /// * $m[0,\,w]=0$ /// * $m[i,\,w]=m[i-1,\,w]$ if $w_i > w\,\!$ (the new item is more than the current weight limit) /// * $m[i,\,w]=\max(m[i-1,\,w],\,m[i-1,w-w_i]+v_i)$ if $w_i \leqslant w$. -#[ghost] +#[logic] #[variant(i)] #[requires(0 <= i && i <= items.len())] #[requires(0 <= w)] diff --git a/creusot/tests/should_succeed/knapsack_full.mlcfg b/creusot/tests/should_succeed/knapsack_full.mlcfg index 72f2c91618..a45e9fe18e 100644 --- a/creusot/tests/should_succeed/knapsack_full.mlcfg +++ b/creusot/tests/should_succeed/knapsack_full.mlcfg @@ -666,7 +666,7 @@ module KnapsackFull_Knapsack01Dyn val index_logic4 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) (ix : int) : KnapsackFull_Item_Type.t_item name ensures { result = index_logic4 self ix } - use prelude.Ghost + use prelude.Snapshot use seq.Seq function shallow_model10 (self : borrowed (Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (KnapsackFull_Item_Type.t_item name) @@ -895,8 +895,8 @@ module KnapsackFull_Knapsack01Dyn end } ensures { inv13 result } - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post1 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) (res : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) = 
@@ -989,11 +989,11 @@ module KnapsackFull_Knapsack01Dyn ensures { result = m0 items i w } axiom m0_spec : forall items : Seq.seq (KnapsackFull_Item_Type.t_item name), i : int, w : int . ([#"../knapsack_full.rs" 60 11 60 37] 0 <= i /\ i <= Seq.length items) -> ([#"../knapsack_full.rs" 61 11 61 17] 0 <= w) -> ([#"../knapsack_full.rs" 66 11 66 16] inv11 items) -> ([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv3 s -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items i /\ sum_weights0 s j <= w -> sum_values0 s j <= m0 items i w) && ([#"../knapsack_full.rs" 62 10 62 21] m0 items i w >= 0) - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_Range_Type.t_range usize) (res : Core_Ops_Range_Range_Type.t_range usize) = 
@@ -1047,26 +1047,26 @@ module KnapsackFull_Knapsack01Dyn var _14 : usize; var iter : Core_Ops_Range_Range_Type.t_range usize; var _19 : usize; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range usize); - var produced : Ghost.ghost_ty (Seq.seq usize); + var iter_old : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range usize); + var produced : Snapshot.snap_ty (Seq.seq usize); var _31 : (); var _32 : Core_Option_Option_Type.t_option usize; var _33 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var _34 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var __creusot_proc_iter_elem : usize; - var _37 : Ghost.ghost_ty (Seq.seq usize); + var _37 : Snapshot.snap_ty (Seq.seq usize); var i : usize; var it : KnapsackFull_Item_Type.t_item name; var _41 : KnapsackFull_Item_Type.t_item name; var iter1 : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize; var _45 : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize; - var iter_old1 : Ghost.ghost_ty (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize); - var produced1 : Ghost.ghost_ty (Seq.seq usize); + var iter_old1 : Snapshot.snap_ty (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize); + var produced1 : Snapshot.snap_ty (Seq.seq usize); var _58 : Core_Option_Option_Type.t_option usize; var _59 : borrowed (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize); var _60 : borrowed (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize); var __creusot_proc_iter_elem1 : usize; - var _63 : Ghost.ghost_ty (Seq.seq usize); + var _63 : Snapshot.snap_ty (Seq.seq usize); var w : usize; var _66 : usize; var _70 : usize; 
@@ -1118,11 +1118,11 @@ module KnapsackFull_Knapsack01Dyn goto BB5 } BB5 { - [#"../knapsack_full.rs" 88 4 88 55] iter_old <- ([#"../knapsack_full.rs" 88 4 88 55] Ghost.new iter); + [#"../knapsack_full.rs" 88 4 88 55] iter_old <- ([#"../knapsack_full.rs" 88 4 88 55] Snapshot.new iter); goto BB6 } BB6 { - [#"../knapsack_full.rs" 88 4 88 55] produced <- ([#"../knapsack_full.rs" 88 4 88 55] Ghost.new (Seq.empty )); + [#"../knapsack_full.rs" 88 4 88 55] produced <- ([#"../knapsack_full.rs" 88 4 88 55] Snapshot.new (Seq.empty )); goto BB7 } BB7 { 
@@ -1142,10 +1142,10 @@ module KnapsackFull_Knapsack01Dyn } BB12 { invariant { [#"../knapsack_full.rs" 88 4 88 55] inv0 iter }; - invariant { [#"../knapsack_full.rs" 88 4 88 55] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; + invariant { [#"../knapsack_full.rs" 88 4 88 55] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; invariant { [#"../knapsack_full.rs" 88 16 88 53] Seq.length (shallow_model0 items) + 1 = Seq.length (shallow_model1 best_value) }; invariant { [#"../knapsack_full.rs" 88 4 88 55] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 best_value) -> UIntSize.to_int max_weight + 1 = Seq.length (shallow_model3 (index_logic0 best_value i)) }; - invariant { [#"../knapsack_full.rs" 88 4 88 55] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (Ghost.inner produced) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) = m0 (shallow_model0 items) ii ww }; + invariant { [#"../knapsack_full.rs" 88 4 88 55] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (Snapshot.inner produced) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) = m0 (shallow_model0 items) ii ww }; invariant { [#"../knapsack_full.rs" 88 4 88 55] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (shallow_model0 items) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) <= 10000000 * ii }; goto BB13 } 
@@ -1177,14 +1177,14 @@ module KnapsackFull_Knapsack01Dyn absurd } BB18 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _32); - [#"../knapsack_full.rs" 88 4 88 55] _37 <- ([#"../knapsack_full.rs" 88 4 88 55] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _32); + [#"../knapsack_full.rs" 88 4 88 55] _37 <- ([#"../knapsack_full.rs" 88 4 88 55] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB19 } BB19 { [#"../knapsack_full.rs" 88 4 88 55] produced <- ([#"../knapsack_full.rs" 88 4 88 55] _37); - [#"../knapsack_full.rs" 88 4 88 55] _37 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] i <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem); + [#"../knapsack_full.rs" 88 4 88 55] _37 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] i <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem); [#"../knapsack_full.rs" 96 23 96 26] _41 <- ([#"../knapsack_full.rs" 96 23 96 26] index0 ([#"../knapsack_full.rs" 96 18 96 23] items) ([#"../knapsack_full.rs" 96 24 96 25] i)); goto BB20 } 
@@ -1201,11 +1201,11 @@ module KnapsackFull_Knapsack01Dyn goto BB22 } BB22 { - [#"../knapsack_full.rs" 98 8 98 59] iter_old1 <- ([#"../knapsack_full.rs" 98 8 98 59] Ghost.new iter1); + [#"../knapsack_full.rs" 98 8 98 59] iter_old1 <- ([#"../knapsack_full.rs" 98 8 98 59] Snapshot.new iter1); goto BB23 } BB23 { - [#"../knapsack_full.rs" 98 8 98 59] produced1 <- ([#"../knapsack_full.rs" 98 8 98 59] Ghost.new (Seq.empty )); + [#"../knapsack_full.rs" 98 8 98 59] produced1 <- ([#"../knapsack_full.rs" 98 8 98 59] Snapshot.new (Seq.empty )); goto BB24 } BB24 { 
@@ -1228,11 +1228,11 @@ module KnapsackFull_Knapsack01Dyn } BB30 { invariant { [#"../knapsack_full.rs" 98 8 98 59] inv2 iter1 }; - invariant { [#"../knapsack_full.rs" 98 8 98 59] produces1 (Ghost.inner iter_old1) (Ghost.inner produced1) iter1 }; + invariant { [#"../knapsack_full.rs" 98 8 98 59] produces1 (Snapshot.inner iter_old1) (Snapshot.inner produced1) iter1 }; invariant { [#"../knapsack_full.rs" 98 20 98 57] Seq.length (shallow_model0 items) + 1 = Seq.length (shallow_model1 best_value) }; invariant { [#"../knapsack_full.rs" 98 8 98 59] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 best_value) -> UIntSize.to_int max_weight + 1 = Seq.length (shallow_model3 (index_logic0 best_value i)) }; invariant { [#"../knapsack_full.rs" 98 8 98 59] forall ww : int . forall ii : int . 0 <= ii /\ ii <= UIntSize.to_int i /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) = m0 (shallow_model0 items) ii ww }; - invariant { [#"../knapsack_full.rs" 98 8 98 59] forall ww : int . 0 <= ww /\ ww <= Seq.length (Ghost.inner produced1) - 1 -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value (UIntSize.to_int i + 1))) ww) = m0 (shallow_model0 items) (UIntSize.to_int i + 1) ww }; + invariant { [#"../knapsack_full.rs" 98 8 98 59] forall ww : int . 0 <= ww /\ ww <= Seq.length (Snapshot.inner produced1) - 1 -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value (UIntSize.to_int i + 1))) ww) = m0 (shallow_model0 items) (UIntSize.to_int i + 1) ww }; invariant { [#"../knapsack_full.rs" 98 8 98 59] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (shallow_model0 items) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) <= 10000000 * ii }; goto BB31 } 
@@ -1262,14 +1262,14 @@ module KnapsackFull_Knapsack01Dyn goto BB35 } BB35 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem1 <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _58); - [#"../knapsack_full.rs" 98 8 98 59] _63 <- ([#"../knapsack_full.rs" 98 8 98 59] Ghost.new (Seq.(++) (Ghost.inner produced1) (Seq.singleton __creusot_proc_iter_elem1))); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem1 <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _58); + [#"../knapsack_full.rs" 98 8 98 59] _63 <- ([#"../knapsack_full.rs" 98 8 98 59] Snapshot.new (Seq.(++) (Snapshot.inner produced1) (Seq.singleton __creusot_proc_iter_elem1))); goto BB36 } BB36 { [#"../knapsack_full.rs" 98 8 98 59] produced1 <- ([#"../knapsack_full.rs" 98 8 98 59] _63); - [#"../knapsack_full.rs" 98 8 98 59] _63 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] w <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem1); + [#"../knapsack_full.rs" 98 8 98 59] _63 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] w <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem1); switch ([#"../knapsack_full.rs" 111 38 111 51] ([#"../knapsack_full.rs" 111 38 111 47] KnapsackFull_Item_Type.item_weight it) > ([#"../knapsack_full.rs" 111 50 111 51] w)) | False -> goto BB40 | True -> goto BB37 diff --git a/creusot/tests/should_succeed/knapsack_full.rs b/creusot/tests/should_succeed/knapsack_full.rs index 915d02bb5d..359165faae 100644 --- a/creusot/tests/should_succeed/knapsack_full.rs +++ b/creusot/tests/should_succeed/knapsack_full.rs 
@@ -20,7 +20,7 @@ fn max(a: usize, b: usize) -> usize { } } -#[ghost] +#[logic] #[variant(s.len()-i)] #[requires(0 <= i && i <= s.len())] #[ensures(result >= 0)] @@ -31,7 +31,7 @@ fn sum_weights(s: Seq<&Item>, i: Int) -> Int { } } -#[ghost] +#[logic] #[variant(s.len()-i)] #[requires(i >= 0 && i <= s.len())] fn sum_values(s: Seq<&Item>, i: Int) -> Int { @@ -55,7 +55,7 @@ fn subseq_rev(s1: Seq<&T>, i1: Int, s2: Seq, i2: Int) -> bool { } } -#[ghost] +#[logic] #[variant(i)] #[requires(0 <= i && i <= items.len())] #[requires(0 <= w)] diff --git a/creusot/tests/should_succeed/lang/assoc_type.rs b/creusot/tests/should_succeed/lang/assoc_type.rs index f738dba4f5..a64edf665a 100644 --- a/creusot/tests/should_succeed/lang/assoc_type.rs +++ b/creusot/tests/should_succeed/lang/assoc_type.rs @@ -43,7 +43,7 @@ pub fn uses3(_: Nested) {} // pub struct Map { // pub iter: I, -// pub produced: Ghost>, +// pub produced: Snapshot>, // } // pub fn use_map(_: Map) {} diff --git a/creusot/tests/should_succeed/list_index_mut.mlcfg b/creusot/tests/should_succeed/list_index_mut.mlcfg index 4615644180..dfacf48032 100644 --- a/creusot/tests/should_succeed/list_index_mut.mlcfg +++ b/creusot/tests/should_succeed/list_index_mut.mlcfg @@ -57,7 +57,7 @@ module ListIndexMut_IndexMut axiom inv0 : forall x : borrowed (Core_Option_Option_Type.t_option (ListIndexMut_List_Type.t_list)) . inv0 x = true use prelude.UInt32 use prelude.UIntSize - use prelude.Ghost + use prelude.Snapshot predicate resolve2 (self : borrowed (ListIndexMut_List_Type.t_list)) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed (ListIndexMut_List_Type.t_list)) : bool 
@@ -92,13 +92,13 @@ module ListIndexMut_IndexMut val shallow_model2 (self : usize) : int ensures { result = shallow_model2 self } - use prelude.Ghost - function shallow_model1 (self : Ghost.ghost_ty usize) : int = - [#"../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model2 (Ghost.inner self) - val shallow_model1 (self : Ghost.ghost_ty usize) : int + use prelude.Snapshot + function shallow_model1 (self : Snapshot.snap_ty usize) : int = + [#"../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model2 (Snapshot.inner self) + val shallow_model1 (self : Snapshot.snap_ty usize) : int ensures { result = shallow_model1 self } - use prelude.Ghost + use prelude.Snapshot use prelude.Int function get0 [#"../list_index_mut.rs" 18 4 18 46] (self : ListIndexMut_List_Type.t_list) (ix : int) : Core_Option_Option_Type.t_option uint32 @@ -122,8 +122,8 @@ module ListIndexMut_IndexMut val len0 [#"../list_index_mut.rs" 7 4 7 29] (self : ListIndexMut_List_Type.t_list) : int ensures { result = len0 self } - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot let rec cfg index_mut [#"../list_index_mut.rs" 37 0 37 61] [@cfg:stackify] [@cfg:subregion_analysis] (l : borrowed (ListIndexMut_List_Type.t_list)) (ix : usize) : borrowed uint32 requires {[#"../list_index_mut.rs" 32 11 32 24] UIntSize.to_int ix < len0 ( * l)} ensures { [#"../list_index_mut.rs" 33 10 33 37] Core_Option_Option_Type.C_Some ( * result) = get0 ( * l) (UIntSize.to_int ix) } 
@@ -136,8 +136,8 @@ module ListIndexMut_IndexMut var l : borrowed (ListIndexMut_List_Type.t_list) = l; var ix : usize = ix; var _3 : borrowed uint32; - var old_l : Ghost.ghost_ty (borrowed (ListIndexMut_List_Type.t_list)); - var old_ix : Ghost.ghost_ty usize; + var old_l : Snapshot.snap_ty (borrowed (ListIndexMut_List_Type.t_list)); + var old_ix : Snapshot.snap_ty usize; var _22 : borrowed (ListIndexMut_List_Type.t_list); var _23 : borrowed (ListIndexMut_List_Type.t_list); var _24 : Core_Option_Option_Type.t_option (borrowed (ListIndexMut_List_Type.t_list)); @@ -147,11 +147,11 @@ module ListIndexMut_IndexMut goto BB0 } BB0 { - [#"../list_index_mut.rs" 38 16 38 25] old_l <- ([#"../list_index_mut.rs" 38 16 38 25] Ghost.new l); + [#"../list_index_mut.rs" 38 16 38 31] old_l <- ([#"../list_index_mut.rs" 38 16 38 31] Snapshot.new l); goto BB1 } BB1 { - [#"../list_index_mut.rs" 39 17 39 27] old_ix <- ([#"../list_index_mut.rs" 39 17 39 27] Ghost.new ix); + [#"../list_index_mut.rs" 39 17 39 33] old_ix <- ([#"../list_index_mut.rs" 39 17 39 33] Snapshot.new ix); goto BB2 } BB2 { 
@@ -159,10 +159,10 @@ module ListIndexMut_IndexMut } BB3 { invariant { [#"../list_index_mut.rs" 40 16 40 45] (0 : usize) <= ix /\ UIntSize.to_int ix < len0 ( * l) }; - invariant { [#"../list_index_mut.rs" 41 16 41 52] get0 ( * l) (UIntSize.to_int ix) = get0 ( * Ghost.inner old_l) (shallow_model1 old_ix) }; - invariant { [#"../list_index_mut.rs" 42 16 42 55] get0 ( ^ l) (UIntSize.to_int ix) = get0 ( ^ Ghost.inner old_l) (shallow_model1 old_ix) }; - invariant { [#"../list_index_mut.rs" 40 4 40 47] len0 ( ^ l) = len0 ( * l) -> len0 ( ^ Ghost.inner old_l) = len0 ( * Ghost.inner old_l) }; - invariant { [#"../list_index_mut.rs" 40 4 40 47] (forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix -> get0 ( ^ l) i = get0 ( * l) i) -> (forall i : int . 0 <= i /\ i < len0 ( * Ghost.inner old_l) /\ i <> shallow_model1 old_ix -> get0 ( ^ Ghost.inner old_l) i = get0 ( * Ghost.inner old_l) i) }; + invariant { [#"../list_index_mut.rs" 41 16 41 52] get0 ( * l) (UIntSize.to_int ix) = get0 ( * Snapshot.inner old_l) (shallow_model1 old_ix) }; + invariant { [#"../list_index_mut.rs" 42 16 42 55] get0 ( ^ l) (UIntSize.to_int ix) = get0 ( ^ Snapshot.inner old_l) (shallow_model1 old_ix) }; + invariant { [#"../list_index_mut.rs" 40 4 40 47] len0 ( ^ l) = len0 ( * l) -> len0 ( ^ Snapshot.inner old_l) = len0 ( * Snapshot.inner old_l) }; + invariant { [#"../list_index_mut.rs" 40 4 40 47] (forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix -> get0 ( ^ l) i = get0 ( * l) i) -> (forall i : int . 0 <= i /\ i < len0 ( * Snapshot.inner old_l) /\ i <> shallow_model1 old_ix -> get0 ( ^ Snapshot.inner old_l) i = get0 ( * Snapshot.inner old_l) i) }; goto BB4 } BB4 { diff --git a/creusot/tests/should_succeed/list_index_mut.rs b/creusot/tests/should_succeed/list_index_mut.rs index 9291581962..ddf3a8a26b 100644 --- a/creusot/tests/should_succeed/list_index_mut.rs +++ b/creusot/tests/should_succeed/list_index_mut.rs 
@@ -3,7 +3,7 @@ use creusot_contracts::{logic::Int, *}; pub struct List(u32, Option>); impl List { - #[ghost] + #[logic] fn len(self: List) -> Int { { let List(_, ls) = self; @@ -14,7 +14,7 @@ impl List { } } - #[ghost] + #[logic] fn get(self: List, ix: Int) -> Option { { let List(i, ls) = self; @@ -35,8 +35,8 @@ impl List { #[ensures((^l).len() == (*l).len())] #[ensures(forall 0 <= i && i < l.len() && i != ix@ ==> l.get(i) == (^l).get(i))] pub fn index_mut(mut l: &mut List, mut ix: usize) -> &mut u32 { - let old_l = gh! { l }; - let old_ix = gh! { ix }; + let old_l = snapshot! { l }; + let old_ix = snapshot! { ix }; #[invariant(0usize <= ix && ix@ < l.len())] #[invariant(l.get(ix@) == (**old_l).get(old_ix@))] #[invariant((^l).get(ix@) == (^*old_l).get(old_ix@))] diff --git a/creusot/tests/should_succeed/list_reversal_lasso.mlcfg b/creusot/tests/should_succeed/list_reversal_lasso.mlcfg index d37be0a86a..a3f62bf56b 100644 --- a/creusot/tests/should_succeed/list_reversal_lasso.mlcfg +++ b/creusot/tests/should_succeed/list_reversal_lasso.mlcfg @@ -614,7 +614,7 @@ module ListReversalLasso_Impl4_ListReversalList val list0 [#"../list_reversal_lasso.rs" 91 4 91 54] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s : Seq.seq usize) : bool ensures { result = list0 self first s } - use prelude.Ghost + use prelude.Snapshot use prelude.Int predicate resolve1 (self : borrowed usize) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self 
@@ -641,20 +641,20 @@ module ListReversalLasso_Impl4_ListReversalList ensures { result = resolve0 self } use seq.Reverse - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - let rec cfg list_reversal_list [#"../list_reversal_lasso.rs" 99 4 99 79] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (ListReversalLasso_Memory_Type.t_memory)) (l : usize) (s : Ghost.ghost_ty (Seq.seq usize)) : usize - requires {[#"../list_reversal_lasso.rs" 97 15 97 31] list0 ( * self) l (Ghost.inner s)} - ensures { [#"../list_reversal_lasso.rs" 98 14 98 47] list0 ( ^ self) result (Reverse.reverse (Ghost.inner s)) } + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + let rec cfg list_reversal_list [#"../list_reversal_lasso.rs" 99 4 99 82] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (ListReversalLasso_Memory_Type.t_memory)) (l : usize) (s : Snapshot.snap_ty (Seq.seq usize)) : usize + requires {[#"../list_reversal_lasso.rs" 97 15 97 31] list0 ( * self) l (Snapshot.inner s)} + ensures { [#"../list_reversal_lasso.rs" 98 14 98 47] list0 ( ^ self) result (Reverse.reverse (Snapshot.inner s)) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : usize; var self : borrowed (ListReversalLasso_Memory_Type.t_memory) = self; var l : usize = l; - var s : Ghost.ghost_ty (Seq.seq usize) = s; + var s : Snapshot.snap_ty (Seq.seq usize) = s; var r : usize; - var n : Ghost.ghost_ty int; + var n : Snapshot.snap_ty int; var _17 : usize; var _18 : borrowed usize; var _19 : borrowed usize; 
@@ -663,22 +663,22 @@ module ListReversalLasso_Impl4_ListReversalList var _23 : usize; var _24 : borrowed usize; var _25 : borrowed usize; - var _27 : Ghost.ghost_ty int; + var _27 : Snapshot.snap_ty int; { goto BB0 } BB0 { [#"../list_reversal_lasso.rs" 100 20 100 24] r <- ([#"../list_reversal_lasso.rs" 100 20 100 24] [#"../list_reversal_lasso.rs" 100 20 100 24] (18446744073709551615 : usize)); - [#"../list_reversal_lasso.rs" 101 20 101 29] n <- ([#"../list_reversal_lasso.rs" 101 20 101 29] Ghost.new 0); + [#"../list_reversal_lasso.rs" 101 20 101 35] n <- ([#"../list_reversal_lasso.rs" 101 20 101 35] Snapshot.new 0); goto BB1 } BB1 { goto BB2 } BB2 { - invariant { [#"../list_reversal_lasso.rs" 103 20 103 44] 0 <= Ghost.inner n /\ Ghost.inner n <= Seq.length (Ghost.inner s) }; - invariant { [#"../list_reversal_lasso.rs" 104 20 104 59] list_seg0 ( * self) l (Ghost.inner s) null0 (Ghost.inner n) (Seq.length (Ghost.inner s)) }; - invariant { [#"../list_reversal_lasso.rs" 105 20 105 76] list_seg0 ( * self) r (Reverse.reverse (Ghost.inner s)) null0 (Seq.length (Ghost.inner s) - Ghost.inner n) (Seq.length (Ghost.inner s)) }; + invariant { [#"../list_reversal_lasso.rs" 103 20 103 44] 0 <= Snapshot.inner n /\ Snapshot.inner n <= Seq.length (Snapshot.inner s) }; + invariant { [#"../list_reversal_lasso.rs" 104 20 104 59] list_seg0 ( * self) l (Snapshot.inner s) null0 (Snapshot.inner n) (Seq.length (Snapshot.inner s)) }; + invariant { [#"../list_reversal_lasso.rs" 105 20 105 76] list_seg0 ( * self) r (Reverse.reverse (Snapshot.inner s)) null0 (Seq.length (Snapshot.inner s) - Snapshot.inner n) (Seq.length (Snapshot.inner s)) }; goto BB3 } BB3 { 
@@ -719,12 +719,12 @@ module ListReversalLasso_Impl4_ListReversalList assume { resolve1 _19 }; [#"../list_reversal_lasso.rs" 108 12 108 77] l <- ([#"../list_reversal_lasso.rs" 108 12 108 77] _17); [#"../list_reversal_lasso.rs" 108 12 108 77] _17 <- any usize; - [#"../list_reversal_lasso.rs" 109 16 109 30] _27 <- ([#"../list_reversal_lasso.rs" 109 16 109 30] Ghost.new (Ghost.inner n + 1)); + [#"../list_reversal_lasso.rs" 109 16 109 36] _27 <- ([#"../list_reversal_lasso.rs" 109 16 109 36] Snapshot.new (Snapshot.inner n + 1)); goto BB8 } BB8 { - [#"../list_reversal_lasso.rs" 109 12 109 30] n <- ([#"../list_reversal_lasso.rs" 109 12 109 30] _27); - [#"../list_reversal_lasso.rs" 109 12 109 30] _27 <- any Ghost.ghost_ty int; + [#"../list_reversal_lasso.rs" 109 12 109 36] n <- ([#"../list_reversal_lasso.rs" 109 12 109 36] _27); + [#"../list_reversal_lasso.rs" 109 12 109 36] _27 <- any Snapshot.snap_ty int; goto BB2 } BB9 { @@ -836,7 +836,7 @@ module ListReversalLasso_Impl4_ListReversalLoop val loop0 [#"../list_reversal_lasso.rs" 116 4 116 55] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s : Seq.seq usize) : bool ensures { result = loop0 self first s } - use prelude.Ghost + use prelude.Snapshot use prelude.Int predicate resolve1 (self : borrowed usize) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self 
@@ -866,28 +866,28 @@ module ListReversalLasso_Impl4_ListReversalLoop ensures { result = resolve0 self } use seq.Reverse - use prelude.Ghost - function index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq usize)) (ix : int) : usize = - [#"../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Ghost.inner self) ix - val index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq usize)) (ix : int) : usize + use prelude.Snapshot + function index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq usize)) (ix : int) : usize = + [#"../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Snapshot.inner self) ix + val index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq usize)) (ix : int) : usize ensures { result = index_logic0 self ix } let constant null0 [#"../list_reversal_lasso.rs" 13 0 13 15] : usize = [@vc:do_not_keep_trace] [@vc:sp] [#"../list_reversal_lasso.rs" 13 0 13 15] [#"../list_reversal_lasso.rs" 13 0 13 15] (18446744073709551615 : usize) - use prelude.Ghost - use prelude.Ghost - let rec cfg list_reversal_loop [#"../list_reversal_lasso.rs" 125 4 125 79] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (ListReversalLasso_Memory_Type.t_memory)) (l : usize) (s : Ghost.ghost_ty (Seq.seq usize)) : usize - requires {[#"../list_reversal_lasso.rs" 122 15 122 26] Seq.length (Ghost.inner s) > 0} - requires {[#"../list_reversal_lasso.rs" 123 15 123 32] loop0 ( * self) l (Ghost.inner s)} - ensures { [#"../list_reversal_lasso.rs" 124 14 124 101] loop0 ( ^ self) result (Seq.(++) (Seq.singleton (index_logic0 s 0)) (Reverse.reverse (SeqExt.subsequence (Ghost.inner s) 1 (Seq.length (Ghost.inner s))))) } + use prelude.Snapshot + use prelude.Snapshot + let rec cfg list_reversal_loop [#"../list_reversal_lasso.rs" 125 4 125 82] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (ListReversalLasso_Memory_Type.t_memory)) (l : usize) (s : Snapshot.snap_ty (Seq.seq usize)) : usize + requires 
{[#"../list_reversal_lasso.rs" 122 15 122 26] Seq.length (Snapshot.inner s) > 0} + requires {[#"../list_reversal_lasso.rs" 123 15 123 32] loop0 ( * self) l (Snapshot.inner s)} + ensures { [#"../list_reversal_lasso.rs" 124 14 124 101] loop0 ( ^ self) result (Seq.(++) (Seq.singleton (index_logic0 s 0)) (Reverse.reverse (SeqExt.subsequence (Snapshot.inner s) 1 (Seq.length (Snapshot.inner s))))) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : usize; var self : borrowed (ListReversalLasso_Memory_Type.t_memory) = self; var l : usize = l; - var s : Ghost.ghost_ty (Seq.seq usize) = s; + var s : Snapshot.snap_ty (Seq.seq usize) = s; var r : usize; - var n : Ghost.ghost_ty int; + var n : Snapshot.snap_ty int; var _21 : usize; var _22 : borrowed usize; var _23 : borrowed usize; 
@@ -896,23 +896,23 @@ module ListReversalLasso_Impl4_ListReversalLoop var _27 : usize; var _28 : borrowed usize; var _29 : borrowed usize; - var _31 : Ghost.ghost_ty int; + var _31 : Snapshot.snap_ty int; { goto BB0 } BB0 { [#"../list_reversal_lasso.rs" 126 20 126 24] r <- ([#"../list_reversal_lasso.rs" 126 20 126 24] [#"../list_reversal_lasso.rs" 126 20 126 24] (18446744073709551615 : usize)); - [#"../list_reversal_lasso.rs" 127 20 127 29] n <- ([#"../list_reversal_lasso.rs" 127 20 127 29] Ghost.new 0); + [#"../list_reversal_lasso.rs" 127 20 127 35] n <- ([#"../list_reversal_lasso.rs" 127 20 127 35] Snapshot.new 0); goto BB1 } BB1 { goto BB2 } BB2 { - invariant { [#"../list_reversal_lasso.rs" 129 20 129 48] 0 <= Ghost.inner n /\ Ghost.inner n <= Seq.length (Ghost.inner s) + 1 }; - invariant { [#"../list_reversal_lasso.rs" 129 8 129 50] Ghost.inner n = Seq.length (Ghost.inner s) + 1 -> l = null0 /\ r = index_logic0 s 0 /\ nonnull_ptr0 ( * self) r /\ index_logic1 ( * self) r = index_logic0 s (Seq.length (Ghost.inner s) - 1) /\ list_seg0 ( * self) (index_logic0 s (Seq.length (Ghost.inner s) - 1)) (Reverse.reverse (Ghost.inner s)) (index_logic0 s 0) 0 (Seq.length (Ghost.inner s) - 1) }; - invariant { [#"../list_reversal_lasso.rs" 129 8 129 50] Ghost.inner n <= Seq.length (Ghost.inner s) -> list_seg0 ( * self) l (Ghost.inner s) (index_logic0 s 0) (Ghost.inner n) (Seq.length (Ghost.inner s)) }; - invariant { [#"../list_reversal_lasso.rs" 129 8 129 50] Ghost.inner n <= Seq.length (Ghost.inner s) -> list_seg0 ( * self) r (Reverse.reverse (Ghost.inner s)) null0 (Seq.length (Ghost.inner s) - Ghost.inner n) (Seq.length (Ghost.inner s)) }; + invariant { [#"../list_reversal_lasso.rs" 129 20 129 48] 0 <= Snapshot.inner n /\ Snapshot.inner n <= Seq.length (Snapshot.inner s) + 1 }; + invariant { [#"../list_reversal_lasso.rs" 129 8 129 50] Snapshot.inner n = Seq.length (Snapshot.inner s) + 1 -> l = null0 /\ r = index_logic0 s 0 /\ nonnull_ptr0 ( * self) r /\ index_logic1 ( * self) 
r = index_logic0 s (Seq.length (Snapshot.inner s) - 1) /\ list_seg0 ( * self) (index_logic0 s (Seq.length (Snapshot.inner s) - 1)) (Reverse.reverse (Snapshot.inner s)) (index_logic0 s 0) 0 (Seq.length (Snapshot.inner s) - 1) }; + invariant { [#"../list_reversal_lasso.rs" 129 8 129 50] Snapshot.inner n <= Seq.length (Snapshot.inner s) -> list_seg0 ( * self) l (Snapshot.inner s) (index_logic0 s 0) (Snapshot.inner n) (Seq.length (Snapshot.inner s)) }; + invariant { [#"../list_reversal_lasso.rs" 129 8 129 50] Snapshot.inner n <= Seq.length (Snapshot.inner s) -> list_seg0 ( * self) r (Reverse.reverse (Snapshot.inner s)) null0 (Seq.length (Snapshot.inner s) - Snapshot.inner n) (Seq.length (Snapshot.inner s)) }; goto BB3 } BB3 { @@ -922,7 +922,7 @@ module ListReversalLasso_Impl4_ListReversalLoop end } BB4 { - assert { [@expl:assertion] [#"../list_reversal_lasso.rs" 138 12 138 77] Ghost.inner n = Seq.length (Ghost.inner s) -> l = Seq.get (Reverse.reverse (Ghost.inner s)) (Seq.length (Ghost.inner s) - 1) }; + assert { [@expl:assertion] [#"../list_reversal_lasso.rs" 138 12 138 77] Snapshot.inner n = Seq.length (Snapshot.inner s) -> l = Seq.get (Reverse.reverse (Snapshot.inner s)) (Seq.length (Snapshot.inner s) - 1) }; [#"../list_reversal_lasso.rs" 139 39 139 43] _25 <- Borrow.borrow_mut ( * self); [#"../list_reversal_lasso.rs" 139 39 139 43] self <- { self with current = ( ^ _25) ; }; [#"../list_reversal_lasso.rs" 139 43 139 46] _24 <- ([#"../list_reversal_lasso.rs" 139 43 139 46] index_mut0 _25 ([#"../list_reversal_lasso.rs" 139 44 139 45] l)); 
@@ -954,20 +954,20 @@ module ListReversalLasso_Impl4_ListReversalLoop assume { resolve1 _23 }; [#"../list_reversal_lasso.rs" 139 12 139 77] l <- ([#"../list_reversal_lasso.rs" 139 12 139 77] _21); [#"../list_reversal_lasso.rs" 139 12 139 77] _21 <- any usize; - [#"../list_reversal_lasso.rs" 140 16 140 30] _31 <- ([#"../list_reversal_lasso.rs" 140 16 140 30] Ghost.new (Ghost.inner n + 1)); + [#"../list_reversal_lasso.rs" 140 16 140 36] _31 <- ([#"../list_reversal_lasso.rs" 140 16 140 36] Snapshot.new (Snapshot.inner n + 1)); goto BB8 } BB8 { - [#"../list_reversal_lasso.rs" 140 12 140 30] n <- ([#"../list_reversal_lasso.rs" 140 12 140 30] _31); - [#"../list_reversal_lasso.rs" 140 12 140 30] _31 <- any Ghost.ghost_ty int; + [#"../list_reversal_lasso.rs" 140 12 140 36] n <- ([#"../list_reversal_lasso.rs" 140 12 140 36] _31); + [#"../list_reversal_lasso.rs" 140 12 140 36] _31 <- any Snapshot.snap_ty int; goto BB2 } BB9 { assume { resolve0 self }; - assert { [@expl:assertion] [#"../list_reversal_lasso.rs" 143 8 145 54] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner s) -> Seq.get (Seq.(++) (Seq.singleton (index_logic0 s 0)) (Reverse.reverse (SeqExt.subsequence (Ghost.inner s) 1 (Seq.length (Ghost.inner s))))) i = (if i = 0 then + assert { [@expl:assertion] [#"../list_reversal_lasso.rs" 143 8 145 54] forall i : int . 0 <= i /\ i < Seq.length (Snapshot.inner s) -> Seq.get (Seq.(++) (Seq.singleton (index_logic0 s 0)) (Reverse.reverse (SeqExt.subsequence (Snapshot.inner s) 1 (Seq.length (Snapshot.inner s))))) i = (if i = 0 then index_logic0 s 0 else - Seq.get (Reverse.reverse (Ghost.inner s)) (i - 1) + Seq.get (Reverse.reverse (Snapshot.inner s)) (i - 1) ) }; [#"../list_reversal_lasso.rs" 146 15 146 16] _0 <- ([#"../list_reversal_lasso.rs" 146 15 146 16] r); return _0 
@@ -1080,7 +1080,7 @@ module ListReversalLasso_Impl4_ListReversalLasso val lasso0 [#"../list_reversal_lasso.rs" 151 4 151 70] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s1 : Seq.seq usize) (s2 : Seq.seq usize) : bool ensures { result = lasso0 self first s1 s2 } - use prelude.Ghost + use prelude.Snapshot use prelude.Int predicate resolve1 (self : borrowed usize) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self 
@@ -1109,26 +1109,26 @@ module ListReversalLasso_Impl4_ListReversalLasso let constant null0 [#"../list_reversal_lasso.rs" 13 0 13 15] : usize = [@vc:do_not_keep_trace] [@vc:sp] [#"../list_reversal_lasso.rs" 13 0 13 15] [#"../list_reversal_lasso.rs" 13 0 13 15] (18446744073709551615 : usize) use seq.Reverse - use prelude.Ghost - function index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq usize)) (ix : int) : usize = - [#"../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Ghost.inner self) ix - val index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq usize)) (ix : int) : usize + use prelude.Snapshot + function index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq usize)) (ix : int) : usize = + [#"../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Snapshot.inner self) ix + val index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq usize)) (ix : int) : usize ensures { result = index_logic0 self ix } - use prelude.Ghost - use prelude.Ghost - let rec cfg list_reversal_lasso [#"../list_reversal_lasso.rs" 163 4 168 12] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (ListReversalLasso_Memory_Type.t_memory)) (l : usize) (s1 : Ghost.ghost_ty (Seq.seq usize)) (s2 : Ghost.ghost_ty (Seq.seq usize)) : usize - requires {[#"../list_reversal_lasso.rs" 161 15 161 38] lasso0 ( * self) l (Ghost.inner s1) (Ghost.inner s2)} - ensures { [#"../list_reversal_lasso.rs" 162 14 162 54] lasso0 ( ^ self) result (Ghost.inner s1) (Reverse.reverse (Ghost.inner s2)) } + use prelude.Snapshot + use prelude.Snapshot + let rec cfg list_reversal_lasso [#"../list_reversal_lasso.rs" 163 4 168 12] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (ListReversalLasso_Memory_Type.t_memory)) (l : usize) (s1 : Snapshot.snap_ty (Seq.seq usize)) (s2 : Snapshot.snap_ty (Seq.seq usize)) : usize + requires {[#"../list_reversal_lasso.rs" 161 15 161 38] lasso0 ( * self) l (Snapshot.inner s1) (Snapshot.inner s2)} + 
ensures { [#"../list_reversal_lasso.rs" 162 14 162 54] lasso0 ( ^ self) result (Snapshot.inner s1) (Reverse.reverse (Snapshot.inner s2)) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : usize; var self : borrowed (ListReversalLasso_Memory_Type.t_memory) = self; var l : usize = l; - var s1 : Ghost.ghost_ty (Seq.seq usize) = s1; - var s2 : Ghost.ghost_ty (Seq.seq usize) = s2; + var s1 : Snapshot.snap_ty (Seq.seq usize) = s1; + var s2 : Snapshot.snap_ty (Seq.seq usize) = s2; var r : usize; - var n : Ghost.ghost_ty int; + var n : Snapshot.snap_ty int; var _19 : usize; var _20 : borrowed usize; var _21 : borrowed usize; 
@@ -1137,31 +1137,31 @@ module ListReversalLasso_Impl4_ListReversalLasso var _25 : usize; var _26 : borrowed usize; var _27 : borrowed usize; - var _29 : Ghost.ghost_ty int; + var _29 : Snapshot.snap_ty int; { goto BB0 } BB0 { [#"../list_reversal_lasso.rs" 169 20 169 24] r <- ([#"../list_reversal_lasso.rs" 169 20 169 24] [#"../list_reversal_lasso.rs" 169 20 169 24] (18446744073709551615 : usize)); - [#"../list_reversal_lasso.rs" 170 20 170 29] n <- ([#"../list_reversal_lasso.rs" 170 20 170 29] Ghost.new 0); + [#"../list_reversal_lasso.rs" 170 20 170 35] n <- ([#"../list_reversal_lasso.rs" 170 20 170 35] Snapshot.new 0); goto BB1 } BB1 { goto BB2 } BB2 { - invariant { [#"../list_reversal_lasso.rs" 172 20 172 58] 0 <= Ghost.inner n /\ Ghost.inner n <= 2 * Seq.length (Ghost.inner s1) + Seq.length (Ghost.inner s2) }; - invariant { [#"../list_reversal_lasso.rs" 172 8 172 60] let mid = if Seq.length (Ghost.inner s2) = 0 then - index_logic0 s1 (Seq.length (Ghost.inner s1) - 1) + invariant { [#"../list_reversal_lasso.rs" 172 20 172 58] 0 <= Snapshot.inner n /\ Snapshot.inner n <= 2 * Seq.length (Snapshot.inner s1) + Seq.length (Snapshot.inner s2) }; + invariant { [#"../list_reversal_lasso.rs" 172 8 172 60] let mid = if Seq.length (Snapshot.inner s2) = 0 then + index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1) else index_logic0 s2 0 - in Ghost.inner n <= Seq.length (Ghost.inner s1) -> list_seg0 ( * self) l (Ghost.inner s1) mid (Ghost.inner n) (Seq.length (Ghost.inner s1)) /\ list_seg0 ( * self) mid (Ghost.inner s2) (index_logic0 s1 (Seq.length (Ghost.inner s1) - 1)) 0 (Seq.length (Ghost.inner s2)) /\ list_seg0 ( * self) r (Reverse.reverse (Ghost.inner s1)) null0 (Seq.length (Ghost.inner s1) - Ghost.inner n) (Seq.length (Ghost.inner s1)) }; - invariant { [#"../list_reversal_lasso.rs" 172 8 172 60] Seq.length (Ghost.inner s1) < Ghost.inner n /\ Ghost.inner n <= Seq.length (Ghost.inner s1) + Seq.length (Ghost.inner s2) -> list_seg0 ( * self) l (Ghost.inner s2) (index_logic0 
s1 (Seq.length (Ghost.inner s1) - 1)) (Ghost.inner n - Seq.length (Ghost.inner s1)) (Seq.length (Ghost.inner s2)) /\ list_seg0 ( * self) r (Reverse.reverse (Ghost.inner s2)) (index_logic0 s1 (Seq.length (Ghost.inner s1) - 1)) (Seq.length (Ghost.inner s1) + Seq.length (Ghost.inner s2) - Ghost.inner n) (Seq.length (Ghost.inner s2)) /\ list_seg0 ( * self) (index_logic0 s1 (Seq.length (Ghost.inner s1) - 1)) (Reverse.reverse (Ghost.inner s1)) null0 0 (Seq.length (Ghost.inner s1)) }; - invariant { [#"../list_reversal_lasso.rs" 172 8 172 60] let mid = if Seq.length (Ghost.inner s2) = 0 then - index_logic0 s1 (Seq.length (Ghost.inner s1) - 1) + in Snapshot.inner n <= Seq.length (Snapshot.inner s1) -> list_seg0 ( * self) l (Snapshot.inner s1) mid (Snapshot.inner n) (Seq.length (Snapshot.inner s1)) /\ list_seg0 ( * self) mid (Snapshot.inner s2) (index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1)) 0 (Seq.length (Snapshot.inner s2)) /\ list_seg0 ( * self) r (Reverse.reverse (Snapshot.inner s1)) null0 (Seq.length (Snapshot.inner s1) - Snapshot.inner n) (Seq.length (Snapshot.inner s1)) }; + invariant { [#"../list_reversal_lasso.rs" 172 8 172 60] Seq.length (Snapshot.inner s1) < Snapshot.inner n /\ Snapshot.inner n <= Seq.length (Snapshot.inner s1) + Seq.length (Snapshot.inner s2) -> list_seg0 ( * self) l (Snapshot.inner s2) (index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1)) (Snapshot.inner n - Seq.length (Snapshot.inner s1)) (Seq.length (Snapshot.inner s2)) /\ list_seg0 ( * self) r (Reverse.reverse (Snapshot.inner s2)) (index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1)) (Seq.length (Snapshot.inner s1) + Seq.length (Snapshot.inner s2) - Snapshot.inner n) (Seq.length (Snapshot.inner s2)) /\ list_seg0 ( * self) (index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1)) (Reverse.reverse (Snapshot.inner s1)) null0 0 (Seq.length (Snapshot.inner s1)) }; + invariant { [#"../list_reversal_lasso.rs" 172 8 172 60] let mid = if Seq.length (Snapshot.inner s2) = 0 then + index_logic0 s1 
(Seq.length (Snapshot.inner s1) - 1) else - index_logic0 s2 (Seq.length (Ghost.inner s2) - 1) - in Seq.length (Ghost.inner s1) + Seq.length (Ghost.inner s2) < Ghost.inner n -> list_seg0 ( * self) l (Reverse.reverse (Ghost.inner s1)) null0 (Ghost.inner n - Seq.length (Ghost.inner s1) - Seq.length (Ghost.inner s2)) (Seq.length (Ghost.inner s1)) /\ list_seg0 ( * self) r (Ghost.inner s1) mid (2 * Seq.length (Ghost.inner s1) + Seq.length (Ghost.inner s2) - Ghost.inner n) (Seq.length (Ghost.inner s1)) /\ list_seg0 ( * self) mid (Reverse.reverse (Ghost.inner s2)) (index_logic0 s1 (Seq.length (Ghost.inner s1) - 1)) 0 (Seq.length (Ghost.inner s2)) }; + index_logic0 s2 (Seq.length (Snapshot.inner s2) - 1) + in Seq.length (Snapshot.inner s1) + Seq.length (Snapshot.inner s2) < Snapshot.inner n -> list_seg0 ( * self) l (Reverse.reverse (Snapshot.inner s1)) null0 (Snapshot.inner n - Seq.length (Snapshot.inner s1) - Seq.length (Snapshot.inner s2)) (Seq.length (Snapshot.inner s1)) /\ list_seg0 ( * self) r (Snapshot.inner s1) mid (2 * Seq.length (Snapshot.inner s1) + Seq.length (Snapshot.inner s2) - Snapshot.inner n) (Seq.length (Snapshot.inner s1)) /\ list_seg0 ( * self) mid (Reverse.reverse (Snapshot.inner s2)) (index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1)) 0 (Seq.length (Snapshot.inner s2)) }; goto BB3 } BB3 { 
@@ -1202,12 +1202,12 @@ module ListReversalLasso_Impl4_ListReversalLasso assume { resolve1 _21 }; [#"../list_reversal_lasso.rs" 191 12 191 77] l <- ([#"../list_reversal_lasso.rs" 191 12 191 77] _19); [#"../list_reversal_lasso.rs" 191 12 191 77] _19 <- any usize; - [#"../list_reversal_lasso.rs" 192 16 192 30] _29 <- ([#"../list_reversal_lasso.rs" 192 16 192 30] Ghost.new (Ghost.inner n + 1)); + [#"../list_reversal_lasso.rs" 192 16 192 36] _29 <- ([#"../list_reversal_lasso.rs" 192 16 192 36] Snapshot.new (Snapshot.inner n + 1)); goto BB8 } BB8 { - [#"../list_reversal_lasso.rs" 192 12 192 30] n <- ([#"../list_reversal_lasso.rs" 192 12 192 30] _29); - [#"../list_reversal_lasso.rs" 192 12 192 30] _29 <- any Ghost.ghost_ty int; + [#"../list_reversal_lasso.rs" 192 12 192 36] n <- ([#"../list_reversal_lasso.rs" 192 12 192 36] _29); + [#"../list_reversal_lasso.rs" 192 12 192 36] _29 <- any Snapshot.snap_ty int; goto BB2 } BB9 { diff --git a/creusot/tests/should_succeed/list_reversal_lasso.rs b/creusot/tests/should_succeed/list_reversal_lasso.rs index 023e3d7dbc..c293c69ee0 100644 --- a/creusot/tests/should_succeed/list_reversal_lasso.rs +++ b/creusot/tests/should_succeed/list_reversal_lasso.rs @@ -16,7 +16,7 @@ impl IndexLogic for Memory { type Item = Ptr; #[open(self)] - #[ghost] + #[logic] fn index_logic(self, i: Ptr) -> Ptr { pearlite! { self.0[i] } } @@ -96,9 +96,9 @@ impl Memory { #[requires(self.list(l, *s))] #[ensures((^self).list(result, s.reverse()))] - pub fn list_reversal_list(&mut self, mut l: Ptr, s: Ghost>) -> Ptr { + pub fn list_reversal_list(&mut self, mut l: Ptr, s: Snapshot>) -> Ptr { let mut r = NULL; - let mut n = gh! { 0 }; + let mut n = snapshot! { 0 }; #[invariant(0 <= *n && *n <= s.len())] #[invariant(self.list_seg(l, *s, NULL, *n, s.len()))] @@ -106,7 +106,7 @@ impl Memory { // #[variant(s.len() - *n)] while l != NULL { l = std::mem::replace(&mut self[l], std::mem::replace(&mut r, l)); - n = gh! { *n + 1 } + n = snapshot! { *n + 1 } } return r; } 
@@ -122,9 +122,9 @@ impl Memory {
 #[requires(s.len() > 0)]
 #[requires(self.loop_(l, *s))]
 #[ensures((^self).loop_(result, Seq::singleton(s[0]).concat(s.subsequence(1, s.len()).reverse())))]
- pub fn list_reversal_loop(&mut self, mut l: Ptr, s: Ghost>) -> Ptr {
+ pub fn list_reversal_loop(&mut self, mut l: Ptr, s: Snapshot>) -> Ptr {
 let mut r = NULL;
- let mut n = gh! { 0 };
+ let mut n = snapshot! { 0 };
 #[invariant(0 <= *n && *n <= s.len() + 1)]
 #[invariant(*n == s.len() + 1 ==>
@@ -137,7 +137,7 @@ impl Memory {
 while l != NULL {
 proof_assert! { *n == s.len() ==> l == s.reverse()[s.len() - 1] }
 l = std::mem::replace(&mut self[l], std::mem::replace(&mut r, l));
- n = gh! { *n + 1 }
+ n = snapshot! { *n + 1 }
 }
 proof_assert! { forall 0 <= i && i < s.len() ==>
@@ -163,11 +163,11 @@ impl Memory {
 pub fn list_reversal_lasso(
 &mut self,
 mut l: Ptr,
- s1: Ghost>,
- s2: Ghost>,
+ s1: Snapshot>,
+ s2: Snapshot>,
 ) -> Ptr {
 let mut r = NULL;
- let mut n = gh! { 0 };
+ let mut n = snapshot! { 0 };
 #[invariant(0 <= *n && *n <= 2*s1.len() + s2.len())]
 #[invariant({
@@ -189,12 +189,12 @@ impl Memory {
 // #[variant(2*s1.len() + s2.len() - *n)]
 while l != NULL {
 l = std::mem::replace(&mut self[l], std::mem::replace(&mut r, l));
- n = gh! { *n + 1 }
+ n = snapshot! { *n + 1 }
 }
 return r;
 }
- #[ghost]
+ #[logic]
 #[requires(0 <= i && i <= s.len())]
 #[ensures(match result {
 None => forall i <= j && j < s.len() ==> s[j]@ != p,
@@ -209,7 +209,7 @@ impl Memory {
 }
 }
- #[ghost]
+ #[logic]
 #[requires(0 <= n)]
 #[requires(forall 0 <= i && i < s.len() ==> s[i]@ < n)]
 #[requires(forall 0 <= i && i < s.len() && 0 <= j && j < s.len() && i != j ==> s[i] != s[j])]
@@ -232,7 +232,7 @@ impl Memory {
 }
 }
- #[ghost]
+ #[logic]
 #[requires(self.mem_is_well_formed())]
 #[requires(last == NULL || self.nonnull_ptr(last))]
 #[requires(self.list_seg(first, s, last, 0, s.len()))]
@@ -259,7 +259,7 @@ impl Memory { } } - #[ghost] + #[logic] #[open(self)] #[requires(self.mem_is_well_formed())] #[requires(first == NULL || self.nonnull_ptr(first))] diff --git a/creusot/tests/should_succeed/mapping_test.mlcfg b/creusot/tests/should_succeed/mapping_test.mlcfg index 4b3c7df8f1..e44734dd03 100644 --- a/creusot/tests/should_succeed/mapping_test.mlcfg +++ b/creusot/tests/should_succeed/mapping_test.mlcfg @@ -32,17 +32,17 @@ module MappingTest_Incr val shallow_model3 (self : borrowed (MappingTest_T_Type.t_t)) : Map.map int int ensures { result = shallow_model3 self } - use prelude.Ghost + use prelude.Snapshot use map.Map - use prelude.Ghost + use prelude.Snapshot function shallow_model4 (self : borrowed (MappingTest_T_Type.t_t)) : Map.map int int = [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model3 self val shallow_model4 (self : borrowed (MappingTest_T_Type.t_t)) : Map.map int int ensures { result = shallow_model4 self } - function shallow_model1 (self : Ghost.ghost_ty (borrowed (MappingTest_T_Type.t_t))) : Map.map int int = - [#"../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model4 (Ghost.inner self) - val shallow_model1 (self : Ghost.ghost_ty (borrowed (MappingTest_T_Type.t_t))) : Map.map int int + function shallow_model1 (self : Snapshot.snap_ty (borrowed (MappingTest_T_Type.t_t))) : Map.map int int = + [#"../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model4 (Snapshot.inner self) + val shallow_model1 (self : Snapshot.snap_ty (borrowed (MappingTest_T_Type.t_t))) : Map.map int int ensures { result = shallow_model1 self } predicate resolve0 (self : borrowed (MappingTest_T_Type.t_t)) = 
@@ -51,7 +51,7 @@ module MappingTest_Incr ensures { result = resolve0 self } use prelude.Int32 - use prelude.Ghost + use prelude.Snapshot let rec cfg incr [#"../mapping_test.rs" 30 0 30 18] [@cfg:stackify] [@cfg:subregion_analysis] (t : borrowed (MappingTest_T_Type.t_t)) : () requires {[#"../mapping_test.rs" 27 12 27 24] 0 <= Int32.to_int (MappingTest_T_Type.t_a ( * t))} requires {[#"../mapping_test.rs" 28 12 28 26] Int32.to_int (MappingTest_T_Type.t_a ( * t)) < 1000} @@ -60,18 +60,18 @@ module MappingTest_Incr = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var t : borrowed (MappingTest_T_Type.t_t) = t; - var old_t : Ghost.ghost_ty (borrowed (MappingTest_T_Type.t_t)); + var old_t : Snapshot.snap_ty (borrowed (MappingTest_T_Type.t_t)); { goto BB0 } BB0 { - [#"../mapping_test.rs" 31 16 31 25] old_t <- ([#"../mapping_test.rs" 31 16 31 25] Ghost.new t); + [#"../mapping_test.rs" 31 16 31 31] old_t <- ([#"../mapping_test.rs" 31 16 31 31] Snapshot.new t); goto BB1 } BB1 { [#"../mapping_test.rs" 32 4 32 15] t <- { t with current = (let MappingTest_T_Type.C_T x0 = * t in MappingTest_T_Type.C_T ([#"../mapping_test.rs" 32 4 32 15] MappingTest_T_Type.t_a ( * t) + ([#"../mapping_test.rs" 32 14 32 15] [#"../mapping_test.rs" 32 14 32 15] (1 : int32)))) ; }; assume { resolve0 t }; - assert { [@expl:assertion] [#"../mapping_test.rs" 35 19 35 50] shallow_model0 ( ^ t) = Map.set (shallow_model1 old_t) (Int32.to_int (MappingTest_T_Type.t_a ( * Ghost.inner old_t))) 1 }; + assert { [@expl:assertion] [#"../mapping_test.rs" 35 19 35 50] shallow_model0 ( ^ t) = Map.set (shallow_model1 old_t) (Int32.to_int (MappingTest_T_Type.t_a ( * Snapshot.inner old_t))) 1 }; [#"../mapping_test.rs" 30 19 36 1] _0 <- ([#"../mapping_test.rs" 30 19 36 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/mapping_test.rs b/creusot/tests/should_succeed/mapping_test.rs index 021c5084bf..a2481d3955 100644 --- a/creusot/tests/should_succeed/mapping_test.rs 
+++ b/creusot/tests/should_succeed/mapping_test.rs
@@ -13,7 +13,7 @@ struct T {
 impl ShallowModel for T {
 type ShallowModelTy = Mapping;
- #[ghost]
+ #[logic]
 #[open(self)]
 #[trusted]
 #[ensures(
@@ -28,7 +28,7 @@ impl ShallowModel for T {
 #[requires( (*t).a@ < 1000 )] // to prevent overflow
 #[ensures( (^t)@ == t@.set((*t).a@,1) )]
 fn incr(t: &mut T) {
- let old_t = gh! { t };
+ let old_t = snapshot! { t };
 (*t).a += 1;
 // proving the post-consition via extensional equality of mappings
 // (notice `==` versus `==`)
diff --git a/creusot/tests/should_succeed/mutex.mlcfg
index ba08106e93..fdb4f10ec5 100644
--- a/creusot/tests/should_succeed/mutex.mlcfg
+++ b/creusot/tests/should_succeed/mutex.mlcfg
@@ -16,12 +16,12 @@ module Mutex_GuardInner_Type type t_guardinner 't end module Mutex_MutexGuard_Type - use prelude.Ghost + use prelude.Snapshot use Mutex_GuardInner_Type as Mutex_GuardInner_Type type t_mutexguard 't 'i = - | C_MutexGuard (Mutex_GuardInner_Type.t_guardinner 't) (Ghost.ghost_ty 'i) + | C_MutexGuard (Mutex_GuardInner_Type.t_guardinner 't) (Snapshot.snap_ty 'i) - let function mutexguard_1 (self : t_mutexguard 't 'i) : Ghost.ghost_ty 'i = [@vc:do_not_keep_trace] [@vc:sp] + let function mutexguard_1 (self : t_mutexguard 't 'i) : Snapshot.snap_ty 'i = [@vc:do_not_keep_trace] [@vc:sp] match self with | C_MutexGuard _ a -> a end
@@ -118,20 +118,20 @@ module Mutex_Impl3_Call val inv3 [#"../mutex.rs" 66 4 66 33] (self : Mutex_Even_Type.t_even) (x : uint32) : bool ensures { result = inv3 self x } - use prelude.Ghost + use prelude.Snapshot val set0 [#"../mutex.rs" 56 4 56 27] (self : borrowed (Mutex_MutexGuard_Type.t_mutexguard uint32 (Mutex_Even_Type.t_even))) (v : uint32) : () - requires {[#"../mutex.rs" 55 4 55 30] inv3 (Ghost.inner (Mutex_MutexGuard_Type.mutexguard_1 ( * self))) v} + requires {[#"../mutex.rs" 55 4 55 30] inv3 (Snapshot.inner (Mutex_MutexGuard_Type.mutexguard_1 ( * self))) v} requires {[#"../mutex.rs" 56 16 56 20] inv5 self} requires {[#"../mutex.rs" 56 22 56 23] inv6 v} val deref0 [#"../mutex.rs" 50 4 50 25] (self : Mutex_MutexGuard_Type.t_mutexguard uint32 (Mutex_Even_Type.t_even)) : uint32 requires {[#"../mutex.rs" 50 14 50 18] inv2 self} - ensures { [#"../mutex.rs" 49 4 49 35] inv3 (Ghost.inner (Mutex_MutexGuard_Type.mutexguard_1 self)) result } + ensures { [#"../mutex.rs" 49 4 49 35] inv3 (Snapshot.inner (Mutex_MutexGuard_Type.mutexguard_1 self)) result } ensures { [#"../mutex.rs" 50 23 50 25] inv4 result } val lock0 [#"../mutex.rs" 37 4 37 46] (self : Mutex_Mutex_Type.t_mutex uint32 (Mutex_Even_Type.t_even)) : Mutex_MutexGuard_Type.t_mutexguard uint32 (Mutex_Even_Type.t_even) requires {[#"../mutex.rs" 37 17 37 21] inv0 self} - ensures { [#"../mutex.rs" 36 14 36 33] Mutex_Mutex_Type.mutex_1 self = Ghost.inner (Mutex_MutexGuard_Type.mutexguard_1 result) } + ensures { [#"../mutex.rs" 36 14 36 33] Mutex_Mutex_Type.mutex_1 self = Snapshot.inner (Mutex_MutexGuard_Type.mutexguard_1 result) } ensures { [#"../mutex.rs" 37 26 37 46] inv1 result } use Mutex_AddsTwo_Type as Mutex_AddsTwo_Type 
@@ -205,12 +205,12 @@ module Mutex_JoinHandleInner_Type type t_joinhandleinner 't end module Mutex_JoinHandle_Type - use prelude.Ghost + use prelude.Snapshot use Mutex_JoinHandleInner_Type as Mutex_JoinHandleInner_Type type t_joinhandle 't 'i = - | C_JoinHandle (Mutex_JoinHandleInner_Type.t_joinhandleinner 't) (Ghost.ghost_ty 'i) + | C_JoinHandle (Mutex_JoinHandleInner_Type.t_joinhandleinner 't) (Snapshot.snap_ty 'i) - let function joinhandle_1 (self : t_joinhandle 't 'i) : Ghost.ghost_ty 'i = [@vc:do_not_keep_trace] [@vc:sp] + let function joinhandle_1 (self : t_joinhandle 't 'i) : Snapshot.snap_ty 'i = [@vc:do_not_keep_trace] [@vc:sp] match self with | C_JoinHandle _ a -> a end @@ -358,11 +358,11 @@ module Mutex_Concurrent val inv8 [#"../mutex.rs" 150 4 150 39] (self : Mutex_SpawnPostCond_Type.t_spawnpostcond (Mutex_AddsTwo_Type.t_addstwo)) (v : ()) : bool ensures { result = inv8 self v } - use prelude.Ghost + use prelude.Snapshot val join0 [#"../mutex.rs" 121 4 121 34] (self : Mutex_JoinHandle_Type.t_joinhandle () (Mutex_SpawnPostCond_Type.t_spawnpostcond (Mutex_AddsTwo_Type.t_addstwo))) : Core_Result_Result_Type.t_result () () requires {[#"../mutex.rs" 121 12 121 16] inv7 self} ensures { [#"../mutex.rs" 117 14 120 5] match result with - | Core_Result_Result_Type.C_Ok v -> inv8 (Ghost.inner (Mutex_JoinHandle_Type.joinhandle_1 self)) v + | Core_Result_Result_Type.C_Ok v -> inv8 (Snapshot.inner (Mutex_JoinHandle_Type.joinhandle_1 self)) v | _ -> true end } ensures { [#"../mutex.rs" 121 21 121 34] inv9 result } diff --git a/creusot/tests/should_succeed/mutex.rs b/creusot/tests/should_succeed/mutex.rs index cafe5e1924..afea3c3895 100644 --- a/creusot/tests/should_succeed/mutex.rs +++ b/creusot/tests/should_succeed/mutex.rs 
@@ -35,14 +35,14 @@ impl> Mutex {
 #[trusted]
 #[ensures(self.1 == *result.1)]
 pub fn lock(&self) -> MutexGuard<'_, T, I> {
- MutexGuard(GuardInner(self.0 .0.lock().unwrap()), gh! { self.1 })
+ MutexGuard(GuardInner(self.0 .0.lock().unwrap()), snapshot! { self.1 })
 }
 }
 #[trusted]
 struct GuardInner<'a, T: ?Sized + 'a>(std::sync::MutexGuard<'a, T>);
-pub struct MutexGuard<'a, T: ?Sized + 'a, I>(GuardInner<'a, T>, Ghost);
+pub struct MutexGuard<'a, T: ?Sized + 'a, I>(GuardInner<'a, T>, Snapshot);
 impl<'a, T, I: Inv> MutexGuard<'a, T, I> {
 #[trusted]
@@ -110,7 +110,7 @@ impl<'a> FakeFnOnce for AddsTwo<'a> {
 #[trusted]
 struct JoinHandleInner(std::thread::JoinHandle);
-struct JoinHandle(JoinHandleInner, Ghost);
+struct JoinHandle(JoinHandleInner, Snapshot);
 impl> JoinHandle {
 #[trusted]
@@ -136,7 +136,7 @@ fn spawn>(
 #[creusot::no_translate]
 || f.call(),
 )),
- gh! { SpawnPostCond { f } },
+ snapshot! { SpawnPostCond { f } },
 )
 }
diff --git a/creusot/tests/should_succeed/red_black_tree.mlcfg
index 7d943341c6..5a1b50dfbf 100644
--- a/creusot/tests/should_succeed/red_black_tree.mlcfg
+++ b/creusot/tests/should_succeed/red_black_tree.mlcfg
@@ -1300,16 +1300,16 @@ module RedBlackTree_Impl14_RotateRight ensures { result = inv1 _x } axiom inv1 : forall x : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v) . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) - val invariant0 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) + val invariant0 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) - val inv0 (_x : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) + val inv0 (_x : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v)) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v)) . inv0 x = true use prelude.Int function height1 [#"../red_black_tree.rs" 296 4 296 26] (self : RedBlackTree_Tree_Type.t_tree k v) : int = [#"../red_black_tree.rs" 298 12 306 13] match self with @@ -1426,7 +1426,7 @@ module RedBlackTree_Impl14_RotateRight val resolve5 (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = resolve5 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve4 (self : borrowed (RedBlackTree_Color_Type.t_color)) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve4 (self : borrowed (RedBlackTree_Color_Type.t_color)) : bool 
@@ -1482,11 +1482,11 @@ module RedBlackTree_Impl14_RotateRight ensures { [#"../../../../creusot-contracts/src/std/mem.rs" 16 22 16 42] is_default0 ( ^ dest) } ensures { inv1 result } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) - val resolve0 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) + val resolve0 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg rotate_right [#"../red_black_tree.rs" 412 4 412 30] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : () requires {[#"../red_black_tree.rs" 400 15 400 43] internal_invariant0 ( * self)} requires {[#"../red_black_tree.rs" 401 15 401 42] color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red} @@ -1502,7 +1502,7 @@ module RedBlackTree_Impl14_RotateRight = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var self : borrowed (RedBlackTree_Node_Type.t_node k v) = self; - var old_self : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v)); + var old_self : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v)); var x : RedBlackTree_Node_Type.t_node k v; var _14 : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v); var _15 : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)); @@ -1525,7 +1525,7 @@ module RedBlackTree_Impl14_RotateRight goto BB0 } BB0 { - [#"../red_black_tree.rs" 413 23 413 35] old_self <- ([#"../red_black_tree.rs" 413 23 413 35] Ghost.new self); + [#"../red_black_tree.rs" 413 23 413 41] old_self <- ([#"../red_black_tree.rs" 413 23 413 41] Snapshot.new self); goto BB1 } BB1 { 
@@ -1604,7 +1604,7 @@ module RedBlackTree_Impl14_RotateRight BB6 { assume { resolve4 _30 }; assume { resolve4 _28 }; - assert { [@expl:assertion] [#"../red_black_tree.rs" 441 8 441 90] has_mapping0 (RedBlackTree_Node_Type.node_left ( * Ghost.inner old_self)) (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) (RedBlackTree_Node_Type.node_val ( * self)) }; + assert { [@expl:assertion] [#"../red_black_tree.rs" 441 8 441 90] has_mapping0 (RedBlackTree_Node_Type.node_left ( * Snapshot.inner old_self)) (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) (RedBlackTree_Node_Type.node_val ( * self)) }; goto BB7 } BB7 { 
@@ -1830,16 +1830,16 @@ module RedBlackTree_Impl14_RotateLeft ensures { result = inv1 _x } axiom inv1 : forall x : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v) . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) - val invariant0 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) + val invariant0 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) - val inv0 (_x : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) + val inv0 (_x : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v)) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v)) . inv0 x = true use prelude.Int function height1 [#"../red_black_tree.rs" 296 4 296 26] (self : RedBlackTree_Tree_Type.t_tree k v) : int = [#"../red_black_tree.rs" 298 12 306 13] match self with @@ -1956,7 +1956,7 @@ module RedBlackTree_Impl14_RotateLeft val resolve5 (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = resolve5 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve4 (self : borrowed (RedBlackTree_Color_Type.t_color)) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve4 (self : borrowed (RedBlackTree_Color_Type.t_color)) : bool 
@@ -2012,11 +2012,11 @@ module RedBlackTree_Impl14_RotateLeft ensures { [#"../../../../creusot-contracts/src/std/mem.rs" 16 22 16 42] is_default0 ( ^ dest) } ensures { inv1 result } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) - val resolve0 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) + val resolve0 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg rotate_left [#"../red_black_tree.rs" 462 4 462 29] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : () requires {[#"../red_black_tree.rs" 450 15 450 43] internal_invariant0 ( * self)} requires {[#"../red_black_tree.rs" 451 15 451 43] color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red} @@ -2032,7 +2032,7 @@ module RedBlackTree_Impl14_RotateLeft = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var self : borrowed (RedBlackTree_Node_Type.t_node k v) = self; - var old_self : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v)); + var old_self : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v)); var x : RedBlackTree_Node_Type.t_node k v; var _14 : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v); var _15 : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)); @@ -2055,7 +2055,7 @@ module RedBlackTree_Impl14_RotateLeft goto BB0 } BB0 { - [#"../red_black_tree.rs" 463 23 463 35] old_self <- ([#"../red_black_tree.rs" 463 23 463 35] Ghost.new self); + [#"../red_black_tree.rs" 463 23 463 41] old_self <- ([#"../red_black_tree.rs" 463 23 463 41] Snapshot.new self); goto BB1 } BB1 { 
@@ -2134,7 +2134,7 @@ module RedBlackTree_Impl14_RotateLeft BB6 { assume { resolve4 _30 }; assume { resolve4 _28 }; - assert { [@expl:assertion] [#"../red_black_tree.rs" 468 8 468 91] has_mapping0 (RedBlackTree_Node_Type.node_right ( * Ghost.inner old_self)) (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) (RedBlackTree_Node_Type.node_val ( * self)) }; + assert { [@expl:assertion] [#"../red_black_tree.rs" 468 8 468 91] has_mapping0 (RedBlackTree_Node_Type.node_right ( * Snapshot.inner old_self)) (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) (RedBlackTree_Node_Type.node_val ( * self)) }; goto BB7 } BB7 { @@ -5447,12 +5447,12 @@ module RedBlackTree_Impl15_Insert val invariant0 [#"../red_black_tree.rs" 364 4 364 34] (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = invariant0 self } - use prelude.Ghost - predicate resolve2 (self : Ghost.ghost_ty ()) - val resolve2 (self : Ghost.ghost_ty ()) : bool + use prelude.Snapshot + predicate resolve2 (self : Snapshot.snap_ty ()) + val resolve2 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve2 self } - use prelude.Ghost + use prelude.Snapshot use map.Map function model_acc_has_mapping0 [#"../red_black_tree.rs" 68 4 72 5] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () @@ -5564,7 +5564,7 @@ module RedBlackTree_Impl15_Insert var _12 : borrowed (RedBlackTree_Node_Type.t_node k v); var _13 : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)); var _14 : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)); - var _15 : Ghost.ghost_ty (); + var _15 : Snapshot.snap_ty (); { goto BB0 } 
@@ -5600,7 +5600,7 @@ module RedBlackTree_Impl15_Insert assume { resolve0 _12 }; assert { [@expl:type invariant] inv3 self }; assume { resolve1 self }; - [#"../red_black_tree.rs" 629 8 629 39] _15 <- ([#"../red_black_tree.rs" 629 8 629 39] Ghost.new ()); + [#"../red_black_tree.rs" 629 8 629 45] _15 <- ([#"../red_black_tree.rs" 629 8 629 45] Snapshot.new ()); goto BB5 } BB5 { @@ -6594,16 +6594,16 @@ module RedBlackTree_Impl15_DeleteMax ensures { result = inv1 _x } axiom inv1 : forall x : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v) . inv1 x = true - use prelude.Ghost - predicate invariant1 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) - val invariant1 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool + use prelude.Snapshot + predicate invariant1 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) + val invariant1 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool ensures { result = invariant1 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) - val inv0 (_x : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) + val inv0 (_x : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v)) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v)) . inv0 x = true use map.Const use map.Map function deep_model0 (self : k) : deep_model_ty0 
@@ -6719,11 +6719,11 @@ module RedBlackTree_Impl15_DeleteMax val invariant0 [#"../red_black_tree.rs" 364 4 364 34] (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = invariant0 self } - predicate resolve4 (self : Ghost.ghost_ty ()) - val resolve4 (self : Ghost.ghost_ty ()) : bool + predicate resolve4 (self : Snapshot.snap_ty ()) + val resolve4 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve4 self } - use prelude.Ghost + use prelude.Snapshot function model_acc_has_mapping0 [#"../red_black_tree.rs" 68 4 72 5] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = @@ -6819,7 +6819,7 @@ module RedBlackTree_Impl15_DeleteMax val same_mappings0 [#"../red_black_tree.rs" 42 4 42 43] (self : RedBlackTree_Tree_Type.t_tree k v) (o : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = same_mappings0 self o } - use prelude.Ghost + use prelude.Snapshot predicate resolve2 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : bool 
@@ -6834,11 +6834,11 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../red_black_tree.rs" 388 15 388 19] inv9 self} ensures { [#"../red_black_tree.rs" 387 14 387 45] result = (color0 self = RedBlackTree_Color_Type.C_Red) } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) - val resolve0 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) + val resolve0 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg delete_max [#"../red_black_tree.rs" 667 4 667 50] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (RedBlackTree_Tree_Type.t_tree k v)) : Core_Option_Option_Type.t_option (k, v) requires {[#"../red_black_tree.rs" 660 15 660 34] invariant0 ( * self)} requires {[#"../red_black_tree.rs" 667 27 667 31] inv6 self} @@ -6852,7 +6852,7 @@ module RedBlackTree_Impl15_DeleteMax = [@vc:do_not_keep_trace] [@vc:sp] var _0 : Core_Option_Option_Type.t_option (k, v); var self : borrowed (RedBlackTree_Tree_Type.t_tree k v) = self; - var old_self : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v)); + var old_self : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v)); var _7 : (); var _8 : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)); var node : borrowed (RedBlackTree_Node_Type.t_node k v); 
@@ -6864,12 +6864,12 @@ module RedBlackTree_Impl15_DeleteMax var _23 : borrowed (RedBlackTree_Node_Type.t_node k v); var _24 : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)); var _25 : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)); - var _26 : Ghost.ghost_ty (); + var _26 : Snapshot.snap_ty (); { goto BB0 } BB0 { - [#"../red_black_tree.rs" 668 23 668 35] old_self <- ([#"../red_black_tree.rs" 668 23 668 35] Ghost.new self); + [#"../red_black_tree.rs" 668 23 668 41] old_self <- ([#"../red_black_tree.rs" 668 23 668 41] Snapshot.new self); goto BB1 } BB1 { @@ -6917,7 +6917,7 @@ module RedBlackTree_Impl15_DeleteMax goto BB7 } BB7 { - assert { [@expl:assertion] [#"../red_black_tree.rs" 676 24 676 53] same_mappings0 ( * Ghost.inner old_self) ( * self) }; + assert { [@expl:assertion] [#"../red_black_tree.rs" 676 24 676 53] same_mappings0 ( * Snapshot.inner old_self) ( * self) }; [#"../red_black_tree.rs" 677 16 677 20] _18 <- Borrow.borrow_mut ( * self); [#"../red_black_tree.rs" 677 16 677 20] self <- { self with current = ( ^ _18) ; }; assume { inv5 ( ^ _18) }; @@ -6972,7 +6972,7 @@ module RedBlackTree_Impl15_DeleteMax goto BB15 } BB15 { - [#"../red_black_tree.rs" 681 8 681 39] _26 <- ([#"../red_black_tree.rs" 681 8 681 39] Ghost.new ()); + [#"../red_black_tree.rs" 681 8 681 45] _26 <- ([#"../red_black_tree.rs" 681 8 681 45] Snapshot.new ()); goto BB16 } BB16 { @@ -8045,7 +8045,7 @@ module RedBlackTree_Impl15_DeleteMin val invariant0 [#"../red_black_tree.rs" 364 4 364 34] (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = invariant0 self } - use prelude.Ghost + use prelude.Snapshot val unwrap0 (self : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v))) : borrowed (RedBlackTree_Node_Type.t_node k v) requires {[#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self <> Core_Option_Option_Type.C_None} requires {inv11 self} 
@@ -8108,11 +8108,11 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../red_black_tree.rs" 388 15 388 19] inv9 self} ensures { [#"../red_black_tree.rs" 387 14 387 45] result = (color0 self = RedBlackTree_Color_Type.C_Red) } - predicate resolve0 (self : Ghost.ghost_ty ()) - val resolve0 (self : Ghost.ghost_ty ()) : bool + predicate resolve0 (self : Snapshot.snap_ty ()) + val resolve0 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot function model_acc_has_mapping0 [#"../red_black_tree.rs" 68 4 72 5] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = @@ -8166,7 +8166,7 @@ module RedBlackTree_Impl15_DeleteMin = [@vc:do_not_keep_trace] [@vc:sp] var _0 : Core_Option_Option_Type.t_option (k, v); var self : borrowed (RedBlackTree_Tree_Type.t_tree k v) = self; - var _5 : Ghost.ghost_ty (); + var _5 : Snapshot.snap_ty (); var _7 : (); var _8 : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)); var node : borrowed (RedBlackTree_Node_Type.t_node k v); @@ -8182,7 +8182,7 @@ module RedBlackTree_Impl15_DeleteMin goto BB0 } BB0 { - [#"../red_black_tree.rs" 720 8 720 39] _5 <- ([#"../red_black_tree.rs" 720 8 720 39] Ghost.new ()); + [#"../red_black_tree.rs" 720 8 720 45] _5 <- ([#"../red_black_tree.rs" 720 8 720 45] Snapshot.new ()); goto BB1 } BB1 { 
@@ -8701,7 +8701,7 @@ module RedBlackTree_Impl15_DeleteRec val internal_invariant0 [#"../red_black_tree.rs" 356 4 356 43] (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = internal_invariant0 self } - use prelude.Ghost + use prelude.Snapshot predicate color_invariant1 [#"../red_black_tree.rs" 286 4 286 36] (self : RedBlackTree_Node_Type.t_node k v) = [#"../red_black_tree.rs" 287 8 287 112] color_invariant_here0 self /\ color_invariant0 (RedBlackTree_Node_Type.node_left self) /\ color_invariant0 (RedBlackTree_Node_Type.node_right self) val color_invariant1 [#"../red_black_tree.rs" 286 4 286 36] (self : RedBlackTree_Node_Type.t_node k v) : bool @@ -8840,11 +8840,11 @@ module RedBlackTree_Impl15_DeleteRec ensures { [#"../../../../creusot-contracts/src/std/mem.rs" 11 22 11 30] ^ x = * y } ensures { [#"../../../../creusot-contracts/src/std/mem.rs" 12 22 12 30] ^ y = * x } - predicate resolve5 (self : Ghost.ghost_ty ()) - val resolve5 (self : Ghost.ghost_ty ()) : bool + predicate resolve5 (self : Snapshot.snap_ty ()) + val resolve5 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve5 self } - use prelude.Ghost + use prelude.Snapshot use map.Map use map.Map function model_acc0 [#"../red_black_tree.rs" 49 4 52 47] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) @@ -9094,7 +9094,7 @@ module RedBlackTree_Impl15_DeleteRec var _71 : borrowed (RedBlackTree_Node_Type.t_node k v); var kv : (k, v); var _74 : borrowed (RedBlackTree_Tree_Type.t_tree k v); - var _75 : Ghost.ghost_ty (); + var _75 : Snapshot.snap_ty (); var _77 : (); var _78 : borrowed k; var _79 : borrowed k; 
@@ -9428,7 +9428,7 @@ module RedBlackTree_Impl15_DeleteRec goto BB54 } BB54 { - [#"../red_black_tree.rs" 778 24 778 53] _75 <- ([#"../red_black_tree.rs" 778 24 778 53] Ghost.new ()); + [#"../red_black_tree.rs" 778 24 778 59] _75 <- ([#"../red_black_tree.rs" 778 24 778 59] Snapshot.new ()); goto BB55 } BB55 { @@ -9892,7 +9892,7 @@ module RedBlackTree_Impl15_Delete val invariant0 [#"../red_black_tree.rs" 364 4 364 34] (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = invariant0 self } - use prelude.Ghost + use prelude.Snapshot val unwrap0 (self : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v))) : borrowed (RedBlackTree_Node_Type.t_node k v) requires {[#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self <> Core_Option_Option_Type.C_None} requires {inv11 self} @@ -9962,11 +9962,11 @@ module RedBlackTree_Impl15_Delete requires {[#"../red_black_tree.rs" 388 15 388 19] inv10 self} ensures { [#"../red_black_tree.rs" 387 14 387 45] result = (color0 self = RedBlackTree_Color_Type.C_Red) } - predicate resolve0 (self : Ghost.ghost_ty ()) - val resolve0 (self : Ghost.ghost_ty ()) : bool + predicate resolve0 (self : Snapshot.snap_ty ()) + val resolve0 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot function model_acc_has_mapping0 [#"../red_black_tree.rs" 68 4 72 5] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = @@ -10023,7 +10023,7 @@ module RedBlackTree_Impl15_Delete var _0 : Core_Option_Option_Type.t_option (k, v); var self : borrowed (RedBlackTree_Tree_Type.t_tree k v) = self; var key : k = key; - var _7 : Ghost.ghost_ty (); + var _7 : Snapshot.snap_ty (); var _9 : (); var _10 : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)); var node : borrowed (RedBlackTree_Node_Type.t_node k v); 
@@ -10039,7 +10039,7 @@ module RedBlackTree_Impl15_Delete goto BB0 } BB0 { - [#"../red_black_tree.rs" 801 8 801 39] _7 <- ([#"../red_black_tree.rs" 801 8 801 39] Ghost.new ()); + [#"../red_black_tree.rs" 801 8 801 45] _7 <- ([#"../red_black_tree.rs" 801 8 801 45] Snapshot.new ()); goto BB1 } BB1 { @@ -10459,7 +10459,7 @@ module RedBlackTree_Impl15_Get val invariant0 [#"../red_black_tree.rs" 364 4 364 34] (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = invariant0 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve5 (self : v) val resolve5 (self : v) : bool ensures { result = resolve5 self } @@ -10490,11 +10490,11 @@ module RedBlackTree_Impl15_Get val resolve1 (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = resolve1 self } - predicate resolve0 (self : Ghost.ghost_ty ()) - val resolve0 (self : Ghost.ghost_ty ()) : bool + predicate resolve0 (self : Snapshot.snap_ty ()) + val resolve0 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot function model_acc_has_mapping0 [#"../red_black_tree.rs" 68 4 72 5] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = @@ -10549,7 +10549,7 @@ module RedBlackTree_Impl15_Get var _0 : Core_Option_Option_Type.t_option v; var self : RedBlackTree_Tree_Type.t_tree k v = self; var key : k = key; - var _6 : Ghost.ghost_ty (); + var _6 : Snapshot.snap_ty (); var tree : RedBlackTree_Tree_Type.t_tree k v; var _12 : (); var _13 : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v); @@ -10563,7 +10563,7 @@ module RedBlackTree_Impl15_Get goto BB0 } BB0 { - [#"../red_black_tree.rs" 823 8 823 39] _6 <- ([#"../red_black_tree.rs" 823 8 823 39] Ghost.new ()); + [#"../red_black_tree.rs" 823 8 823 45] _6 <- ([#"../red_black_tree.rs" 823 8 823 45] Snapshot.new ()); goto BB1 } BB1 { 
@@ -10875,16 +10875,16 @@ module RedBlackTree_Impl15_GetMut ensures { result = inv1 _x } axiom inv1 : forall x : v . inv1 x = true - use prelude.Ghost - predicate invariant1 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) - val invariant1 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool + use prelude.Snapshot + predicate invariant1 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) + val invariant1 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool ensures { result = invariant1 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) - val inv0 (_x : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) + val inv0 (_x : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v)) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v)) . inv0 x = true use map.Map function deep_model1 (self : k) : deep_model_ty0 val deep_model1 (self : k) : deep_model_ty0 
@@ -11040,22 +11040,22 @@ module RedBlackTree_Impl15_GetMut val match_t0 [#"../red_black_tree.rs" 232 4 232 52] (self : RedBlackTree_Cp_Type.t_cp) (tree : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = match_t0 self tree } - use prelude.Ghost + use prelude.Snapshot function deep_model0 (self : k) : deep_model_ty0 = [#"../../../../creusot-contracts/src/model.rs" 74 8 74 28] deep_model1 self val deep_model0 (self : k) : deep_model_ty0 ensures { result = deep_model0 self } - predicate resolve1 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) - val resolve1 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool + predicate resolve1 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) + val resolve1 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool ensures { result = resolve1 self } - use prelude.Ghost - predicate resolve0 (self : Ghost.ghost_ty ()) - val resolve0 (self : Ghost.ghost_ty ()) : bool + use prelude.Snapshot + predicate resolve0 (self : Snapshot.snap_ty ()) + val resolve0 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot function model_acc_has_mapping0 [#"../red_black_tree.rs" 68 4 72 5] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = 
@@ -11111,8 +11111,8 @@ module RedBlackTree_Impl15_GetMut var _0 : Core_Option_Option_Type.t_option (borrowed v); var self : borrowed (RedBlackTree_Tree_Type.t_tree k v) = self; var key : k = key; - var _7 : Ghost.ghost_ty (); - var old_self : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v)); + var _7 : Snapshot.snap_ty (); + var old_self : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v)); var tree : borrowed (RedBlackTree_Tree_Type.t_tree k v); var _22 : (); var _23 : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)); @@ -11129,12 +11129,12 @@ module RedBlackTree_Impl15_GetMut goto BB0 } BB0 { - [#"../red_black_tree.rs" 845 8 845 39] _7 <- ([#"../red_black_tree.rs" 845 8 845 39] Ghost.new ()); + [#"../red_black_tree.rs" 845 8 845 45] _7 <- ([#"../red_black_tree.rs" 845 8 845 45] Snapshot.new ()); goto BB1 } BB1 { assume { resolve0 _7 }; - [#"../red_black_tree.rs" 847 23 847 35] old_self <- ([#"../red_black_tree.rs" 847 23 847 35] Ghost.new self); + [#"../red_black_tree.rs" 847 23 847 41] old_self <- ([#"../red_black_tree.rs" 847 23 847 41] Snapshot.new self); goto BB2 } BB2 { 
@@ -11148,12 +11148,12 @@ module RedBlackTree_Impl15_GetMut invariant { [#"../red_black_tree.rs" 850 20 850 43] bst_invariant0 ( * tree) }; invariant { [#"../red_black_tree.rs" 851 20 851 46] height_invariant0 ( * tree) }; invariant { [#"../red_black_tree.rs" 852 20 852 45] color_invariant0 ( * tree) }; - invariant { [#"../red_black_tree.rs" 850 8 850 45] forall v : v . inv1 v -> has_mapping0 ( ^ tree) (deep_model0 key) v = has_mapping0 ( ^ Ghost.inner old_self) (deep_model0 key) v }; - invariant { [#"../red_black_tree.rs" 850 8 850 45] forall v : v . inv1 v -> has_mapping0 ( * tree) (deep_model0 key) v = has_mapping0 ( * Ghost.inner old_self) (deep_model0 key) v }; - invariant { [#"../red_black_tree.rs" 850 8 850 45] (forall v : v . forall k : deep_model_ty0 . inv1 v -> inv2 k -> k = deep_model0 key \/ has_mapping0 ( * tree) k v = has_mapping0 ( ^ tree) k v) -> bst_invariant0 ( ^ tree) -> bst_invariant0 ( ^ Ghost.inner old_self) }; - invariant { [#"../red_black_tree.rs" 850 8 850 45] height0 ( * tree) = height0 ( ^ tree) /\ height_invariant0 ( ^ tree) -> height_invariant0 ( ^ Ghost.inner old_self) }; - invariant { [#"../red_black_tree.rs" 850 8 850 45] match_t0 (RedBlackTree_Cp_Type.C_CPL (color0 ( * tree))) ( ^ tree) -> match_t0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) ( ^ Ghost.inner old_self) }; - invariant { [#"../red_black_tree.rs" 850 8 850 45] forall v : v . forall k : deep_model_ty0 . inv1 v -> inv2 k -> has_mapping0 ( * tree) k v = has_mapping0 ( ^ tree) k v -> has_mapping0 ( * Ghost.inner old_self) k v = has_mapping0 ( ^ Ghost.inner old_self) k v }; + invariant { [#"../red_black_tree.rs" 850 8 850 45] forall v : v . inv1 v -> has_mapping0 ( ^ tree) (deep_model0 key) v = has_mapping0 ( ^ Snapshot.inner old_self) (deep_model0 key) v }; + invariant { [#"../red_black_tree.rs" 850 8 850 45] forall v : v . 
inv1 v -> has_mapping0 ( * tree) (deep_model0 key) v = has_mapping0 ( * Snapshot.inner old_self) (deep_model0 key) v }; + invariant { [#"../red_black_tree.rs" 850 8 850 45] (forall v : v . forall k : deep_model_ty0 . inv1 v -> inv2 k -> k = deep_model0 key \/ has_mapping0 ( * tree) k v = has_mapping0 ( ^ tree) k v) -> bst_invariant0 ( ^ tree) -> bst_invariant0 ( ^ Snapshot.inner old_self) }; + invariant { [#"../red_black_tree.rs" 850 8 850 45] height0 ( * tree) = height0 ( ^ tree) /\ height_invariant0 ( ^ tree) -> height_invariant0 ( ^ Snapshot.inner old_self) }; + invariant { [#"../red_black_tree.rs" 850 8 850 45] match_t0 (RedBlackTree_Cp_Type.C_CPL (color0 ( * tree))) ( ^ tree) -> match_t0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) ( ^ Snapshot.inner old_self) }; + invariant { [#"../red_black_tree.rs" 850 8 850 45] forall v : v . forall k : deep_model_ty0 . inv1 v -> inv2 k -> has_mapping0 ( * tree) k v = has_mapping0 ( ^ tree) k v -> has_mapping0 ( * Snapshot.inner old_self) k v = has_mapping0 ( ^ Snapshot.inner old_self) k v }; goto BB4 } BB4 { diff --git a/creusot/tests/should_succeed/red_black_tree.rs b/creusot/tests/should_succeed/red_black_tree.rs index cf67597fd2..9fb3f15fd7 100644 --- a/creusot/tests/should_succeed/red_black_tree.rs +++ b/creusot/tests/should_succeed/red_black_tree.rs @@ -45,7 +45,7 @@ impl Tree { } } - #[ghost] + #[logic] fn model_acc( self, accu: ::ShallowModelTy, @@ -62,7 +62,7 @@ impl Tree { } } - #[ghost] + #[logic] #[ensures(self.model_acc(accu).get(k) == accu.get(k) || exists self.model_acc(accu).get(k) == Some(v) && self.has_mapping(k, v))] fn model_acc_has_mapping( @@ -83,7 +83,7 @@ impl Tree { } } - #[ghost] + #[logic] #[requires(self.bst_invariant())] #[ensures(forall self.has_mapping(k, v) ==> self.model_acc(accu).get(k) == Some(v))] fn has_mapping_model_acc(self, accu: ::ShallowModelTy, k: K::DeepModelTy) 
@@ -104,7 +104,7 @@ impl Tree {
 }
 }
- #[ghost]
+ #[logic]
 #[requires(self.bst_invariant())]
 #[ensures(forall self.has_mapping(k, v) == (self@.get(k) == Some(v)))]
 fn has_mapping_model(self, k: K::DeepModelTy)
@@ -117,7 +117,7 @@ impl Tree {
 }
 }
 }
- #[ghost]
+ #[logic]
 #[requires(self.bst_invariant())]
 #[requires(self.has_mapping(k, v1))]
 #[requires(self.has_mapping(k, v2))]
@@ -155,7 +155,7 @@ impl Node {
 impl ShallowModel for Node {
 type ShallowModelTy = Mapping>;
- #[ghost]
+ #[logic]
 #[open(self)]
 fn shallow_model(self) -> Self::ShallowModelTy {
 pearlite! {
@@ -167,7 +167,7 @@ impl ShallowModel for Tree {
 impl ShallowModel for Tree {
 type ShallowModelTy = Mapping>;
- #[ghost]
+ #[logic]
 #[open(self)]
 fn shallow_model(self) -> Self::ShallowModelTy {
 pearlite! { self.model_acc(Mapping::cst(None)) }
@@ -222,7 +222,7 @@ enum CP {
 }
 use CP::*;
-#[ghost]
+#[logic]
 fn cpn(c: Color, l: CP, r: CP) -> CP {
 pearlite! { CPN(c, Box::new(l), Box::new(r)) }
 }
@@ -252,7 +252,7 @@ impl CP {
 }
 impl Tree {
- #[ghost]
+ #[logic]
 fn color(self) -> Color {
 pearlite! {
 match self.node {
@@ -291,7 +291,7 @@ impl Node {
 /***************************** The height invariant *************************/
 impl Tree {
- #[ghost]
+ #[logic]
 #[ensures(result >= 0)]
 fn height(self) -> Int {
 pearlite! {
@@ -322,7 +322,7 @@ impl Tree {
 }
 impl Node {
- #[ghost]
+ #[logic]
 #[ensures(forall>> self == *node ==> result == Tree{ node: Some(node) }.height())]
 fn height(self) -> Int {
@@ -410,7 +410,7 @@ where
 ((^self).left, r.left, r.right) == (l.left, l.right, (*self).right)
 && r.key == (*self).key)]
 fn rotate_right(&mut self) {
- let old_self = gh! { self };
+ let old_self = snapshot! { self };
 // self
 // / \
@@ -460,7 +460,7 @@ where
 (l.left, l.right, (^self).right) == ((*self).left, r.left, r.right) && l.key == (*self).key)]
 fn rotate_left(&mut self) {
- let old_self = gh! { self };
+ let old_self = snapshot! { self };
 let mut x = std::mem::take(&mut self.right.node).unwrap();
 std::mem::swap(&mut self.right, &mut x.left);
 std::mem::swap(self, &mut x);
@@ -626,7 +626,7 @@ where
 pub fn insert(&mut self, key: K, val: V) {
 self.insert_rec(key, val);
 self.node.as_mut().unwrap().color = Black;
- gh! { Self::has_mapping_model };
+ snapshot! { Self::has_mapping_model };
 }
 #[requires((*self).internal_invariant())]
@@ -665,7 +665,7 @@ where
 (^self)@ == self@.set(k.deep_model(), None),
 None => (^self)@ == self@ && self@ == Mapping::cst(None)})]
 pub fn delete_max(&mut self) -> Option<(K, V)> {
- let old_self = gh! { self };
+ let old_self = snapshot! { self };
 if let Some(node) = &mut self.node {
 if !node.left.is_red() {
 node.color = Red;
@@ -678,7 +678,7 @@ where
 if self.is_red() {
 self.node.as_mut().unwrap().color = Black;
 }
- gh! { Self::has_mapping_model };
+ snapshot! { Self::has_mapping_model };
 Some(r)
 }
@@ -717,7 +717,7 @@ where
 None => (^self)@ == self@ && self@ == Mapping::cst(None) })]
 pub fn delete_min(&mut self) -> Option<(K, V)> {
- gh! { Self::has_mapping_model };
+ snapshot! { Self::has_mapping_model };
 if let Some(node) = &mut self.node {
 if !node.left.is_red() {
@@ -775,7 +775,7 @@ where
 }
 if let Equal = ord {
 let mut kv = node.right.delete_min_rec();
- gh! { Self::has_mapping_inj };
+ snapshot! { Self::has_mapping_inj };
 std::mem::swap(&mut node.key, &mut kv.0);
 std::mem::swap(&mut node.val, &mut kv.1);
 r = Some(kv)
@@ -798,7 +798,7 @@ where
 })]
 #[ensures((^self)@ == self@.set(key.deep_model(), None))]
 pub fn delete(&mut self, key: &K) -> Option<(K, V)> {
- gh! { Self::has_mapping_model };
+ snapshot! { Self::has_mapping_model };
 if let Some(node) = &mut self.node {
 if !node.left.is_red() {
@@ -820,7 +820,7 @@ where
 None => self@.get(key.deep_model()) == None })]
 pub fn get(&self, key: &K) -> Option<&V> {
- gh! { Self::has_mapping_model };
+ snapshot! { Self::has_mapping_model };
 let mut tree = self;
 #[invariant((*tree).bst_invariant())]
@@ -842,9 +842,9 @@ where
 None => self@.get(key.deep_model()) == None && (^self)@ == self@ })]
 pub fn get_mut(&mut self, key: &K) -> Option<&mut V> {
- gh! { Self::has_mapping_model };
+ snapshot! { Self::has_mapping_model };
- let old_self = gh! { self };
+ let old_self = snapshot! { self };
 let mut tree = self;
 #[invariant((*tree).bst_invariant())]
diff --git a/creusot/tests/should_succeed/result/own.rs b/creusot/tests/should_succeed/result/own.rs
index 9d3b333910..a4ca0bf952 100644
--- a/creusot/tests/should_succeed/result/own.rs
+++ b/creusot/tests/should_succeed/result/own.rs
@@ -11,7 +11,7 @@ pub enum OwnResult {
 #[trusted]
 impl Resolve for OwnResult {
 #[open]
- #[predicate]
+ #[predicate(prophetic)]
 fn resolve(self) -> bool {
 match self {
 OwnResult::Ok(t) => t.resolve(),
diff --git a/creusot/tests/should_succeed/rusthorn/inc_max_repeat.mlcfg b/creusot/tests/should_succeed/rusthorn/inc_max_repeat.mlcfg
index 450906744d..adeffc0c7b 100644
--- a/creusot/tests/should_succeed/rusthorn/inc_max_repeat.mlcfg
+++ b/creusot/tests/should_succeed/rusthorn/inc_max_repeat.mlcfg
@@ -167,7 +167,7 @@ module IncMaxRepeat_IncMaxRepeat ensures { result = invariant0 self } axiom inv0 : forall x : Core_Ops_Range_Range_Type.t_range uint32 . inv0 x = true - use prelude.Ghost + use prelude.Snapshot predicate resolve1 (self : borrowed uint32) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed uint32) : bool
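Review bot: The switch to `#[predicate(prophetic)]` on `OwnResult::resolve` is not explained anywhere in the hunk, and because the impl is `#[trusted]` nothing in the file will tell a reader why this predicate needs the prophetic flavour. Presumably it is because the body delegates to `t.resolve()` for the generic payload, and that predicate may itself mention final values; a short comment on the attribute line such as `// prophetic: delegates to the payload's Resolve, which may refer to final (^) values` would record the intent next to the trust assumption. The body of `resolve` continues outside the hunk.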
@@ -199,11 +199,11 @@ module IncMaxRepeat_IncMaxRepeat end } ensures { inv2 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_Range_Type.t_range uint32) (res : Core_Ops_Range_Range_Type.t_range uint32) = @@ -231,13 +231,13 @@ module IncMaxRepeat_IncMaxRepeat var b : uint32 = b; var n : uint32 = n; var iter : Core_Ops_Range_Range_Type.t_range uint32; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range uint32); - var produced : Ghost.ghost_ty (Seq.seq uint32); + var iter_old : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range uint32); + var produced : Snapshot.snap_ty (Seq.seq uint32); var _18 : Core_Option_Option_Type.t_option uint32; var _19 : borrowed (Core_Ops_Range_Range_Type.t_range uint32); var _20 : borrowed (Core_Ops_Range_Range_Type.t_range uint32); var __creusot_proc_iter_elem : uint32; - var _23 : Ghost.ghost_ty (Seq.seq uint32); + var _23 : Snapshot.snap_ty (Seq.seq uint32); var mc : borrowed uint32; var _26 : borrowed uint32; var _27 : borrowed uint32; @@ -251,11 +251,11 @@ module IncMaxRepeat_IncMaxRepeat goto BB1 } BB1 { - [#"../inc_max_repeat.rs" 16 4 16 86] iter_old <- ([#"../inc_max_repeat.rs" 16 4 16 86] Ghost.new iter); + [#"../inc_max_repeat.rs" 16 4 16 86] iter_old <- ([#"../inc_max_repeat.rs" 16 4 16 86] Snapshot.new iter); goto BB2 } BB2 { - [#"../inc_max_repeat.rs" 16 4 16 86] produced <- ([#"../inc_max_repeat.rs" 16 4 16 86] Ghost.new (Seq.empty )); + [#"../inc_max_repeat.rs" 16 4 16 86] produced <- ([#"../inc_max_repeat.rs" 16 4 16 86] Snapshot.new (Seq.empty )); goto BB3 } BB3 { 
@@ -263,9 +263,9 @@ module IncMaxRepeat_IncMaxRepeat } BB4 { invariant { [#"../inc_max_repeat.rs" 16 4 16 86] inv0 iter }; - invariant { [#"../inc_max_repeat.rs" 16 4 16 86] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../inc_max_repeat.rs" 16 16 16 84] UInt32.to_int a <= 1000000 + Seq.length (Ghost.inner produced) /\ UInt32.to_int b <= 1000000 + Seq.length (Ghost.inner produced) }; - invariant { [#"../inc_max_repeat.rs" 17 16 17 70] UInt32.to_int a >= UInt32.to_int b + Seq.length (Ghost.inner produced) \/ UInt32.to_int b >= UInt32.to_int a + Seq.length (Ghost.inner produced) }; + invariant { [#"../inc_max_repeat.rs" 16 4 16 86] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../inc_max_repeat.rs" 16 16 16 84] UInt32.to_int a <= 1000000 + Seq.length (Snapshot.inner produced) /\ UInt32.to_int b <= 1000000 + Seq.length (Snapshot.inner produced) }; + invariant { [#"../inc_max_repeat.rs" 17 16 17 70] UInt32.to_int a >= UInt32.to_int b + Seq.length (Snapshot.inner produced) \/ UInt32.to_int b >= UInt32.to_int a + Seq.length (Snapshot.inner produced) }; goto BB5 } BB5 { 
@@ -298,13 +298,13 @@ module IncMaxRepeat_IncMaxRepeat absurd } BB10 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _18); - [#"../inc_max_repeat.rs" 16 4 16 86] _23 <- ([#"../inc_max_repeat.rs" 16 4 16 86] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _18); + [#"../inc_max_repeat.rs" 16 4 16 86] _23 <- ([#"../inc_max_repeat.rs" 16 4 16 86] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB11 } BB11 { [#"../inc_max_repeat.rs" 16 4 16 86] produced <- ([#"../inc_max_repeat.rs" 16 4 16 86] _23); - [#"../inc_max_repeat.rs" 16 4 16 86] _23 <- any Ghost.ghost_ty (Seq.seq uint32); + [#"../inc_max_repeat.rs" 16 4 16 86] _23 <- any Snapshot.snap_ty (Seq.seq uint32); [#"../inc_max_repeat.rs" 19 26 19 32] _27 <- Borrow.borrow_mut a; [#"../inc_max_repeat.rs" 19 26 19 32] a <- ^ _27; [#"../inc_max_repeat.rs" 19 26 19 32] _26 <- Borrow.borrow_final ( * _27) (Borrow.get_id _27); diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_2_list.mlcfg b/creusot/tests/should_succeed/rusthorn/inc_some_2_list.mlcfg index 8a31fb3c75..cec949ebd3 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_some_2_list.mlcfg +++ b/creusot/tests/should_succeed/rusthorn/inc_some_2_list.mlcfg 
@@ -120,7 +120,7 @@ module IncSome2List_Impl0_TakeSomeRest val sum0 [#"../inc_some_2_list.rs" 21 4 21 23] (self : IncSome2List_List_Type.t_list) : int ensures { result = sum0 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve2 (self : borrowed (IncSome2List_List_Type.t_list)) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed (IncSome2List_List_Type.t_list)) : bool @@ -137,7 +137,7 @@ module IncSome2List_Impl0_TakeSomeRest ensures { result = resolve0 self } val random0 [#"../inc_some_2_list.rs" 15 0 15 19] (_1 : ()) : bool - use prelude.Ghost + use prelude.Snapshot function lemma_sum_nonneg0 [#"../inc_some_2_list.rs" 34 4 34 30] (self : IncSome2List_List_Type.t_list) : () axiom lemma_sum_nonneg0_def : forall self : IncSome2List_List_Type.t_list . lemma_sum_nonneg0 self = ([#"../inc_some_2_list.rs" 35 8 38 9] match self with | IncSome2List_List_Type.C_Cons _ l -> lemma_sum_nonneg0 l @@ -157,7 +157,7 @@ module IncSome2List_Impl0_TakeSomeRest var self : borrowed (IncSome2List_List_Type.t_list) = self; var ma : borrowed uint32; var ml : borrowed (IncSome2List_List_Type.t_list); - var _8 : Ghost.ghost_ty (); + var _8 : Snapshot.snap_ty (); var _10 : bool; var _11 : borrowed uint32; var _12 : borrowed (IncSome2List_List_Type.t_list); 
@@ -188,7 +188,7 @@ module IncSome2List_Impl0_TakeSomeRest [#"../inc_some_2_list.rs" 56 17 56 19] self <- { self with current = (let IncSome2List_List_Type.C_Cons x0 x1 = * self in IncSome2List_List_Type.C_Cons ( ^ ma) x1) ; }; [#"../inc_some_2_list.rs" 56 21 56 23] ml <- Borrow.borrow_final (IncSome2List_List_Type.cons_1 ( * self)) (Borrow.inherit_id (Borrow.get_id self) 2); [#"../inc_some_2_list.rs" 56 21 56 23] self <- { self with current = (let IncSome2List_List_Type.C_Cons x0 x1 = * self in IncSome2List_List_Type.C_Cons x0 ( ^ ml)) ; }; - [#"../inc_some_2_list.rs" 57 16 57 45] _8 <- ([#"../inc_some_2_list.rs" 57 16 57 45] Ghost.new (lemma_sum_nonneg0 ( * ml))); + [#"../inc_some_2_list.rs" 57 16 57 51] _8 <- ([#"../inc_some_2_list.rs" 57 16 57 51] Snapshot.new (lemma_sum_nonneg0 ( * ml))); goto BB5 } BB5 {
diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_2_list.rs b/creusot/tests/should_succeed/rusthorn/inc_some_2_list.rs
index 9b6c99adf9..e440b224d1 100644
--- a/creusot/tests/should_succeed/rusthorn/inc_some_2_list.rs
+++ b/creusot/tests/should_succeed/rusthorn/inc_some_2_list.rs
@@ -17,7 +17,7 @@ fn random() -> bool {
 }
 impl List {
- #[ghost]
+ #[logic]
 fn sum(self) -> Int {
 pearlite! {
 match self {
@@ -28,7 +28,7 @@ impl List {
 }
 // TODO: Make this ghost
- #[ghost]
+ #[logic]
 #[variant(*self)]
 #[ensures(self.sum() >= 0)]
 fn lemma_sum_nonneg(&self) {
@@ -54,7 +54,7 @@ impl List {
 fn take_some_rest(&mut self) -> (&mut u32, &mut List) {
 match self {
 Cons(ma, ml) => {
- gh! { ml.lemma_sum_nonneg() };
+ snapshot! { ml.lemma_sum_nonneg() };
 if random() {
 (ma, ml)
 } else {
diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_2_tree.rs b/creusot/tests/should_succeed/rusthorn/inc_some_2_tree.rs
index 3074f94c8f..059d409e9e 100644
--- a/creusot/tests/should_succeed/rusthorn/inc_some_2_tree.rs
+++ b/creusot/tests/should_succeed/rusthorn/inc_some_2_tree.rs
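Review bot: The `// TODO: Make this ghost` comment in the `@@ -28,7 +28,7 @@` hunk of inc_some_2_list.rs now sits directly above the attribute this commit renames from `#[ghost]` to `#[logic]`, so it reads as a request to put the old attribute back. If the intent is that `lemma_sum_nonneg` should eventually become executable ghost code rather than a logic function, which the rename seems to be freeing the word "ghost" for, the comment should say that explicitly, e.g. `// TODO: turn this into executable ghost code instead of a logic function`. The function body continues outside the hunk.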
@@ -17,7 +17,7 @@ fn random() -> bool {
 }
 impl Tree {
- #[ghost]
+ #[logic]
 fn sum(self) -> Int {
 pearlite! {
 match self {
@@ -27,7 +27,7 @@ impl Tree {
 }
 }
- #[ghost]
+ #[logic]
 #[variant(*self)]
 #[ensures(self.sum() >= 0)]
 fn lemma_sum_nonneg(&self) {
diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_list.mlcfg b/creusot/tests/should_succeed/rusthorn/inc_some_list.mlcfg
index 6ec52c1e83..e1d6374a94 100644
--- a/creusot/tests/should_succeed/rusthorn/inc_some_list.mlcfg
+++ b/creusot/tests/should_succeed/rusthorn/inc_some_list.mlcfg
@@ -120,7 +120,7 @@ module IncSomeList_Impl0_TakeSome val sum0 [#"../inc_some_list.rs" 21 4 21 23] (self : IncSomeList_List_Type.t_list) : int ensures { result = sum0 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve2 (self : borrowed (IncSomeList_List_Type.t_list)) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed (IncSomeList_List_Type.t_list)) : bool
@@ -137,7 +137,7 @@ module IncSomeList_Impl0_TakeSome ensures { result = resolve0 self } val random0 [#"../inc_some_list.rs" 15 0 15 19] (_1 : ()) : bool - use prelude.Ghost + use prelude.Snapshot function lemma_sum_nonneg0 [#"../inc_some_list.rs" 33 4 33 30] (self : IncSomeList_List_Type.t_list) : () axiom lemma_sum_nonneg0_def : forall self : IncSomeList_List_Type.t_list . lemma_sum_nonneg0 self = ([#"../inc_some_list.rs" 34 8 37 9] match self with | IncSomeList_List_Type.C_Cons _ l -> lemma_sum_nonneg0 l
@@ -159,7 +159,7 @@ module IncSomeList_Impl0_TakeSome var ma : borrowed uint32; var ml : borrowed (IncSomeList_List_Type.t_list); var _9 : borrowed uint32; - var _10 : Ghost.ghost_ty (); + var _10 : Snapshot.snap_ty (); var _12 : borrowed uint32; var _13 : bool; var _14 : borrowed uint32;
@@ -191,7 +191,7 @@ module IncSomeList_Impl0_TakeSome [#"../inc_some_list.rs" 53 17 53 19] self <- { self with current = (let IncSomeList_List_Type.C_Cons x0 x1 = * self in IncSomeList_List_Type.C_Cons ( ^ ma) x1) ; }; [#"../inc_some_list.rs" 53 21 53 23] ml <- Borrow.borrow_final (IncSomeList_List_Type.cons_1 ( * self)) (Borrow.inherit_id (Borrow.get_id self) 2); [#"../inc_some_list.rs" 53 21 53 23] self <- { self with current = (let IncSomeList_List_Type.C_Cons x0 x1 = * self in IncSomeList_List_Type.C_Cons x0 ( ^ ml)) ; }; - [#"../inc_some_list.rs" 54 16 54 45] _10 <- ([#"../inc_some_list.rs" 54 16 54 45] Ghost.new (lemma_sum_nonneg0 ( * ml))); + [#"../inc_some_list.rs" 54 16 54 51] _10 <- ([#"../inc_some_list.rs" 54 16 54 51] Snapshot.new (lemma_sum_nonneg0 ( * ml))); goto BB5 } BB5 {
diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_list.rs b/creusot/tests/should_succeed/rusthorn/inc_some_list.rs
index 5f865b043f..36a4b51e37 100644
--- a/creusot/tests/should_succeed/rusthorn/inc_some_list.rs
+++ b/creusot/tests/should_succeed/rusthorn/inc_some_list.rs
@@ -17,7 +17,7 @@ fn random() -> bool {
 }
 impl List {
- #[ghost]
+ #[logic]
 fn sum(self) -> Int {
 pearlite! {
 match self {
@@ -27,7 +27,7 @@ impl List {
 }
 }
- #[ghost]
+ #[logic]
 #[variant(*self)]
 #[ensures(self.sum() >= 0)]
 fn lemma_sum_nonneg(&self) {
@@ -51,7 +51,7 @@ impl List {
 fn take_some(&mut self) -> &mut u32 {
 match self {
 Cons(ma, ml) => {
- gh! { ml.lemma_sum_nonneg() };
+ snapshot! { ml.lemma_sum_nonneg() };
 if random() {
 ma
 } else {
diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_tree.rs b/creusot/tests/should_succeed/rusthorn/inc_some_tree.rs
index ece870a132..908c02e973 100644
--- a/creusot/tests/should_succeed/rusthorn/inc_some_tree.rs
+++ b/creusot/tests/should_succeed/rusthorn/inc_some_tree.rs
@@ -17,7 +17,7 @@ fn random() -> bool {
 }
 impl Tree {
- #[ghost]
+ #[logic]
 fn sum(self) -> Int {
 pearlite! {
 match self {
@@ -27,7 +27,7 @@ impl Tree {
 }
 }
- #[ghost]
+ #[logic]
 #[variant(*self)]
 #[ensures(self.sum() >= 0)]
 fn lemma_sum_nonneg(&self) {
diff --git a/creusot/tests/should_succeed/selection_sort_generic.mlcfg b/creusot/tests/should_succeed/selection_sort_generic.mlcfg
index 4b2adbf524..bc06c2fc5f 100644
--- a/creusot/tests/should_succeed/selection_sort_generic.mlcfg
+++ b/creusot/tests/should_succeed/selection_sort_generic.mlcfg
@@ -348,17 +348,17 @@ module SelectionSortGeneric_SelectionSort ensures { result = invariant1 self } axiom inv1 : forall x : Core_Ops_Range_Range_Type.t_range usize . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + val invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + val inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true use seq.Seq predicate sorted_range0 [#"../selection_sort_generic.rs" 10 0 10 63] (s : Seq.seq deep_model_ty0) (l : int) (u : int) = 
@@ -491,7 +491,7 @@ module SelectionSortGeneric_SelectionSort val partition0 [#"../selection_sort_generic.rs" 24 0 24 52] (v : Seq.seq deep_model_ty0) (i : int) : bool ensures { result = partition0 v i } - use prelude.Ghost + use prelude.Snapshot function deep_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq deep_model_ty0 = @@ -511,18 +511,18 @@ module SelectionSortGeneric_SelectionSort val shallow_model5 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model5 self } - use prelude.Ghost - function shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + use prelude.Snapshot + function shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t = - [#"../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model5 (Ghost.inner self) - val shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + [#"../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model5 (Snapshot.inner self) + val shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t ensures { result = shallow_model1 self } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_Range_Type.t_range usize) (res : Core_Ops_Range_Range_Type.t_range usize) = 
@@ -545,11 +545,12 @@ module SelectionSortGeneric_SelectionSort requires {inv7 self} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 75 26 75 48] UIntSize.to_int result = Seq.length (shallow_model4 self) } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + + val resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg selection_sort [#"../selection_sort_generic.rs" 30 0 32 29] [@cfg:stackify] [@cfg:subregion_analysis] (v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : () requires {[#"../selection_sort_generic.rs" 30 42 30 43] inv6 v} ensures { [#"../selection_sort_generic.rs" 28 10 28 35] sorted0 (deep_model1 ( ^ v)) } 
@@ -558,28 +559,28 @@ module SelectionSortGeneric_SelectionSort = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = v; - var old_v : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); + var old_v : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); var iter : Core_Ops_Range_Range_Type.t_range usize; var _8 : usize; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range usize); - var produced : Ghost.ghost_ty (Seq.seq usize); + var iter_old : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range usize); + var produced : Snapshot.snap_ty (Seq.seq usize); var _19 : (); var _20 : Core_Option_Option_Type.t_option usize; var _21 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var _22 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var __creusot_proc_iter_elem : usize; - var _25 : Ghost.ghost_ty (Seq.seq usize); + var _25 : Snapshot.snap_ty (Seq.seq usize); var i : usize; var min : usize; var iter1 : Core_Ops_Range_Range_Type.t_range usize; var _34 : usize; - var iter_old1 : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range usize); - var produced1 : Ghost.ghost_ty (Seq.seq usize); + var iter_old1 : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range usize); + var produced1 : Snapshot.snap_ty (Seq.seq usize); var _44 : Core_Option_Option_Type.t_option usize; var _45 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var _46 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var __creusot_proc_iter_elem1 : usize; - var _49 : Ghost.ghost_ty (Seq.seq usize); + var _49 : Snapshot.snap_ty (Seq.seq usize); var j : usize; var _52 : bool; var _54 : t; 
@@ -592,7 +593,7 @@ module SelectionSortGeneric_SelectionSort goto BB0 } BB0 { - [#"../selection_sort_generic.rs" 34 16 34 25] old_v <- ([#"../selection_sort_generic.rs" 34 16 34 25] Ghost.new v); + [#"../selection_sort_generic.rs" 34 16 34 31] old_v <- ([#"../selection_sort_generic.rs" 34 16 34 31] Snapshot.new v); goto BB1 } BB1 { @@ -607,11 +608,11 @@ module SelectionSortGeneric_SelectionSort goto BB3 } BB3 { - [#"../selection_sort_generic.rs" 35 4 35 43] iter_old <- ([#"../selection_sort_generic.rs" 35 4 35 43] Ghost.new iter); + [#"../selection_sort_generic.rs" 35 4 35 43] iter_old <- ([#"../selection_sort_generic.rs" 35 4 35 43] Snapshot.new iter); goto BB4 } BB4 { - [#"../selection_sort_generic.rs" 35 4 35 43] produced <- ([#"../selection_sort_generic.rs" 35 4 35 43] Ghost.new (Seq.empty )); + [#"../selection_sort_generic.rs" 35 4 35 43] produced <- ([#"../selection_sort_generic.rs" 35 4 35 43] Snapshot.new (Seq.empty )); goto BB5 } BB5 { 
@@ -619,10 +620,10 @@ module SelectionSortGeneric_SelectionSort } BB6 { invariant { [#"../selection_sort_generic.rs" 35 4 35 43] inv1 iter }; - invariant { [#"../selection_sort_generic.rs" 35 4 35 43] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; + invariant { [#"../selection_sort_generic.rs" 35 4 35 43] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; invariant { [#"../selection_sort_generic.rs" 35 4 35 43] permutation_of0 (shallow_model0 v) (shallow_model1 old_v) }; - invariant { [#"../selection_sort_generic.rs" 36 16 36 63] sorted_range0 (deep_model0 v) 0 (Seq.length (Ghost.inner produced)) }; - invariant { [#"../selection_sort_generic.rs" 37 16 37 57] partition0 (deep_model0 v) (Seq.length (Ghost.inner produced)) }; + invariant { [#"../selection_sort_generic.rs" 36 16 36 63] sorted_range0 (deep_model0 v) 0 (Seq.length (Snapshot.inner produced)) }; + invariant { [#"../selection_sort_generic.rs" 37 16 37 57] partition0 (deep_model0 v) (Seq.length (Snapshot.inner produced)) }; goto BB7 } BB7 { 
@@ -655,14 +656,14 @@ module SelectionSortGeneric_SelectionSort absurd } BB12 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _20); - [#"../selection_sort_generic.rs" 35 4 35 43] _25 <- ([#"../selection_sort_generic.rs" 35 4 35 43] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _20); + [#"../selection_sort_generic.rs" 35 4 35 43] _25 <- ([#"../selection_sort_generic.rs" 35 4 35 43] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB13 } BB13 { [#"../selection_sort_generic.rs" 35 4 35 43] produced <- ([#"../selection_sort_generic.rs" 35 4 35 43] _25); - [#"../selection_sort_generic.rs" 35 4 35 43] _25 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] i <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem); + [#"../selection_sort_generic.rs" 35 4 35 43] _25 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] i <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem); [#"../selection_sort_generic.rs" 39 22 39 23] min <- ([#"../selection_sort_generic.rs" 39 22 39 23] i); [#"../selection_sort_generic.rs" 43 26 43 33] _34 <- ([#"../selection_sort_generic.rs" 43 26 43 33] len0 ([#"../selection_sort_generic.rs" 43 26 43 27] * v)); goto BB14 
@@ -673,11 +674,11 @@ module SelectionSortGeneric_SelectionSort goto BB15 } BB15 { - [#"../selection_sort_generic.rs" 41 8 41 121] iter_old1 <- ([#"../selection_sort_generic.rs" 41 8 41 121] Ghost.new iter1); + [#"../selection_sort_generic.rs" 41 8 41 121] iter_old1 <- ([#"../selection_sort_generic.rs" 41 8 41 121] Snapshot.new iter1); goto BB16 } BB16 { - [#"../selection_sort_generic.rs" 41 8 41 121] produced1 <- ([#"../selection_sort_generic.rs" 41 8 41 121] Ghost.new (Seq.empty )); + [#"../selection_sort_generic.rs" 41 8 41 121] produced1 <- ([#"../selection_sort_generic.rs" 41 8 41 121] Snapshot.new (Seq.empty )); goto BB17 } BB17 { @@ -685,9 +686,9 @@ module SelectionSortGeneric_SelectionSort } BB18 { invariant { [#"../selection_sort_generic.rs" 41 8 41 121] inv1 iter1 }; - invariant { [#"../selection_sort_generic.rs" 41 8 41 121] produces0 (Ghost.inner iter_old1) (Ghost.inner produced1) iter1 }; - invariant { [#"../selection_sort_generic.rs" 41 8 41 121] forall k : int . UIntSize.to_int i <= k /\ k < Seq.length (Ghost.inner produced1) + UIntSize.to_int i + 1 -> le_log0 (Seq.get (deep_model0 v) (UIntSize.to_int min)) (Seq.get (deep_model0 v) k) }; - invariant { [#"../selection_sort_generic.rs" 42 20 42 64] UIntSize.to_int i <= UIntSize.to_int min /\ UIntSize.to_int min < Seq.length (Ghost.inner produced1) + UIntSize.to_int i + 1 }; + invariant { [#"../selection_sort_generic.rs" 41 8 41 121] produces0 (Snapshot.inner iter_old1) (Snapshot.inner produced1) iter1 }; + invariant { [#"../selection_sort_generic.rs" 41 8 41 121] forall k : int . UIntSize.to_int i <= k /\ k < Seq.length (Snapshot.inner produced1) + UIntSize.to_int i + 1 -> le_log0 (Seq.get (deep_model0 v) (UIntSize.to_int min)) (Seq.get (deep_model0 v) k) }; + invariant { [#"../selection_sort_generic.rs" 42 20 42 64] UIntSize.to_int i <= UIntSize.to_int min /\ UIntSize.to_int min < Seq.length (Snapshot.inner produced1) + UIntSize.to_int i + 1 }; goto BB19 } BB19 { 
@@ -718,14 +719,14 @@ module SelectionSortGeneric_SelectionSort goto BB23 } BB23 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem1 <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _44); - [#"../selection_sort_generic.rs" 41 8 41 121] _49 <- ([#"../selection_sort_generic.rs" 41 8 41 121] Ghost.new (Seq.(++) (Ghost.inner produced1) (Seq.singleton __creusot_proc_iter_elem1))); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem1 <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _44); + [#"../selection_sort_generic.rs" 41 8 41 121] _49 <- ([#"../selection_sort_generic.rs" 41 8 41 121] Snapshot.new (Seq.(++) (Snapshot.inner produced1) (Seq.singleton __creusot_proc_iter_elem1))); goto BB24 } BB24 { [#"../selection_sort_generic.rs" 41 8 41 121] produced1 <- ([#"../selection_sort_generic.rs" 41 8 41 121] _49); - [#"../selection_sort_generic.rs" 41 8 41 121] _49 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] j <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem1); + [#"../selection_sort_generic.rs" 41 8 41 121] _49 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] j <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem1); [#"../selection_sort_generic.rs" 44 16 44 19] _54 <- ([#"../selection_sort_generic.rs" 44 16 44 19] index0 ([#"../selection_sort_generic.rs" 44 15 44 16] * v) ([#"../selection_sort_generic.rs" 44 17 44 18] j)); goto BB25 } 
@@ -770,7 +771,7 @@ module SelectionSortGeneric_SelectionSort BB32 { assert { [@expl:type invariant] inv5 _65 }; assume { resolve3 _65 }; - assert { [@expl:assertion] [#"../selection_sort_generic.rs" 49 8 50 63] let i = Seq.length (Ghost.inner produced) in forall k2 : int . forall k1 : int . 0 <= k1 /\ k1 < i /\ i <= k2 /\ k2 < Seq.length (deep_model0 v) -> le_log0 (Seq.get (deep_model0 v) k1) (Seq.get (deep_model0 v) k2) }; + assert { [@expl:assertion] [#"../selection_sort_generic.rs" 49 8 50 63] let i = Seq.length (Snapshot.inner produced) in forall k2 : int . forall k1 : int . 0 <= k1 /\ k1 < i /\ i <= k2 /\ k2 < Seq.length (deep_model0 v) -> le_log0 (Seq.get (deep_model0 v) k1) (Seq.get (deep_model0 v) k2) }; [#"../selection_sort_generic.rs" 38 24 51 5] _19 <- ([#"../selection_sort_generic.rs" 38 24 51 5] ()); goto BB6 }
diff --git a/creusot/tests/should_succeed/selection_sort_generic.rs b/creusot/tests/should_succeed/selection_sort_generic.rs
index 6beb8d5349..47a92baa7d 100644
--- a/creusot/tests/should_succeed/selection_sort_generic.rs
+++ b/creusot/tests/should_succeed/selection_sort_generic.rs
@@ -31,7 +31,7 @@ pub fn selection_sort(v: &mut Vec)
 where
 T::DeepModelTy: OrdLogic,
 {
- let old_v = gh! { v };
+ let old_v = snapshot! { v };
 #[invariant(v@.permutation_of(old_v@))]
 #[invariant(sorted_range(v.deep_model(), 0, produced.len()))]
 #[invariant(partition(v.deep_model(), produced.len()))]
diff --git a/creusot/tests/should_succeed/sparse_array.mlcfg b/creusot/tests/should_succeed/sparse_array.mlcfg
index f0ab87c15d..05784a95c2 100644
--- a/creusot/tests/should_succeed/sparse_array.mlcfg
+++ b/creusot/tests/should_succeed/sparse_array.mlcfg
@@ -729,7 +729,7 @@ module SparseArray_Impl2_Set val shallow_model1 (self : borrowed (SparseArray_Sparse_Type.t_sparse t)) : Seq.seq (Core_Option_Option_Type.t_option t) ensures { result = shallow_model1 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve4 (self : borrowed (SparseArray_Sparse_Type.t_sparse t)) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve4 (self : borrowed (SparseArray_Sparse_Type.t_sparse t)) : bool @@ -773,11 +773,11 @@ module SparseArray_Impl2_Set ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 136 26 136 55] Seq.length (shallow_model7 ( ^ self)) = Seq.length (shallow_model6 self) } ensures { inv10 result } - predicate resolve2 (self : Ghost.ghost_ty ()) - val resolve2 (self : Ghost.ghost_ty ()) : bool + predicate resolve2 (self : Snapshot.snap_ty ()) + val resolve2 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve2 self } - use prelude.Ghost + use prelude.Snapshot function lemma_permutation0 [#"../sparse_array.rs" 104 4 104 38] (self : SparseArray_Sparse_Type.t_sparse t) (i : int) : () = @@ -859,7 +859,7 @@ module SparseArray_Impl2_Set var index : usize; var _13 : usize; var _21 : usize; - var _25 : Ghost.ghost_ty (); + var _25 : Snapshot.snap_ty (); var _30 : borrowed usize; var _31 : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)); var _34 : borrowed usize; @@ -924,7 +924,7 @@ module SparseArray_Impl2_Set goto BB12 } BB12 { - [#"../sparse_array.rs" 117 12 117 40] _25 <- ([#"../sparse_array.rs" 117 12 117 40] Ghost.new ()); + [#"../sparse_array.rs" 117 12 117 46] _25 <- ([#"../sparse_array.rs" 117 12 117 46] Snapshot.new ()); goto BB13 } BB13 { diff --git a/creusot/tests/should_succeed/sparse_array.rs b/creusot/tests/should_succeed/sparse_array.rs index cff884529a..20fd0adb32 100644 --- a/creusot/tests/should_succeed/sparse_array.rs +++ b/creusot/tests/should_succeed/sparse_array.rs 
@@ -33,7 +33,7 @@ pub struct Sparse {
 impl ShallowModel for Sparse {
     type ShallowModelTy = Seq>;
-    #[ghost]
+    #[logic]
     #[open(self)]
     fn shallow_model(self) -> Self::ShallowModelTy {
         pearlite! {
@@ -68,7 +68,7 @@ impl Sparse {
      * (1) check that array `idx` maps `i` to a index `j` between 0 and `n` (excluded)
      * (2) check that `back[j]` is `i`
      */
-    #[ghost]
+    #[logic]
     fn is_elt(&self, i: Int) -> bool {
         pearlite! {
             self.idx[i]@ < self.n@ && self.back[self.idx[i]@]@ == i
@@ -97,7 +97,7 @@ impl Sparse {
     /* A key lemma to prove for safety of access in `set()` */
-    #[ghost]
+    #[logic]
     #[requires(self.n == self.size)]
     #[requires(0 <= i && i < self.size@)]
     #[ensures(self.is_elt(i))]
@@ -114,7 +114,7 @@ impl Sparse {
         let index = self.idx[i];
         if !(index < self.n && self.back[index] == i) {
             // the hard assertion!
-            gh!(Self::lemma_permutation);
+            snapshot!(Self::lemma_permutation);
             proof_assert!(self.n@ < self.size@);
             // assert!(self.n < self.size);
             self.idx[i] = self.n;
diff --git a/creusot/tests/should_succeed/specification/logic_call.rs b/creusot/tests/should_succeed/specification/logic_call.rs
index 9d75253f5d..db19f7db1f 100644
--- a/creusot/tests/should_succeed/specification/logic_call.rs
+++ b/creusot/tests/should_succeed/specification/logic_call.rs
@@ -2,7 +2,7 @@ extern crate creusot_contracts;
 use creusot_contracts::*;
-#[ghost]
+#[logic]
 fn reflexive(x: T) -> bool {
     pearlite! { x == x }
 }
diff --git a/creusot/tests/should_succeed/specification/logic_functions.rs b/creusot/tests/should_succeed/specification/logic_functions.rs
index b0b2ae096d..553dcb2f8c 100644
--- a/creusot/tests/should_succeed/specification/logic_functions.rs
+++ b/creusot/tests/should_succeed/specification/logic_functions.rs
@@ -1,7 +1,7 @@
 extern crate creusot_contracts;
 use creusot_contracts::{logic::Int, *};
-#[ghost]
+#[logic]
 fn logic() -> bool {
     true
 }
@@ -10,7 +10,7 @@ fn logic() -> bool {
 pub fn use_logic() {}
 // When we want to use pearlite syntax, we use pearlite! macro
-#[ghost]
+#[logic]
 fn logic_pearlite() -> bool {
     pearlite! { 0 == 0 }
 }
@@ -21,7 +21,7 @@ pub fn use_logic_pearlite() {}
 pub mod nested {
     use creusot_contracts::*;
-    #[ghost]
+    #[logic]
     #[open]
     pub fn nested() -> bool {
         true
@@ -29,7 +29,7 @@ pub mod nested {
 }
 #[open]
-#[ghost]
+#[logic]
 pub fn arith(n: Int, b: bool) -> Int {
     if !b {
         -n + n - n * n
@@ -39,7 +39,7 @@ pub fn arith(n: Int, b: bool) -> Int {
 }
 #[open]
-#[ghost]
+#[logic]
 pub fn deref_pat<'a>(o: &'a Option) -> Int {
     match o {
         Some(a) => *a,
diff --git a/creusot/tests/should_succeed/specification/model.rs b/creusot/tests/should_succeed/specification/model.rs
index 2f93c5f6d7..5407192a21 100644
--- a/creusot/tests/should_succeed/specification/model.rs
+++ b/creusot/tests/should_succeed/specification/model.rs
@@ -6,7 +6,7 @@ pub struct Seven();
 impl ShallowModel for Seven {
     type ShallowModelTy = Int;
-    #[ghost]
+    #[logic]
     #[open]
     #[trusted]
     fn shallow_model(self) -> Self::ShallowModelTy {
@@ -25,7 +25,7 @@ pub struct Pair(T, U);
 impl ShallowModel for Pair {
     type ShallowModelTy = (T, U);
-    #[ghost]
+    #[logic]
     #[open]
     #[trusted]
     fn shallow_model(self) -> Self::ShallowModelTy {
diff --git a/creusot/tests/should_succeed/sum.mlcfg b/creusot/tests/should_succeed/sum.mlcfg
index 535bf2c8e5..f2f32e7f16 100644
--- a/creusot/tests/should_succeed/sum.mlcfg
+++ b/creusot/tests/should_succeed/sum.mlcfg
@@ -145,7 +145,7 @@ module Sum_SumFirstN ensures { result = invariant0 self } axiom inv0 : forall x : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32 . inv0 x = true - use prelude.Ghost + use prelude.Snapshot use seq.Seq predicate resolve0 (self : borrowed (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32)) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self
@@ -165,11 +165,11 @@ module Sum_SumFirstN end } ensures { inv3 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32) (res : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32) = @@ -206,13 +206,13 @@ module Sum_SumFirstN var sum : uint32; var iter : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32; var _7 : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32); - var produced : Ghost.ghost_ty (Seq.seq uint32); + var iter_old : Snapshot.snap_ty (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32); + var produced : Snapshot.snap_ty (Seq.seq uint32); var _17 : Core_Option_Option_Type.t_option uint32; var _18 : borrowed (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32); var _19 : borrowed (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32); var __creusot_proc_iter_elem : uint32; - var _22 : Ghost.ghost_ty (Seq.seq uint32); + var _22 : Snapshot.snap_ty (Seq.seq uint32); var i : uint32; { goto BB0 @@ -228,11 +228,11 @@ module Sum_SumFirstN goto BB2 } BB2 { - [#"../sum.rs" 8 4 8 67] iter_old <- ([#"../sum.rs" 8 4 8 67] Ghost.new iter); + [#"../sum.rs" 8 4 8 67] iter_old <- ([#"../sum.rs" 8 4 8 67] Snapshot.new iter); goto BB3 } BB3 { - [#"../sum.rs" 8 4 8 67] produced <- ([#"../sum.rs" 8 4 8 67] Ghost.new (Seq.empty )); + [#"../sum.rs" 8 4 8 67] produced <- ([#"../sum.rs" 8 4 8 67] Snapshot.new (Seq.empty )); goto BB4 } BB4 { 
@@ -240,8 +240,8 @@ module Sum_SumFirstN } BB5 { invariant { [#"../sum.rs" 8 4 8 67] inv0 iter }; - invariant { [#"../sum.rs" 8 4 8 67] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../sum.rs" 8 16 8 65] UInt32.to_int sum = div (Seq.length (Ghost.inner produced) * (Seq.length (Ghost.inner produced) + 1)) 2 }; + invariant { [#"../sum.rs" 8 4 8 67] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../sum.rs" 8 16 8 65] UInt32.to_int sum = div (Seq.length (Snapshot.inner produced) * (Seq.length (Snapshot.inner produced) + 1)) 2 }; goto BB6 } BB6 { 
@@ -272,14 +272,14 @@ module Sum_SumFirstN absurd } BB11 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _17); - [#"../sum.rs" 8 4 8 67] _22 <- ([#"../sum.rs" 8 4 8 67] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _17); + [#"../sum.rs" 8 4 8 67] _22 <- ([#"../sum.rs" 8 4 8 67] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB12 } BB12 { [#"../sum.rs" 8 4 8 67] produced <- ([#"../sum.rs" 8 4 8 67] _22); - [#"../sum.rs" 8 4 8 67] _22 <- any Ghost.ghost_ty (Seq.seq uint32); - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] i <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem); + [#"../sum.rs" 8 4 8 67] _22 <- any Snapshot.snap_ty (Seq.seq uint32); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] i <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem); [#"../sum.rs" 10 8 10 16] sum <- ([#"../sum.rs" 10 8 10 16] sum + ([#"../sum.rs" 10 15 10 16] i)); goto BB5 } diff --git a/creusot/tests/should_succeed/sum_of_odds.mlcfg b/creusot/tests/should_succeed/sum_of_odds.mlcfg index d1612b4d8f..06a4f1687d 100644 --- a/creusot/tests/should_succeed/sum_of_odds.mlcfg +++ b/creusot/tests/should_succeed/sum_of_odds.mlcfg 
@@ -139,7 +139,7 @@ module SumOfOdds_ComputeSumOfOdd ensures { result = invariant0 self } axiom inv0 : forall x : Core_Ops_Range_Range_Type.t_range uint32 . inv0 x = true - use prelude.Ghost + use prelude.Snapshot function sqr0 [#"../sum_of_odds.rs" 7 0 7 21] (x : int) : int = [#"../sum_of_odds.rs" 8 4 8 9] x * x val sqr0 [#"../sum_of_odds.rs" 7 0 7 21] (x : int) : int @@ -184,11 +184,11 @@ module SumOfOdds_ComputeSumOfOdd end } ensures { inv2 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_Range_Type.t_range uint32) (res : Core_Ops_Range_Range_Type.t_range uint32) = @@ -216,13 +216,13 @@ module SumOfOdds_ComputeSumOfOdd var x : uint32 = x; var s : uint32; var iter : Core_Ops_Range_Range_Type.t_range uint32; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range uint32); - var produced : Ghost.ghost_ty (Seq.seq uint32); + var iter_old : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range uint32); + var produced : Snapshot.snap_ty (Seq.seq uint32); var _18 : Core_Option_Option_Type.t_option uint32; var _19 : borrowed (Core_Ops_Range_Range_Type.t_range uint32); var _20 : borrowed (Core_Ops_Range_Range_Type.t_range uint32); var __creusot_proc_iter_elem : uint32; - var _23 : Ghost.ghost_ty (Seq.seq uint32); + var _23 : Snapshot.snap_ty (Seq.seq uint32); var i : uint32; { goto BB0 
@@ -233,11 +233,11 @@ module SumOfOdds_ComputeSumOfOdd goto BB1 } BB1 { - [#"../sum_of_odds.rs" 38 4 38 50] iter_old <- ([#"../sum_of_odds.rs" 38 4 38 50] Ghost.new iter); + [#"../sum_of_odds.rs" 38 4 38 50] iter_old <- ([#"../sum_of_odds.rs" 38 4 38 50] Snapshot.new iter); goto BB2 } BB2 { - [#"../sum_of_odds.rs" 38 4 38 50] produced <- ([#"../sum_of_odds.rs" 38 4 38 50] Ghost.new (Seq.empty )); + [#"../sum_of_odds.rs" 38 4 38 50] produced <- ([#"../sum_of_odds.rs" 38 4 38 50] Snapshot.new (Seq.empty )); goto BB3 } BB3 { @@ -245,8 +245,8 @@ module SumOfOdds_ComputeSumOfOdd } BB4 { invariant { [#"../sum_of_odds.rs" 38 4 38 50] inv0 iter }; - invariant { [#"../sum_of_odds.rs" 38 4 38 50] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../sum_of_odds.rs" 38 16 38 48] UInt32.to_int s = sum_of_odd0 (Seq.length (Ghost.inner produced)) }; + invariant { [#"../sum_of_odds.rs" 38 4 38 50] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../sum_of_odds.rs" 38 16 38 48] UInt32.to_int s = sum_of_odd0 (Seq.length (Snapshot.inner produced)) }; goto BB5 } BB5 { 
@@ -277,14 +277,14 @@ module SumOfOdds_ComputeSumOfOdd absurd } BB10 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _18); - [#"../sum_of_odds.rs" 38 4 38 50] _23 <- ([#"../sum_of_odds.rs" 38 4 38 50] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _18); + [#"../sum_of_odds.rs" 38 4 38 50] _23 <- ([#"../sum_of_odds.rs" 38 4 38 50] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB11 } BB11 { [#"../sum_of_odds.rs" 38 4 38 50] produced <- ([#"../sum_of_odds.rs" 38 4 38 50] _23); - [#"../sum_of_odds.rs" 38 4 38 50] _23 <- any Ghost.ghost_ty (Seq.seq uint32); - [#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] i <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem); + [#"../sum_of_odds.rs" 38 4 38 50] _23 <- any Snapshot.snap_ty (Seq.seq uint32); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] i <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem); assert { [@expl:assertion] [#"../sum_of_odds.rs" 41 12 41 33] let _ = sum_of_odd_is_sqr0 (UInt32.to_int i) in true }; [#"../sum_of_odds.rs" 44 8 44 22] s <- ([#"../sum_of_odds.rs" 44 8 44 22] s + ([#"../sum_of_odds.rs" 44 13 44 22] ([#"../sum_of_odds.rs" 44 13 44 18] ([#"../sum_of_odds.rs" 44 13 44 14] [#"../sum_of_odds.rs" 44 13 44 14] (2 : uint32)) * ([#"../sum_of_odds.rs" 44 17 44 18] i)) + ([#"../sum_of_odds.rs" 44 21 44 22] [#"../sum_of_odds.rs" 44 21 44 22] (1 : uint32)))); goto BB4 
diff --git a/creusot/tests/should_succeed/sum_of_odds.rs b/creusot/tests/should_succeed/sum_of_odds.rs
index f16c467ade..971972807b 100644
--- a/creusot/tests/should_succeed/sum_of_odds.rs
+++ b/creusot/tests/should_succeed/sum_of_odds.rs
@@ -3,7 +3,7 @@ extern crate creusot_contracts;
 use creusot_contracts::{logic::Int, *};
-#[ghost]
+#[logic]
 fn sqr(x: Int) -> Int {
     x * x
 }
@@ -13,7 +13,7 @@ fn is_square(y: Int) -> bool {
     pearlite! { exists y == sqr(z) }
 }
-#[ghost]
+#[logic]
 #[variant(x)]
 fn sum_of_odd(x: Int) -> Int {
     if x <= 0 {
@@ -23,7 +23,7 @@ fn sum_of_odd(x: Int) -> Int {
     }
 }
-#[ghost]
+#[logic]
 #[requires(x >= 0)]
 #[ensures(sum_of_odd(x) == sqr(x))]
 #[variant(x)]
diff --git a/creusot/tests/should_succeed/syntax/02_operators.rs b/creusot/tests/should_succeed/syntax/02_operators.rs
index df0b14bc17..7b0ebbe17f 100644
--- a/creusot/tests/should_succeed/syntax/02_operators.rs
+++ b/creusot/tests/should_succeed/syntax/02_operators.rs
@@ -9,12 +9,12 @@ fn division(x: usize, y: usize) -> usize {
     x / y
 }
-// #[ghost]
+// #[logic]
 // fn division_logic(x : usize, y : usize) -> usize {
 //     x / y
 // }
-#[ghost]
+#[logic]
 fn division_int(x: Int, y: Int) -> Int {
     x / y
 }
@@ -24,12 +24,12 @@ fn modulus(x: usize, y: usize) -> usize {
     x % y
 }
-// #[ghost]
+// #[logic]
 // fn modulus_logic(x : usize, y : usize) -> usize {
 //     x % y
 // }
-#[ghost]
+#[logic]
 fn modulus_int(x: Int, y: Int) -> Int {
     x % y
 }
@@ -39,7 +39,7 @@ fn multiply(x: usize, y: usize) -> usize {
     x * y
 }
-#[ghost]
+#[logic]
 fn multiply_int(x: Int, y: Int) -> Int {
     x * y
 }
@@ -49,12 +49,12 @@ fn add(x: usize, y: usize) -> usize {
     x + y
 }
-#[ghost]
+#[logic]
 fn add_int(x: Int, y: Int) -> Int {
     x + y
 }
-// #[ghost]
+// #[logic]
 // fn add_logic(x : usize, y : usize) -> usize {
 //     x + y
 // }
@@ -64,7 +64,7 @@ fn sub(x: usize, y: usize) -> usize {
     x - y
 }
-#[ghost]
+#[logic]
 fn sub_int(x: Int, y: Int) -> Int {
     x - y
 }
@@ -78,7 +78,7 @@ fn expression(x: usize, y: usize, z: usize) -> bool { x / y * z == (x / y) * z } -#[ghost] +#[logic] #[ensures(result)] fn expression_logic(x: usize, y: usize, z: usize) -> bool { x / y * z == (x / y) * z diff --git a/creusot/tests/should_succeed/syntax/05_pearlite.mlcfg b/creusot/tests/should_succeed/syntax/05_pearlite.mlcfg index 02cec69d8c..9f91579208 100644 --- a/creusot/tests/should_succeed/syntax/05_pearlite.mlcfg +++ b/creusot/tests/should_succeed/syntax/05_pearlite.mlcfg @@ -101,19 +101,19 @@ end module C05Pearlite_GhostClosure use prelude.UInt32 use map.Map - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot use prelude.Mapping use prelude.Int let rec cfg ghost_closure [#"../05_pearlite.rs" 48 0 48 22] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); - var _x : Ghost.ghost_ty (Map.map uint32 uint32); + var _x : Snapshot.snap_ty (Map.map uint32 uint32); { goto BB0 } BB0 { - [#"../05_pearlite.rs" 49 13 49 32] _x <- ([#"../05_pearlite.rs" 49 13 49 32] Ghost.new (Mapping.from_fn (fun (a : uint32) -> a))); + [#"../05_pearlite.rs" 49 13 49 38] _x <- ([#"../05_pearlite.rs" 49 13 49 38] Snapshot.new (Mapping.from_fn (fun (a : uint32) -> a))); goto BB1 } BB1 { @@ -126,8 +126,8 @@ module C05Pearlite_PearliteClosure use prelude.UInt32 use prelude.Int use map.Map - use prelude.Ghost - let rec cfg pearlite_closure [#"../05_pearlite.rs" 52 0 52 54] [@cfg:stackify] [@cfg:subregion_analysis] (_x : Ghost.ghost_ty (Map.map uint32 bool)) : () + use prelude.Snapshot + let rec cfg pearlite_closure [#"../05_pearlite.rs" 52 0 52 57] [@cfg:stackify] [@cfg:subregion_analysis] (_x : Snapshot.snap_ty (Map.map uint32 bool)) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); 
@@ -135,7 +135,7 @@ module C05Pearlite_PearliteClosure goto BB0 } BB0 { - [#"../05_pearlite.rs" 52 55 52 57] _0 <- ([#"../05_pearlite.rs" 52 55 52 57] ()); + [#"../05_pearlite.rs" 52 58 52 60] _0 <- ([#"../05_pearlite.rs" 52 58 52 60] ()); return _0 } @@ -143,26 +143,26 @@ end module C05Pearlite_Caller use prelude.UInt32 use map.Map - use prelude.Ghost + use prelude.Snapshot use prelude.Int - val pearlite_closure0 [#"../05_pearlite.rs" 52 0 52 54] (_x : Ghost.ghost_ty (Map.map uint32 bool)) : () - use prelude.Ghost + val pearlite_closure0 [#"../05_pearlite.rs" 52 0 52 57] (_x : Snapshot.snap_ty (Map.map uint32 bool)) : () + use prelude.Snapshot use prelude.Mapping let rec cfg caller [#"../05_pearlite.rs" 54 0 54 15] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var _1 : (); - var _2 : Ghost.ghost_ty (Map.map uint32 bool); + var _2 : Snapshot.snap_ty (Map.map uint32 bool); { goto BB0 } BB0 { - [#"../05_pearlite.rs" 55 21 55 38] _2 <- ([#"../05_pearlite.rs" 55 21 55 38] Ghost.new (Mapping.from_fn (fun (_a : uint32) -> true))); + [#"../05_pearlite.rs" 55 21 55 44] _2 <- ([#"../05_pearlite.rs" 55 21 55 44] Snapshot.new (Mapping.from_fn (fun (_a : uint32) -> true))); goto BB1 } BB1 { - [#"../05_pearlite.rs" 55 4 55 39] _1 <- ([#"../05_pearlite.rs" 55 4 55 39] pearlite_closure0 _2); - _2 <- any Ghost.ghost_ty (Map.map uint32 bool); + [#"../05_pearlite.rs" 55 4 55 45] _1 <- ([#"../05_pearlite.rs" 55 4 55 45] pearlite_closure0 _2); + _2 <- any Snapshot.snap_ty (Map.map uint32 bool); goto BB2 } BB2 { diff --git a/creusot/tests/should_succeed/syntax/05_pearlite.rs b/creusot/tests/should_succeed/syntax/05_pearlite.rs index 4fb2ab7010..5a9a7612f9 100644 --- a/creusot/tests/should_succeed/syntax/05_pearlite.rs +++ b/creusot/tests/should_succeed/syntax/05_pearlite.rs 
@@ -46,13 +46,13 @@ pub fn field1_is_true(x: B) -> bool {
 }
 pub fn ghost_closure() {
-    let _x = gh! { |a : u32| a };
+    let _x = snapshot! { |a : u32| a };
 }
-pub fn pearlite_closure(_x: Ghost>) {}
+pub fn pearlite_closure(_x: Snapshot>) {}
 pub fn caller() {
-    pearlite_closure(gh! { |_a| true });
+    pearlite_closure(snapshot! { |_a| true });
 }
 // Implicit logical reborrows
@@ -61,20 +61,20 @@ pub struct S {}
 impl S {
     #[open]
-    #[ghost]
+    #[logic]
     pub fn x(&mut self) -> bool {
         true
     }
 }
 #[open]
-#[ghost]
+#[logic]
 pub fn proj(x: &mut (S, S)) -> bool {
     x.0.x()
 }
 #[open]
-#[ghost]
+#[logic]
 pub fn proj2(x: &mut &mut (S, S)) -> bool {
     x.0.x()
 }
@@ -82,43 +82,43 @@ pub fn proj2(x: &mut &mut (S, S)) -> bool {
 // Unnesting through an index projection
 #[open(self)]
-#[ghost]
+#[logic]
 pub fn reborrow_index_projection<'a, 'b, T>(a: &'a mut &'b mut [T]) -> &'a mut T {
     &mut a[0]
 }
 #[open(self)]
-#[ghost]
+#[logic]
 pub fn reborrow_index_projection2<'a, 'b, T>(a: &'a &'b [T]) -> &'a T {
     &a[0]
 }
 #[open(self)]
-#[ghost]
-pub fn test3<'a, T>(a: Ghost<&'a mut Vec>) -> &'a mut T {
+#[logic]
+pub fn test3<'a, T>(a: Snapshot<&'a mut Vec>) -> &'a mut T {
     &mut a[0]
 }
 #[open(self)]
-#[ghost]
-pub fn test4<'a, T>(a: &'a mut Ghost>) -> &'a mut T {
+#[logic]
+pub fn test4<'a, T>(a: &'a mut Snapshot>) -> &'a mut T {
     &mut a[0]
 }
 #[open(self)]
-#[ghost]
+#[logic]
 pub fn test5<'a, T>(a: &'a mut &mut &mut Vec) -> &'a mut T {
     &mut a[0]
 }
 #[open(self)]
-#[ghost]
+#[logic]
 pub fn test6<'a>(a: &'a mut &&mut u32) -> &'a mut u32 {
     &mut ***a
 }
 // Left out until I understand the semantics of `Deref` patterns.
-// #[ghost]
+// #[logic]
 // pub fn proj_opt(x : &mut Option) -> bool {
 //     match x {
 //         Some(a) => a.x(),
diff --git a/creusot/tests/should_succeed/syntax/06_logic_function_contracts.rs b/creusot/tests/should_succeed/syntax/06_logic_function_contracts.rs
index c50a5713e1..83e05c9327 100644
--- a/creusot/tests/should_succeed/syntax/06_logic_function_contracts.rs
+++ b/creusot/tests/should_succeed/syntax/06_logic_function_contracts.rs
@@ -5,7 +5,7 @@ use creusot_contracts::{
 };
 #[open]
-#[ghost]
+#[logic]
 #[variant(seq.len())]
 pub fn sum(seq: Seq) -> Int {
     pearlite! {
diff --git a/creusot/tests/should_succeed/syntax/08_const.rs b/creusot/tests/should_succeed/syntax/08_const.rs
index 64a8d80210..97410d4ccb 100644
--- a/creusot/tests/should_succeed/syntax/08_const.rs
+++ b/creusot/tests/should_succeed/syntax/08_const.rs
@@ -2,7 +2,7 @@ extern crate creusot_contracts;
 use creusot_contracts::{logic::Seq, *};
 #[open]
-#[ghost]
+#[logic]
 pub fn omg() -> Seq {
     Seq::EMPTY
 }
diff --git a/creusot/tests/should_succeed/syntax/12_ghost_code.mlcfg b/creusot/tests/should_succeed/syntax/12_ghost_code.mlcfg
index 804220981f..f9dfc6f983 100644
--- a/creusot/tests/should_succeed/syntax/12_ghost_code.mlcfg
+++ b/creusot/tests/should_succeed/syntax/12_ghost_code.mlcfg
@@ -2,24 +2,24 @@ module C12GhostCode_GhostArg use prelude.UInt32 use prelude.Int - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - let rec cfg ghost_arg [#"../12_ghost_code.rs" 4 0 4 31] [@cfg:stackify] [@cfg:subregion_analysis] (g : Ghost.ghost_ty uint32) : () + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + let rec cfg ghost_arg [#"../12_ghost_code.rs" 4 0 4 34] [@cfg:stackify] [@cfg:subregion_analysis] (g : Snapshot.snap_ty uint32) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); - var g : Ghost.ghost_ty uint32 = g; - var _x : Ghost.ghost_ty uint32; + var g : Snapshot.snap_ty uint32 = g; + var _x : Snapshot.snap_ty uint32; { goto BB0 } BB0 { - [#"../12_ghost_code.rs" 5 25 5 35] _x <- ([#"../12_ghost_code.rs" 5 25 5 35] Ghost.new (Ghost.inner g)); + [#"../12_ghost_code.rs" 5 28 5 44] _x <- ([#"../12_ghost_code.rs" 5 28 5 44] Snapshot.new (Snapshot.inner g)); goto BB1 } BB1 { - [#"../12_ghost_code.rs" 4 32 6 1] _0 <- ([#"../12_ghost_code.rs" 4 32 6 1] ()); + [#"../12_ghost_code.rs" 4 35 6 1] _0 <- ([#"../12_ghost_code.rs" 4 35 6 1] ()); return _0 } @@ -100,8 +100,8 @@ module C12GhostCode_GhostVec ensures { result = invariant0 self } axiom inv0 : forall x : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . inv0 x = true - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot predicate resolve1 (self : uint32) = [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve1 (self : uint32) : bool @@ -128,7 +128,7 @@ module C12GhostCode_GhostVec = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var x : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global); - var _s : Ghost.ghost_ty (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)); + var _s : Snapshot.snap_ty (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)); { goto BB0 } 
@@ -138,7 +138,7 @@ module C12GhostCode_GhostVec } BB1 { assume { resolve0 x }; - [#"../12_ghost_code.rs" 10 32 10 41] _s <- ([#"../12_ghost_code.rs" 10 32 10 41] Ghost.new x); + [#"../12_ghost_code.rs" 10 35 10 50] _s <- ([#"../12_ghost_code.rs" 10 35 10 50] Snapshot.new x); goto BB2 } BB2 { @@ -153,9 +153,9 @@ end module C12GhostCode_GhostCopy use prelude.Int32 use seq.Seq - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot use seq.Seq use seq.Seq use prelude.Int @@ -163,23 +163,23 @@ module C12GhostCode_GhostCopy = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var a : int32; - var _s : Ghost.ghost_ty (Seq.seq int32); - var _4 : Ghost.ghost_ty (Seq.seq int32); + var _s : Snapshot.snap_ty (Seq.seq int32); + var _4 : Snapshot.snap_ty (Seq.seq int32); { goto BB0 } BB0 { [#"../12_ghost_code.rs" 18 12 18 13] a <- ([#"../12_ghost_code.rs" 18 12 18 13] [#"../12_ghost_code.rs" 18 12 18 13] (0 : int32)); - [#"../12_ghost_code.rs" 19 17 19 46] _s <- ([#"../12_ghost_code.rs" 19 17 19 46] Ghost.new (Seq.snoc (Seq.empty ) (0 : int32))); + [#"../12_ghost_code.rs" 19 17 19 52] _s <- ([#"../12_ghost_code.rs" 19 17 19 52] Snapshot.new (Seq.snoc (Seq.empty ) (0 : int32))); goto BB1 } BB1 { - [#"../12_ghost_code.rs" 20 9 20 27] _4 <- ([#"../12_ghost_code.rs" 20 9 20 27] Ghost.new (Seq.snoc (Ghost.inner _s) a)); + [#"../12_ghost_code.rs" 20 9 20 33] _4 <- ([#"../12_ghost_code.rs" 20 9 20 33] Snapshot.new (Seq.snoc (Snapshot.inner _s) a)); goto BB2 } BB2 { - [#"../12_ghost_code.rs" 20 4 20 27] _s <- ([#"../12_ghost_code.rs" 20 4 20 27] _4); - [#"../12_ghost_code.rs" 20 4 20 27] _4 <- any Ghost.ghost_ty (Seq.seq int32); + [#"../12_ghost_code.rs" 20 4 20 33] _s <- ([#"../12_ghost_code.rs" 20 4 20 33] _4); + [#"../12_ghost_code.rs" 20 4 20 33] _4 <- any Snapshot.snap_ty (Seq.seq int32); [#"../12_ghost_code.rs" 17 20 21 1] _0 <- ([#"../12_ghost_code.rs" 17 20 21 1] ()); return _0 } 
@@ -188,8 +188,8 @@ end module C12GhostCode_GhostIsCopy use prelude.Int32 use prelude.Borrow - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot predicate resolve0 (self : borrowed int32) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed int32) : bool @@ -201,9 +201,9 @@ module C12GhostCode_GhostIsCopy var _0 : (); var x : int32; var r : borrowed int32; - var g : Ghost.ghost_ty (borrowed int32); - var g1 : Ghost.ghost_ty (borrowed int32); - var g2 : Ghost.ghost_ty (borrowed int32); + var g : Snapshot.snap_ty (borrowed int32); + var g1 : Snapshot.snap_ty (borrowed int32); + var g2 : Snapshot.snap_ty (borrowed int32); { goto BB0 } @@ -212,7 +212,7 @@ module C12GhostCode_GhostIsCopy [#"../12_ghost_code.rs" 25 12 25 18] r <- Borrow.borrow_mut x; [#"../12_ghost_code.rs" 25 12 25 18] x <- ^ r; assume { resolve0 r }; - [#"../12_ghost_code.rs" 26 12 26 21] g <- ([#"../12_ghost_code.rs" 26 12 26 21] Ghost.new r); + [#"../12_ghost_code.rs" 26 12 26 27] g <- ([#"../12_ghost_code.rs" 26 12 26 27] Snapshot.new r); goto BB1 } BB1 { @@ -292,7 +292,7 @@ module C12GhostCode_GhostCheck ensures { result = invariant0 self } axiom inv0 : forall x : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . inv0 x = true - use prelude.Ghost + use prelude.Snapshot predicate resolve1 (self : int32) = [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve1 (self : int32) : bool @@ -333,7 +333,7 @@ module C12GhostCode_GhostCheck requires {inv2 value} ensures { [#"../../../../../creusot-contracts/src/std/vec.rs" 78 26 78 51] shallow_model0 ( ^ self) = Seq.snoc (shallow_model1 self) value } - use prelude.Ghost + use prelude.Snapshot function logi_drop0 [#"../12_ghost_code.rs" 33 0 33 21] (_1 : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : () = 
@@ -349,7 +349,7 @@ module C12GhostCode_GhostCheck = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var x : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); - var _2 : Ghost.ghost_ty (); + var _2 : Snapshot.snap_ty (); var _4 : (); var _5 : borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); var _8 : usize; @@ -361,7 +361,7 @@ module C12GhostCode_GhostCheck goto BB1 } BB1 { - [#"../12_ghost_code.rs" 39 4 39 25] _2 <- ([#"../12_ghost_code.rs" 39 4 39 25] Ghost.new (let _ = logi_drop0 x in ())); + [#"../12_ghost_code.rs" 39 4 39 31] _2 <- ([#"../12_ghost_code.rs" 39 4 39 31] Snapshot.new (let _ = logi_drop0 x in ())); goto BB2 } BB2 { @@ -397,16 +397,16 @@ module C12GhostCode_GhostCheck end module C12GhostCode_MyStruct_Type use prelude.UInt32 - use prelude.Ghost + use prelude.Snapshot use prelude.Int type t_mystruct = - | C_MyStruct uint32 (Ghost.ghost_ty uint32) + | C_MyStruct uint32 (Snapshot.snap_ty uint32) let function mystruct_f (self : t_mystruct) : uint32 = [@vc:do_not_keep_trace] [@vc:sp] match self with | C_MyStruct a _ -> a end - let function mystruct_g (self : t_mystruct) : Ghost.ghost_ty uint32 = [@vc:do_not_keep_trace] [@vc:sp] + let function mystruct_g (self : t_mystruct) : Snapshot.snap_ty uint32 = [@vc:do_not_keep_trace] [@vc:sp] match self with | C_MyStruct _ a -> a end 
@@ -421,15 +421,15 @@ module C12GhostCode_TakesStruct val shallow_model1 (self : uint32) : int ensures { result = shallow_model1 self } - use prelude.Ghost - use prelude.Ghost - function shallow_model0 (self : Ghost.ghost_ty uint32) : int = - [#"../../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model1 (Ghost.inner self) - val shallow_model0 (self : Ghost.ghost_ty uint32) : int + use prelude.Snapshot + use prelude.Snapshot + function shallow_model0 (self : Snapshot.snap_ty uint32) : int = + [#"../../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model1 (Snapshot.inner self) + val shallow_model0 (self : Snapshot.snap_ty uint32) : int ensures { result = shallow_model0 self } use prelude.Int - use prelude.Ghost + use prelude.Snapshot use C12GhostCode_MyStruct_Type as C12GhostCode_MyStruct_Type let rec cfg takes_struct [#"../12_ghost_code.rs" 52 0 52 36] [@cfg:stackify] [@cfg:subregion_analysis] (x : C12GhostCode_MyStruct_Type.t_mystruct) : () requires {[#"../12_ghost_code.rs" 51 11 51 20] shallow_model0 (C12GhostCode_MyStruct_Type.mystruct_g x) = 0} 
@@ -437,17 +437,17 @@ module C12GhostCode_TakesStruct = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var x : C12GhostCode_MyStruct_Type.t_mystruct = x; - var _3 : Ghost.ghost_ty uint32; + var _3 : Snapshot.snap_ty uint32; { goto BB0 } BB0 { - [#"../12_ghost_code.rs" 53 10 53 21] _3 <- ([#"../12_ghost_code.rs" 53 10 53 21] Ghost.new (C12GhostCode_MyStruct_Type.mystruct_f x)); + [#"../12_ghost_code.rs" 53 10 53 27] _3 <- ([#"../12_ghost_code.rs" 53 10 53 27] Snapshot.new (C12GhostCode_MyStruct_Type.mystruct_f x)); goto BB1 } BB1 { - [#"../12_ghost_code.rs" 53 4 53 21] x <- (let C12GhostCode_MyStruct_Type.C_MyStruct x0 x1 = x in C12GhostCode_MyStruct_Type.C_MyStruct x0 ([#"../12_ghost_code.rs" 53 4 53 21] _3)); - [#"../12_ghost_code.rs" 53 4 53 21] _3 <- any Ghost.ghost_ty uint32; + [#"../12_ghost_code.rs" 53 4 53 27] x <- (let C12GhostCode_MyStruct_Type.C_MyStruct x0 x1 = x in C12GhostCode_MyStruct_Type.C_MyStruct x0 ([#"../12_ghost_code.rs" 53 4 53 27] _3)); + [#"../12_ghost_code.rs" 53 4 53 27] _3 <- any Snapshot.snap_ty uint32; [#"../12_ghost_code.rs" 52 37 54 1] _0 <- ([#"../12_ghost_code.rs" 52 37 54 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/syntax/12_ghost_code.rs b/creusot/tests/should_succeed/syntax/12_ghost_code.rs index a4dfc8143b..206fed9302 100644 --- a/creusot/tests/should_succeed/syntax/12_ghost_code.rs +++ b/creusot/tests/should_succeed/syntax/12_ghost_code.rs 
@@ -1,42 +1,42 @@
 extern crate creusot_contracts;
 use creusot_contracts::{logic::Seq, *};
-pub fn ghost_arg(g: Ghost) {
-    let _x: Ghost = gh! { *g };
+pub fn ghost_arg(g: Snapshot) {
+    let _x: Snapshot = snapshot! { *g };
 }
 pub fn ghost_vec() {
     let x: Vec = Vec::new();
-    let mut _s: Ghost> = gh! { x };
+    let mut _s: Snapshot> = snapshot! { x };
 }
 #[open]
-#[ghost]
+#[logic]
 pub fn omg() {}
 pub fn ghost_copy() {
     let a = 0;
-    let mut _s = gh! { Seq::EMPTY.push(0i32) };
-    _s = gh! { _s.push(a) };
+    let mut _s = snapshot! { Seq::EMPTY.push(0i32) };
+    _s = snapshot! { _s.push(a) };
 }
 pub fn ghost_is_copy() {
     let mut x = 0;
     let r = &mut x;
-    let g = gh! { r };
+    let g = snapshot! { r };
     let g1 = g;
     let g2 = g;
     proof_assert!(g1 == g2);
 }
-#[ghost]
+#[logic]
 fn logi_drop(_: T) {}
 pub fn ghost_check() {
     let mut x = Vec::new();
     // We ghost capture the value and then drop it without affecting program
-    gh! { logi_drop(x); };
+    snapshot! { logi_drop(x); };
     x.push(0);
@@ -45,10 +45,10 @@ pub fn ghost_check() {
 pub struct MyStruct {
     f: u32,
-    g: Ghost,
+    g: Snapshot,
 }
 #[requires(x.g@ == 0)]
 pub fn takes_struct(mut x: MyStruct) {
-    x.g = gh! { x.f };
+    x.g = snapshot! { x.f };
 }
diff --git a/creusot/tests/should_succeed/syntax/13_vec_macro.mlcfg b/creusot/tests/should_succeed/syntax/13_vec_macro.mlcfg
index f71e01f3b3..9a00153f23 100644
--- a/creusot/tests/should_succeed/syntax/13_vec_macro.mlcfg
+++ b/creusot/tests/should_succeed/syntax/13_vec_macro.mlcfg
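Review bot: The context comment `// We ghost capture the value and then drop it without affecting program` in `ghost_check` is left describing a ghost operation while the line it annotates now reads `snapshot! { logi_drop(x); };`, so the comment and the call no longer use the same vocabulary. Since this commit appears to be separating the `snapshot!`/`Snapshot` naming from the former `gh!`/`Ghost` one, I would reword it to `// Snapshot the value and drop it in logic only, without affecting the program`. The `ghost_*` function names and the file name `12_ghost_code.rs` carry the same stale term; whether those are worth renaming depends on whether "ghost" is being reserved for something else, which this hunk alone does not show. The body of `ghost_check` continues past the end of this hunk.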
@@ -237,7 +237,7 @@ module C13VecMacro_X goto BB6 } BB6 { - [#"../13_vec_macro.rs" 12 13 12 26] v2 <- ([#"../13_vec_macro.rs" 12 13 12 26] into_vec0 ([#"../../../../../creusot-contracts/src/lib.rs" 254 47 254 56] let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = ([#"../13_vec_macro.rs" 12 18 12 19] [#"../13_vec_macro.rs" 12 18 12 19] (1 : int32))}; assume {Seq.get (__arr_temp.elts) 1 = ([#"../13_vec_macro.rs" 12 21 12 22] [#"../13_vec_macro.rs" 12 21 12 22] (2 : int32))}; assume {Seq.get (__arr_temp.elts) 2 = ([#"../13_vec_macro.rs" 12 24 12 25] [#"../13_vec_macro.rs" 12 24 12 25] (3 : int32))}; assume {Slice.length __arr_temp = 3}; __arr_temp)); + [#"../13_vec_macro.rs" 12 13 12 26] v2 <- ([#"../13_vec_macro.rs" 12 13 12 26] into_vec0 ([#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = ([#"../13_vec_macro.rs" 12 18 12 19] [#"../13_vec_macro.rs" 12 18 12 19] (1 : int32))}; assume {Seq.get (__arr_temp.elts) 1 = ([#"../13_vec_macro.rs" 12 21 12 22] [#"../13_vec_macro.rs" 12 21 12 22] (2 : int32))}; assume {Seq.get (__arr_temp.elts) 2 = ([#"../13_vec_macro.rs" 12 24 12 25] [#"../13_vec_macro.rs" 12 24 12 25] (3 : int32))}; assume {Slice.length __arr_temp = 3}; __arr_temp)); goto BB7 } BB7 { diff --git a/creusot/tests/should_succeed/syntax/derive_macros.rs b/creusot/tests/should_succeed/syntax/derive_macros.rs index fc85641c23..063e18b6ff 100644 --- a/creusot/tests/should_succeed/syntax/derive_macros.rs +++ b/creusot/tests/should_succeed/syntax/derive_macros.rs @@ -19,7 +19,7 @@ where type DeepModelTy = Product; #[open] - #[ghost] + #[logic] fn deep_model(self) -> Self::DeepModelTy { Product { a: self.a.deep_model(), b: self.b.deep_model() } } @@ -35,7 +35,7 @@ impl DeepModel for Sum { type DeepModelTy = Sum; #[open] - #[ghost] + #[logic] fn deep_model(self) -> Self::DeepModelTy { match self { Sum::A(a) => Sum::A(a.deep_model()), 
diff --git a/creusot/tests/should_succeed/traits/08.rs b/creusot/tests/should_succeed/traits/08.rs index 850aa34efb..4d3040d412 100644 --- a/creusot/tests/should_succeed/traits/08.rs +++ b/creusot/tests/should_succeed/traits/08.rs @@ -5,7 +5,7 @@ use creusot_contracts::{logic::Int, *}; // Ensure that different kinds of functions are translated to the // correct abstract symbol in Rust pub trait Tr { - #[ghost] + #[logic] fn logical(&self) -> Int; #[predicate] fn predicate(&self) -> bool; diff --git a/creusot/tests/should_succeed/traits/11.rs b/creusot/tests/should_succeed/traits/11.rs index 0a8a8ef20f..faf81bba58 100644 --- a/creusot/tests/should_succeed/traits/11.rs +++ b/creusot/tests/should_succeed/traits/11.rs @@ -3,7 +3,7 @@ extern crate creusot_contracts; use creusot_contracts::*; #[open] -#[ghost] +#[logic] pub fn id(x: T) -> T { x } diff --git a/creusot/tests/should_succeed/traits/12_default_method.rs b/creusot/tests/should_succeed/traits/12_default_method.rs index fd408f3743..963d97a8d2 100644 --- a/creusot/tests/should_succeed/traits/12_default_method.rs +++ b/creusot/tests/should_succeed/traits/12_default_method.rs @@ -8,7 +8,7 @@ pub trait T { } #[open] - #[ghost] + #[logic] fn logic_default(self) -> bool { true } diff --git a/creusot/tests/should_succeed/traits/14_assoc_in_logic.rs b/creusot/tests/should_succeed/traits/14_assoc_in_logic.rs index 7c51cac64c..021306e5fa 100644 --- a/creusot/tests/should_succeed/traits/14_assoc_in_logic.rs +++ b/creusot/tests/should_succeed/traits/14_assoc_in_logic.rs @@ -6,13 +6,13 @@ pub trait Assoc { type Ty; } -#[ghost] +#[logic] #[trusted] fn from_ty(_x: T::Ty) -> T { absurd } -#[ghost] +#[logic] #[trusted] fn to_ty(_x: T) -> T::Ty { absurd diff --git a/creusot/tests/should_succeed/traits/15_impl_interfaces.rs b/creusot/tests/should_succeed/traits/15_impl_interfaces.rs index a2bf356bc0..e02030aff1 100644 --- a/creusot/tests/should_succeed/traits/15_impl_interfaces.rs 
+++ b/creusot/tests/should_succeed/traits/15_impl_interfaces.rs @@ -14,7 +14,7 @@ impl Tr for () { } #[trusted] -#[ghost] +#[logic] fn x(_x: T) -> T::A { absurd } diff --git a/creusot/tests/should_succeed/traits/16_impl_cloning.rs b/creusot/tests/should_succeed/traits/16_impl_cloning.rs index 9fbe4d93aa..d9e0ab5aaa 100644 --- a/creusot/tests/should_succeed/traits/16_impl_cloning.rs +++ b/creusot/tests/should_succeed/traits/16_impl_cloning.rs @@ -6,7 +6,7 @@ pub struct Vec(std::vec::Vec); impl ShallowModel for Vec { type ShallowModelTy = Seq; #[open] - #[ghost] + #[logic] #[trusted] fn shallow_model(self) -> Self::ShallowModelTy { absurd diff --git a/creusot/tests/should_succeed/traits/18_trait_laws.rs b/creusot/tests/should_succeed/traits/18_trait_laws.rs index c03d1b3103..b63d2eca86 100644 --- a/creusot/tests/should_succeed/traits/18_trait_laws.rs +++ b/creusot/tests/should_succeed/traits/18_trait_laws.rs @@ -2,7 +2,7 @@ extern crate creusot_contracts; use creusot_contracts::*; pub trait Symmetric { - #[ghost] + #[logic] fn op(self, _: Self) -> Self; #[law] @@ -11,7 +11,7 @@ pub trait Symmetric { } #[open] -#[ghost] +#[logic] #[ensures(result == true)] pub fn uses_op(x: T, y: T) -> bool { pearlite! { x.op(y) == y.op(x) } @@ -19,7 +19,7 @@ pub fn uses_op(x: T, y: T) -> bool { impl Symmetric for () { #[open] - #[ghost] + #[logic] fn op(self, _: Self) -> Self { () } @@ -31,7 +31,7 @@ impl Symmetric for () { } #[open] -#[ghost] +#[logic] #[ensures(result == true)] pub fn impl_laws() -> bool { pearlite! { ().op(()) == ().op(()) } diff --git a/creusot/tests/should_succeed/vector/01.mlcfg b/creusot/tests/should_succeed/vector/01.mlcfg index c58d4a4ba2..3312b54666 100644 --- a/creusot/tests/should_succeed/vector/01.mlcfg +++ b/creusot/tests/should_succeed/vector/01.mlcfg 
@@ -218,7 +218,7 @@ module C01_AllZero ensures { result = invariant0 self } axiom inv0 : forall x : Core_Ops_Range_Range_Type.t_range usize . inv0 x = true - use prelude.Ghost + use prelude.Snapshot predicate resolve2 (self : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))) : bool @@ -289,7 +289,7 @@ module C01_AllZero val index_logic0 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) (ix : int) : uint32 ensures { result = index_logic0 self ix } - use prelude.Ghost + use prelude.Snapshot function shallow_model5 (self : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))) : Seq.seq uint32 = 
@@ -297,18 +297,18 @@ module C01_AllZero val shallow_model5 (self : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))) : Seq.seq uint32 ensures { result = shallow_model5 self } - use prelude.Ghost - function shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq uint32 + use prelude.Snapshot + function shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq uint32 = - [#"../../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model5 (Ghost.inner self) - val shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq uint32 + [#"../../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model5 (Snapshot.inner self) + val shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq uint32 ensures { result = shallow_model1 self } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_Range_Type.t_range usize) (res : Core_Ops_Range_Range_Type.t_range usize) = 
@@ -336,7 +336,7 @@ module C01_AllZero requires {inv1 self} ensures { [#"../../../../../creusot-contracts/src/std/vec.rs" 75 26 75 48] UIntSize.to_int result = Seq.length (shallow_model4 self) } - use prelude.Ghost + use prelude.Snapshot let rec cfg all_zero [#"../01.rs" 7 0 7 33] [@cfg:stackify] [@cfg:subregion_analysis] (v : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))) : () ensures { [#"../01.rs" 5 0 5 73] forall i : int . 0 <= i /\ i < Seq.length (shallow_model2 ( ^ v)) -> index_logic0 ( ^ v) i = (0 : uint32) } ensures { [#"../01.rs" 6 10 6 33] Seq.length (shallow_model0 v) = Seq.length (shallow_model2 ( ^ v)) } @@ -344,16 +344,16 @@ module C01_AllZero = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var v : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = v; - var old_v : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))); + var old_v : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))); var iter : Core_Ops_Range_Range_Type.t_range usize; var _8 : usize; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range usize); - var produced : Ghost.ghost_ty (Seq.seq usize); + var iter_old : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range usize); + var produced : Snapshot.snap_ty (Seq.seq usize); var _19 : Core_Option_Option_Type.t_option usize; var _20 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var _21 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var __creusot_proc_iter_elem : usize; - var _24 : Ghost.ghost_ty (Seq.seq usize); + var _24 : Snapshot.snap_ty (Seq.seq usize); var i : usize; var _27 : borrowed uint32; var _28 : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)); 
@@ -361,7 +361,7 @@ module C01_AllZero goto BB0 } BB0 { - [#"../01.rs" 8 16 8 25] old_v <- ([#"../01.rs" 8 16 8 25] Ghost.new v); + [#"../01.rs" 8 16 8 31] old_v <- ([#"../01.rs" 8 16 8 31] Snapshot.new v); goto BB1 } BB1 { @@ -374,11 +374,11 @@ module C01_AllZero goto BB3 } BB3 { - [#"../01.rs" 9 4 9 42] iter_old <- ([#"../01.rs" 9 4 9 42] Ghost.new iter); + [#"../01.rs" 9 4 9 42] iter_old <- ([#"../01.rs" 9 4 9 42] Snapshot.new iter); goto BB4 } BB4 { - [#"../01.rs" 9 4 9 42] produced <- ([#"../01.rs" 9 4 9 42] Ghost.new (Seq.empty )); + [#"../01.rs" 9 4 9 42] produced <- ([#"../01.rs" 9 4 9 42] Snapshot.new (Seq.empty )); goto BB5 } BB5 { @@ -386,9 +386,9 @@ module C01_AllZero } BB6 { invariant { [#"../01.rs" 9 4 9 42] inv0 iter }; - invariant { [#"../01.rs" 9 4 9 42] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; + invariant { [#"../01.rs" 9 4 9 42] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; invariant { [#"../01.rs" 9 16 9 40] Seq.length (shallow_model0 v) = Seq.length (shallow_model1 old_v) }; - invariant { [#"../01.rs" 9 4 9 42] forall j : int . 0 <= j /\ j < Seq.length (Ghost.inner produced) -> index_logic0 ( * v) j = (0 : uint32) }; + invariant { [#"../01.rs" 9 4 9 42] forall j : int . 0 <= j /\ j < Seq.length (Snapshot.inner produced) -> index_logic0 ( * v) j = (0 : uint32) }; goto BB7 } BB7 { 
@@ -421,14 +421,14 @@ module C01_AllZero absurd } BB12 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _19); - [#"../01.rs" 9 4 9 42] _24 <- ([#"../01.rs" 9 4 9 42] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _19); + [#"../01.rs" 9 4 9 42] _24 <- ([#"../01.rs" 9 4 9 42] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB13 } BB13 { [#"../01.rs" 9 4 9 42] produced <- ([#"../01.rs" 9 4 9 42] _24); - [#"../01.rs" 9 4 9 42] _24 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] i <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem); + [#"../01.rs" 9 4 9 42] _24 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] i <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem); [#"../01.rs" 12 8 12 9] _28 <- Borrow.borrow_mut ( * v); [#"../01.rs" 12 8 12 9] v <- { v with current = ( ^ _28) ; }; [#"../01.rs" 12 9 12 12] _27 <- ([#"../01.rs" 12 9 12 12] index_mut0 _28 ([#"../01.rs" 12 10 12 11] i)); diff --git a/creusot/tests/should_succeed/vector/01.rs b/creusot/tests/should_succeed/vector/01.rs index 2e01e398f1..89966fb772 100644 --- a/creusot/tests/should_succeed/vector/01.rs +++ b/creusot/tests/should_succeed/vector/01.rs 
@@ -5,7 +5,7 @@ use creusot_contracts::{logic::Int, *}; #[ensures(forall 0 <= i && i < (^v)@.len() ==> (^v)[i] == 0u32)] #[ensures(v@.len() == (^v)@.len())] pub fn all_zero(v: &mut Vec) { - let old_v = gh! { v }; + let old_v = snapshot! { v }; #[invariant(v@.len() == old_v@.len())] #[invariant(forall 0 <= j && j < produced.len() ==> v[j] == 0u32)] for i in 0..v.len() { diff --git a/creusot/tests/should_succeed/vector/02_gnome.mlcfg b/creusot/tests/should_succeed/vector/02_gnome.mlcfg index 1701594573..92097f2ad8 100644 --- a/creusot/tests/should_succeed/vector/02_gnome.mlcfg +++ b/creusot/tests/should_succeed/vector/02_gnome.mlcfg 
@@ -246,17 +246,17 @@ module C02Gnome_GnomeSort ensures { result = inv1 _x } axiom inv1 : forall x : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + val invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + val inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true use seq.Seq predicate sorted_range0 [#"../02_gnome.rs" 9 0 9 63] (s : Seq.seq deep_model_ty0) (l : int) (u : int) = [#"../02_gnome.rs" 10 4 12 5] forall j : int . forall i : int . l <= i /\ i < j /\ j < u -> le_log0 (Seq.get s i) (Seq.get s j) 
@@ -380,12 +380,12 @@ module C02Gnome_GnomeSort val shallow_model4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model4 self } - use prelude.Ghost - function shallow_model2 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + use prelude.Snapshot + function shallow_model2 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t = - [#"../../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model4 (Ghost.inner self) - val shallow_model2 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + [#"../../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model4 (Snapshot.inner self) + val shallow_model2 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t ensures { result = shallow_model2 self } function deep_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq deep_model_ty0 
@@ -395,11 +395,12 @@ module C02Gnome_GnomeSort val deep_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq deep_model_ty0 ensures { result = deep_model0 self } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + + val resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg gnome_sort [#"../02_gnome.rs" 22 0 24 29] [@cfg:stackify] [@cfg:subregion_analysis] (v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : () requires {[#"../02_gnome.rs" 22 38 22 39] inv1 v} ensures { [#"../02_gnome.rs" 20 10 20 35] sorted0 (deep_model1 ( ^ v)) } @@ -408,7 +409,7 @@ module C02Gnome_GnomeSort = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = v; - var old_v : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); + var old_v : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); var i : usize; var _9 : (); var _12 : usize; @@ -424,7 +425,7 @@ module C02Gnome_GnomeSort goto BB0 } BB0 { - [#"../02_gnome.rs" 26 16 26 25] old_v <- ([#"../02_gnome.rs" 26 16 26 25] Ghost.new v); + [#"../02_gnome.rs" 26 16 26 31] old_v <- ([#"../02_gnome.rs" 26 16 26 31] Snapshot.new v); goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/vector/02_gnome.rs b/creusot/tests/should_succeed/vector/02_gnome.rs index 208058d019..02171fbeff 100644 --- a/creusot/tests/should_succeed/vector/02_gnome.rs 
+++ b/creusot/tests/should_succeed/vector/02_gnome.rs @@ -23,7 +23,7 @@ pub fn gnome_sort(v: &mut Vec) where T::DeepModelTy: OrdLogic, { - let old_v = gh! { v }; + let old_v = snapshot! { v }; let mut i = 0; #[invariant(sorted_range(v.deep_model(), 0, i@))] #[invariant(v@.permutation_of(old_v@))] diff --git a/creusot/tests/should_succeed/vector/03_knuth_shuffle.mlcfg b/creusot/tests/should_succeed/vector/03_knuth_shuffle.mlcfg index 5620a338cb..727bb57ea0 100644 --- a/creusot/tests/should_succeed/vector/03_knuth_shuffle.mlcfg +++ b/creusot/tests/should_succeed/vector/03_knuth_shuffle.mlcfg 
@@ -214,17 +214,17 @@ module C03KnuthShuffle_KnuthShuffle ensures { result = invariant1 self } axiom inv1 : forall x : Core_Ops_Range_Range_Type.t_range usize . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + val invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + val inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true predicate resolve3 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve3 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool 
@@ -301,18 +301,18 @@ module C03KnuthShuffle_KnuthShuffle val shallow_model5 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model5 self } - use prelude.Ghost - function shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + use prelude.Snapshot + function shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t = - [#"../../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model5 (Ghost.inner self) - val shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + [#"../../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model5 (Snapshot.inner self) + val shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t ensures { result = shallow_model1 self } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_Range_Type.t_range usize) (res : Core_Ops_Range_Range_Type.t_range usize) = 
@@ -340,11 +340,12 @@ module C03KnuthShuffle_KnuthShuffle requires {inv6 self} ensures { [#"../../../../../creusot-contracts/src/std/vec.rs" 75 26 75 48] UIntSize.to_int result = Seq.length (shallow_model4 self) } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + + val resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg knuth_shuffle [#"../03_knuth_shuffle.rs" 13 0 13 39] [@cfg:stackify] [@cfg:subregion_analysis] (v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : () requires {[#"../03_knuth_shuffle.rs" 13 24 13 25] inv5 v} ensures { [#"../03_knuth_shuffle.rs" 12 0 12 36] permutation_of0 (shallow_model2 ( ^ v)) (shallow_model0 v) } 
@@ -352,16 +353,16 @@ module C03KnuthShuffle_KnuthShuffle = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = v; - var old_v : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); + var old_v : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); var iter : Core_Ops_Range_Range_Type.t_range usize; var _7 : usize; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range usize); - var produced : Ghost.ghost_ty (Seq.seq usize); + var iter_old : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range usize); + var produced : Snapshot.snap_ty (Seq.seq usize); var _17 : Core_Option_Option_Type.t_option usize; var _18 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var _19 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var __creusot_proc_iter_elem : usize; - var _22 : Ghost.ghost_ty (Seq.seq usize); + var _22 : Snapshot.snap_ty (Seq.seq usize); var n : usize; var upper : usize; var _26 : usize; @@ -374,7 +375,7 @@ module C03KnuthShuffle_KnuthShuffle goto BB0 } BB0 { - [#"../03_knuth_shuffle.rs" 14 16 14 25] old_v <- ([#"../03_knuth_shuffle.rs" 14 16 14 25] Ghost.new v); + [#"../03_knuth_shuffle.rs" 14 16 14 31] old_v <- ([#"../03_knuth_shuffle.rs" 14 16 14 31] Snapshot.new v); goto BB1 } BB1 { @@ -389,11 +390,11 @@ module C03KnuthShuffle_KnuthShuffle goto BB3 } BB3 { - [#"../03_knuth_shuffle.rs" 16 4 16 43] iter_old <- ([#"../03_knuth_shuffle.rs" 16 4 16 43] Ghost.new iter); + [#"../03_knuth_shuffle.rs" 16 4 16 43] iter_old <- ([#"../03_knuth_shuffle.rs" 16 4 16 43] Snapshot.new iter); goto BB4 } BB4 { - [#"../03_knuth_shuffle.rs" 16 4 16 43] produced <- ([#"../03_knuth_shuffle.rs" 16 4 16 43] Ghost.new (Seq.empty )); + [#"../03_knuth_shuffle.rs" 16 4 16 43] produced <- ([#"../03_knuth_shuffle.rs" 16 4 16 43] Snapshot.new (Seq.empty )); goto BB5 } BB5 { 
@@ -401,7 +402,7 @@ module C03KnuthShuffle_KnuthShuffle } BB6 { invariant { [#"../03_knuth_shuffle.rs" 16 4 16 43] inv1 iter }; - invariant { [#"../03_knuth_shuffle.rs" 16 4 16 43] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; + invariant { [#"../03_knuth_shuffle.rs" 16 4 16 43] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; invariant { [#"../03_knuth_shuffle.rs" 16 4 16 43] permutation_of0 (shallow_model0 v) (shallow_model1 old_v) }; goto BB7 } 
@@ -437,14 +438,14 @@ module C03KnuthShuffle_KnuthShuffle absurd } BB12 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _17); - [#"../03_knuth_shuffle.rs" 16 4 16 43] _22 <- ([#"../03_knuth_shuffle.rs" 16 4 16 43] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _17); + [#"../03_knuth_shuffle.rs" 16 4 16 43] _22 <- ([#"../03_knuth_shuffle.rs" 16 4 16 43] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB13 } BB13 { [#"../03_knuth_shuffle.rs" 16 4 16 43] produced <- ([#"../03_knuth_shuffle.rs" 16 4 16 43] _22); - [#"../03_knuth_shuffle.rs" 16 4 16 43] _22 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] n <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem); + [#"../03_knuth_shuffle.rs" 16 4 16 43] _22 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] n <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem); [#"../03_knuth_shuffle.rs" 20 20 20 27] _26 <- ([#"../03_knuth_shuffle.rs" 20 20 20 27] len0 ([#"../03_knuth_shuffle.rs" 20 20 20 21] * v)); goto BB14 } diff --git a/creusot/tests/should_succeed/vector/03_knuth_shuffle.rs b/creusot/tests/should_succeed/vector/03_knuth_shuffle.rs index ae6d15918c..c93b1e2313 100644 --- a/creusot/tests/should_succeed/vector/03_knuth_shuffle.rs +++ b/creusot/tests/should_succeed/vector/03_knuth_shuffle.rs 
@@ -11,7 +11,7 @@ fn rand_in_range(l: usize, u: usize) -> usize { #[ensures((^v)@.permutation_of(v@))] pub fn knuth_shuffle(v: &mut Vec) { - let old_v = gh! { v }; + let old_v = snapshot! { v }; #[invariant(v@.permutation_of(old_v@))] for n in 0..v.len() { diff --git a/creusot/tests/should_succeed/vector/06_knights_tour.mlcfg b/creusot/tests/should_succeed/vector/06_knights_tour.mlcfg index ecdfc5f9da..b59ce41797 100644 --- a/creusot/tests/should_succeed/vector/06_knights_tour.mlcfg +++ b/creusot/tests/should_succeed/vector/06_knights_tour.mlcfg @@ -140,9 +140,9 @@ module C06KnightsTour_Board_Type end module CreusotContracts_Std1_Iter_MapInv_MapInv_Type use seq.Seq - use prelude.Ghost + use prelude.Snapshot type t_mapinv 'i 'b 'f = - | C_MapInv 'i 'f (Ghost.ghost_ty (Seq.seq 'b)) + | C_MapInv 'i 'f (Snapshot.snap_ty (Seq.seq 'b)) let function mapinv_iter (self : t_mapinv 'i 'b 'f) : 'i = [@vc:do_not_keep_trace] [@vc:sp] match self with @@ -152,7 +152,7 @@ module CreusotContracts_Std1_Iter_MapInv_MapInv_Type match self with | C_MapInv _ a _ -> a end - let function mapinv_produced (self : t_mapinv 'i 'b 'f) : Ghost.ghost_ty (Seq.seq 'b) + let function mapinv_produced (self : t_mapinv 'i 'b 'f) : Snapshot.snap_ty (Seq.seq 'b) = [@vc:do_not_keep_trace] [@vc:sp] match self with | C_MapInv _ _ a -> a @@ -176,7 +176,7 @@ module C06KnightsTour_Impl1_New_Closure3_Type use prelude.UIntSize use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.Int16 use prelude.Int use prelude.Borrow @@ -231,7 +231,7 @@ module C06KnightsTour_Impl1_New_Closure3 axiom inv0 : forall x : usize . inv0 x = true use prelude.Int16 - use prelude.Ghost + use prelude.Snapshot use prelude.Borrow use C06KnightsTour_Impl1_New_Closure3_Type as C06KnightsTour_Impl1_New_Closure3 function field_00 [#"../06_knights_tour.rs" 43 16 43 50] (self : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) : usize 
@@ -264,7 +264,7 @@ module C06KnightsTour_Impl1_New_Closure3 val resolve0 (self : borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) : bool ensures { result = resolve0 self } - let rec cfg c06KnightsTour_Impl1_New_Closure3 [#"../06_knights_tour.rs" 43 16 43 50] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (_2 : usize) (_3 : Ghost.ghost_ty (Seq.seq usize)) : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) + let rec cfg c06KnightsTour_Impl1_New_Closure3 [#"../06_knights_tour.rs" 43 16 43 50] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (_2 : usize) (_3 : Snapshot.snap_ty (Seq.seq usize)) : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) ensures { [#"../06_knights_tour.rs" 43 26 43 48] Seq.length (shallow_model0 result) = UIntSize.to_int (field_00 ( ^ _1)) } ensures { unnest0 ( * _1) ( ^ _1) } 
@@ -296,17 +296,17 @@ end module C06KnightsTour_Impl1_New use prelude.UIntSize use seq.Seq - use prelude.Ghost - predicate invariant12 (self : Ghost.ghost_ty (Seq.seq usize)) = + use prelude.Snapshot + predicate invariant12 (self : Snapshot.snap_ty (Seq.seq usize)) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true - val invariant12 (self : Ghost.ghost_ty (Seq.seq usize)) : bool + val invariant12 (self : Snapshot.snap_ty (Seq.seq usize)) : bool ensures { result = invariant12 self } - predicate inv12 (_x : Ghost.ghost_ty (Seq.seq usize)) - val inv12 (_x : Ghost.ghost_ty (Seq.seq usize)) : bool + predicate inv12 (_x : Snapshot.snap_ty (Seq.seq usize)) + val inv12 (_x : Snapshot.snap_ty (Seq.seq usize)) : bool ensures { result = inv12 _x } - axiom inv12 : forall x : Ghost.ghost_ty (Seq.seq usize) . inv12 x = true + axiom inv12 : forall x : Snapshot.snap_ty (Seq.seq usize) . inv12 x = true use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type use prelude.Int16 
@@ -418,23 +418,23 @@ module C06KnightsTour_Impl1_New = field_00 _2 = field_00 self - predicate postcondition_mut0 [#"../06_knights_tour.rs" 43 16 43 50] (self : borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (args : (usize, Ghost.ghost_ty (Seq.seq usize))) (result : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) + predicate postcondition_mut0 [#"../06_knights_tour.rs" 43 16 43 50] (self : borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (args : (usize, Snapshot.snap_ty (Seq.seq usize))) (result : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = (let (_2, _3) = args in Seq.length (shallow_model2 result) = UIntSize.to_int (field_00 ( ^ self))) /\ unnest0 ( * self) ( ^ self) use seq.Seq - predicate precondition0 [#"../06_knights_tour.rs" 43 16 43 50] (self : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (args : (usize, Ghost.ghost_ty (Seq.seq usize))) + predicate precondition0 [#"../06_knights_tour.rs" 43 16 43 50] (self : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (args : (usize, Snapshot.snap_ty (Seq.seq usize))) = let (_2, _3) = args in true - use prelude.Ghost + use prelude.Snapshot use seq_ext.SeqExt use seq.Seq use seq.Seq use seq.Seq use seq.Seq - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot use prelude.Int function deep_model0 (self : usize) : int = [#"../../../../../creusot-contracts/src/std/num.rs" 22 16 22 35] UIntSize.to_int self 
@@ -451,11 +451,11 @@ module C06KnightsTour_Impl1_New predicate produces1 [@inline:trivial] (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (visited : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) (succ : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9] unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ) /\ (exists s : Seq.seq usize . inv7 s /\ Seq.length s = Seq.length visited /\ produces0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter self) s (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter succ) /\ Ghost.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced succ) = Seq.(++) (Ghost.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) s /\ (exists fs : Seq.seq (borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) . inv11 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9] unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ) /\ (exists s : Seq.seq usize . 
inv7 s /\ Seq.length s = Seq.length visited /\ produces0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter self) s (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter succ) /\ Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced succ) = Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) s /\ (exists fs : Seq.seq (borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) . inv11 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ else * Seq.get fs 0 = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self /\ ^ Seq.get fs (Seq.length visited - 1) = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces1 [@inline:trivial] (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (visited : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) (succ : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) : bool ensures { result = produces1 self visited succ } 
@@ -511,7 +511,7 @@ module C06KnightsTour_Impl1_New predicate next_precondition0 (iter : Core_Ops_Range_Range_Type.t_range usize) (func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (produced : Seq.seq usize) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 112 8 116 9] forall i : Core_Ops_Range_Range_Type.t_range usize . forall e : usize . inv0 i -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 112 8 116 9] forall i : Core_Ops_Range_Range_Type.t_range usize . forall e : usize . inv0 i -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 (iter : Core_Ops_Range_Range_Type.t_range usize) (func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (produced : Seq.seq usize) : bool ensures { result = next_precondition0 iter func produced } 
@@ -519,7 +519,7 @@ module C06KnightsTour_Impl1_New predicate preservation0 (iter : Core_Ops_Range_Range_Type.t_range usize) (func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 135 8 142 9] forall i : Core_Ops_Range_Range_Type.t_range usize . forall b : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . forall f : borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 . forall e2 : usize . forall e1 : usize . forall s : Seq.seq usize . inv0 i -> inv9 b -> inv10 f -> inv1 e2 -> inv1 e1 -> inv7 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 135 8 142 9] forall i : Core_Ops_Range_Range_Type.t_range usize . forall b : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . forall f : borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 . forall e2 : usize . forall e1 : usize . forall s : Seq.seq usize . inv0 i -> inv9 b -> inv10 f -> inv1 e2 -> inv1 e1 -> inv7 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 (iter : Core_Ops_Range_Range_Type.t_range usize) (func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) : bool ensures { result = preservation0 iter func } 
@@ -639,7 +639,7 @@ module C06KnightsTour_Impl1_New predicate completed0 (self : borrowed (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3)) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 15 8 18 9] Ghost.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced ( ^ self)) = Seq.empty /\ completed1 (Borrow.borrow_logic (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter ( * self)) (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func ( * self) = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func ( ^ self) + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 15 8 18 9] Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced ( ^ self)) = Seq.empty /\ completed1 (Borrow.borrow_logic (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter ( * self)) (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func ( * self) = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func ( ^ self) val completed0 (self : borrowed (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3)) : bool ensures { result = completed0 self } 
@@ -655,7 +655,7 @@ module C06KnightsTour_Impl1_New predicate resolve0 (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 56 4 56 16] resolve1 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter self) /\ resolve2 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 56 4 56 27] resolve1 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter self) /\ resolve2 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) val resolve0 (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) : bool ensures { result = resolve0 self } 
@@ -665,13 +665,13 @@ module C06KnightsTour_Impl1_New ensures { inv6 result } val map_inv0 (self : Core_Ops_Range_Range_Type.t_range usize) (func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 - requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 43 4 43 138] forall i2 : Core_Ops_Range_Range_Type.t_range usize . forall e : usize . inv0 i2 -> inv1 e -> produces0 self (Seq.singleton e) i2 -> precondition0 func (e, Ghost.new (Seq.empty ))} + requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 43 4 43 141] forall i2 : Core_Ops_Range_Range_Type.t_range usize . forall e : usize . inv0 i2 -> inv1 e -> produces0 self (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 44 15 44 51] reinitialize0 ()} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 45 15 45 70] preservation0 self func} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 47 21 47 25] inv0 self} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 47 27 47 31] inv2 func} - ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 46 14 46 85] result = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.C_MapInv self func (Ghost.new (Seq.empty )) } - ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 47 4 50 58] inv3 result } + ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 46 14 46 88] result = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.C_MapInv self func (Snapshot.new (Seq.empty )) } + ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 47 4 50 61] inv3 result } let rec cfg new [#"../06_knights_tour.rs" 40 4 40 31] [@cfg:stackify] [@cfg:subregion_analysis] (size : usize) : C06KnightsTour_Board_Type.t_board requires 
{[#"../06_knights_tour.rs" 37 15 37 28] UIntSize.to_int size <= 1000} @@ -1187,7 +1187,7 @@ module C06KnightsTour_Impl1_CountDegree val wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) : bool ensures { result = wf0 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve3 (self : isize) = [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve3 (self : isize) : bool @@ -1248,11 +1248,11 @@ module C06KnightsTour_Impl1_CountDegree end } ensures { inv3 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global)) (res : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -1293,14 +1293,14 @@ module C06KnightsTour_Impl1_CountDegree var count : usize; var iter : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global); var _8 : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global); - var iter_old : Ghost.ghost_ty (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)); - var produced : Ghost.ghost_ty (Seq.seq (isize, isize)); + var iter_old : Snapshot.snap_ty (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)); + var produced : Snapshot.snap_ty (Seq.seq (isize, isize)); var _16 : (); var _17 : Core_Option_Option_Type.t_option (isize, isize); var _18 : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)); var _19 : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)); var __creusot_proc_iter_elem : (isize, isize); - var _22 : Ghost.ghost_ty (Seq.seq (isize, isize)); + var _22 : Snapshot.snap_ty (Seq.seq (isize, isize)); var m : (isize, isize); var next : C06KnightsTour_Point_Type.t_point; var _28 : (isize, isize); @@ -1319,11 +1319,11 @@ module C06KnightsTour_Impl1_CountDegree goto BB2 } BB2 { - [#"../06_knights_tour.rs" 73 8 73 46] iter_old <- ([#"../06_knights_tour.rs" 73 8 73 46] Ghost.new iter); + [#"../06_knights_tour.rs" 73 8 73 46] iter_old <- ([#"../06_knights_tour.rs" 73 8 73 46] Snapshot.new iter); goto BB3 } BB3 { - [#"../06_knights_tour.rs" 73 8 73 46] produced <- ([#"../06_knights_tour.rs" 73 8 73 46] Ghost.new (Seq.empty )); + [#"../06_knights_tour.rs" 73 8 73 46] produced <- ([#"../06_knights_tour.rs" 73 8 73 46] Snapshot.new (Seq.empty )); goto BB4 } BB4 { 
@@ -1337,8 +1337,8 @@ module C06KnightsTour_Impl1_CountDegree } BB7 { invariant { [#"../06_knights_tour.rs" 73 8 73 46] inv0 iter }; - invariant { [#"../06_knights_tour.rs" 73 8 73 46] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../06_knights_tour.rs" 73 20 73 44] UIntSize.to_int count <= Seq.length (Ghost.inner produced) }; + invariant { [#"../06_knights_tour.rs" 73 8 73 46] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../06_knights_tour.rs" 73 20 73 44] UIntSize.to_int count <= Seq.length (Snapshot.inner produced) }; goto BB8 } BB8 { 
@@ -1370,14 +1370,14 @@ module C06KnightsTour_Impl1_CountDegree absurd } BB13 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _17); - [#"../06_knights_tour.rs" 73 8 73 46] _22 <- ([#"../06_knights_tour.rs" 73 8 73 46] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _17); + [#"../06_knights_tour.rs" 73 8 73 46] _22 <- ([#"../06_knights_tour.rs" 73 8 73 46] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB14 } BB14 { [#"../06_knights_tour.rs" 73 8 73 46] produced <- ([#"../06_knights_tour.rs" 73 8 73 46] _22); - [#"../06_knights_tour.rs" 73 8 73 46] _22 <- any Ghost.ghost_ty (Seq.seq (isize, isize)); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] m <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem); + [#"../06_knights_tour.rs" 73 8 73 46] _22 <- any Snapshot.snap_ty (Seq.seq (isize, isize)); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] m <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem); assume { resolve1 __creusot_proc_iter_elem }; [#"../06_knights_tour.rs" 75 29 75 31] _28 <- ([#"../06_knights_tour.rs" 75 29 75 31] m); [#"../06_knights_tour.rs" 75 23 75 32] next <- ([#"../06_knights_tour.rs" 75 23 75 32] mov0 ([#"../06_knights_tour.rs" 75 23 75 24] p) ([#"../06_knights_tour.rs" 75 29 75 31] _28)); 
@@ -1857,7 +1857,7 @@ module C06KnightsTour_Min ensures { result = inv0 _x } axiom inv0 : forall x : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point) . inv0 x = true - use prelude.Ghost + use prelude.Snapshot use seq.Seq predicate resolve0 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point))) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self @@ -1898,10 +1898,10 @@ module C06KnightsTour_Min val shallow_model0 (self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (usize, C06KnightsTour_Point_Type.t_point) ensures { result = shallow_model0 self } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)) (res : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point)) = 
@@ -1929,13 +1929,13 @@ module C06KnightsTour_Min var v : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global) = v; var min : Core_Option_Option_Type.t_option (usize, C06KnightsTour_Point_Type.t_point); var iter : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point); - var iter_old : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point)); - var produced : Ghost.ghost_ty (Seq.seq (usize, C06KnightsTour_Point_Type.t_point)); + var iter_old : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point)); + var produced : Snapshot.snap_ty (Seq.seq (usize, C06KnightsTour_Point_Type.t_point)); var _15 : Core_Option_Option_Type.t_option (usize, C06KnightsTour_Point_Type.t_point); var _16 : borrowed (Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point)); var _17 : borrowed (Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point)); var __creusot_proc_iter_elem : (usize, C06KnightsTour_Point_Type.t_point); - var _20 : Ghost.ghost_ty (Seq.seq (usize, C06KnightsTour_Point_Type.t_point)); + var _20 : Snapshot.snap_ty (Seq.seq (usize, C06KnightsTour_Point_Type.t_point)); var x : (usize, C06KnightsTour_Point_Type.t_point); var _23 : (); var m : (usize, C06KnightsTour_Point_Type.t_point); @@ -1948,11 +1948,11 @@ module C06KnightsTour_Min goto BB1 } BB1 { - [#"../06_knights_tour.rs" 113 4 114 74] iter_old <- ([#"../06_knights_tour.rs" 113 4 114 74] Ghost.new iter); + [#"../06_knights_tour.rs" 113 4 114 74] iter_old <- ([#"../06_knights_tour.rs" 113 4 114 74] Snapshot.new iter); goto BB2 } BB2 { - [#"../06_knights_tour.rs" 113 4 114 74] produced <- ([#"../06_knights_tour.rs" 113 4 114 74] Ghost.new (Seq.empty )); + [#"../06_knights_tour.rs" 113 4 114 74] produced <- ([#"../06_knights_tour.rs" 113 4 114 74] Snapshot.new (Seq.empty )); goto BB3 } BB3 { 
@@ -1960,7 +1960,7 @@ module C06KnightsTour_Min } BB4 { invariant { [#"../06_knights_tour.rs" 113 4 114 74] inv0 iter }; - invariant { [#"../06_knights_tour.rs" 113 4 114 74] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; + invariant { [#"../06_knights_tour.rs" 113 4 114 74] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; invariant { [#"../06_knights_tour.rs" 113 4 114 74] forall r : (usize, C06KnightsTour_Point_Type.t_point) . min = Core_Option_Option_Type.C_Some r -> (exists i : int . 0 <= i /\ i < Seq.length (shallow_model0 v) /\ index_logic0 v i = r) }; goto BB5 } 
@@ -1992,14 +1992,14 @@ module C06KnightsTour_Min absurd } BB10 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _15); - [#"../06_knights_tour.rs" 113 4 114 74] _20 <- ([#"../06_knights_tour.rs" 113 4 114 74] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _15); + [#"../06_knights_tour.rs" 113 4 114 74] _20 <- ([#"../06_knights_tour.rs" 113 4 114 74] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB11 } BB11 { [#"../06_knights_tour.rs" 113 4 114 74] produced <- ([#"../06_knights_tour.rs" 113 4 114 74] _20); - [#"../06_knights_tour.rs" 113 4 114 74] _20 <- any Ghost.ghost_ty (Seq.seq (usize, C06KnightsTour_Point_Type.t_point)); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] x <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem); + [#"../06_knights_tour.rs" 113 4 114 74] _20 <- any Snapshot.snap_ty (Seq.seq (usize, C06KnightsTour_Point_Type.t_point)); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] x <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem); switch (min) | Core_Option_Option_Type.C_None -> goto BB12 | Core_Option_Option_Type.C_Some _ -> goto BB13 
@@ -2347,7 +2347,7 @@ module C06KnightsTour_KnightsTour ensures { result = invariant0 self } axiom inv0 : forall x : Core_Ops_Range_Range_Type.t_range usize . inv0 x = true - use prelude.Ghost + use prelude.Snapshot use C06KnightsTour_Board_Type as C06KnightsTour_Board_Type predicate resolve8 (self : C06KnightsTour_Point_Type.t_point) = [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true @@ -2487,10 +2487,10 @@ module C06KnightsTour_KnightsTour end } ensures { inv8 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post1 (self : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global)) (res : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)) = @@ -2543,10 +2543,10 @@ module C06KnightsTour_KnightsTour end } ensures { inv3 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_Range_Type.t_range usize) (res : Core_Ops_Range_Range_Type.t_range usize) = @@ -2565,7 +2565,7 @@ module C06KnightsTour_KnightsTour ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 89 0 166 1] into_iter_post0 self result } ensures { inv0 result } - use prelude.Ghost + use prelude.Snapshot function dumb_nonlinear_arith0 [#"../06_knights_tour.rs" 131 0 131 33] (a : usize) : () = [#"../06_knights_tour.rs" 128 0 128 8] () val dumb_nonlinear_arith0 [#"../06_knights_tour.rs" 131 0 131 33] (a : usize) : () 
@@ -2598,27 +2598,27 @@ module C06KnightsTour_KnightsTour var p : C06KnightsTour_Point_Type.t_point; var _14 : (); var _15 : borrowed (C06KnightsTour_Board_Type.t_board); - var _17 : Ghost.ghost_ty (); + var _17 : Snapshot.snap_ty (); var iter : Core_Ops_Range_Range_Type.t_range usize; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range usize); - var produced : Ghost.ghost_ty (Seq.seq usize); + var iter_old : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range usize); + var produced : Snapshot.snap_ty (Seq.seq usize); var _34 : (); var _35 : Core_Option_Option_Type.t_option usize; var _36 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var _37 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var __creusot_proc_iter_elem : usize; - var _40 : Ghost.ghost_ty (Seq.seq usize); + var _40 : Snapshot.snap_ty (Seq.seq usize); var step : usize; var candidates : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global); var iter1 : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global); var _46 : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global); - var iter_old1 : Ghost.ghost_ty (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)); - var produced1 : Ghost.ghost_ty (Seq.seq (isize, isize)); + var iter_old1 : Snapshot.snap_ty (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)); + var produced1 : Snapshot.snap_ty (Seq.seq (isize, isize)); var _54 : Core_Option_Option_Type.t_option (isize, isize); var _55 : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)); var _56 : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)); var __creusot_proc_iter_elem1 : (isize, isize); - var _59 : Ghost.ghost_ty (Seq.seq (isize, isize)); + var _59 : Snapshot.snap_ty (Seq.seq 
(isize, isize)); var m : (isize, isize); var adj : C06KnightsTour_Point_Type.t_point; var _65 : (isize, isize); @@ -2647,7 +2647,7 @@ module C06KnightsTour_KnightsTour goto BB2 } BB2 { - [#"../06_knights_tour.rs" 141 4 141 38] _17 <- ([#"../06_knights_tour.rs" 141 4 141 38] Ghost.new (dumb_nonlinear_arith0 size)); + [#"../06_knights_tour.rs" 141 4 141 44] _17 <- ([#"../06_knights_tour.rs" 141 4 141 44] Snapshot.new (dumb_nonlinear_arith0 size)); goto BB3 } BB3 { @@ -2655,11 +2655,11 @@ module C06KnightsTour_KnightsTour goto BB4 } BB4 { - [#"../06_knights_tour.rs" 142 4 142 36] iter_old <- ([#"../06_knights_tour.rs" 142 4 142 36] Ghost.new iter); + [#"../06_knights_tour.rs" 142 4 142 36] iter_old <- ([#"../06_knights_tour.rs" 142 4 142 36] Snapshot.new iter); goto BB5 } BB5 { - [#"../06_knights_tour.rs" 142 4 142 36] produced <- ([#"../06_knights_tour.rs" 142 4 142 36] Ghost.new (Seq.empty )); + [#"../06_knights_tour.rs" 142 4 142 36] produced <- ([#"../06_knights_tour.rs" 142 4 142 36] Snapshot.new (Seq.empty )); goto BB6 } BB6 { @@ -2673,7 +2673,7 @@ module C06KnightsTour_KnightsTour } BB9 { invariant { [#"../06_knights_tour.rs" 142 4 142 36] inv0 iter }; - invariant { [#"../06_knights_tour.rs" 142 4 142 36] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; + invariant { [#"../06_knights_tour.rs" 142 4 142 36] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; invariant { [#"../06_knights_tour.rs" 142 16 142 34] C06KnightsTour_Board_Type.board_size board = size }; invariant { [#"../06_knights_tour.rs" 143 16 143 26] wf0 board }; invariant { [#"../06_knights_tour.rs" 144 16 144 34] in_bounds0 board p }; 
@@ -2708,14 +2708,14 @@ module C06KnightsTour_KnightsTour absurd } BB15 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _35); - [#"../06_knights_tour.rs" 142 4 142 36] _40 <- ([#"../06_knights_tour.rs" 142 4 142 36] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _35); + [#"../06_knights_tour.rs" 142 4 142 36] _40 <- ([#"../06_knights_tour.rs" 142 4 142 36] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB16 } BB16 { [#"../06_knights_tour.rs" 142 4 142 36] produced <- ([#"../06_knights_tour.rs" 142 4 142 36] _40); - [#"../06_knights_tour.rs" 142 4 142 36] _40 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] step <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem); + [#"../06_knights_tour.rs" 142 4 142 36] _40 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] step <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem); [#"../06_knights_tour.rs" 147 50 147 60] candidates <- ([#"../06_knights_tour.rs" 147 50 147 60] new4 ()); goto BB17 } 
@@ -2729,11 +2729,11 @@ module C06KnightsTour_KnightsTour goto BB19 } BB19 { - [#"../06_knights_tour.rs" 148 8 149 54] iter_old1 <- ([#"../06_knights_tour.rs" 148 8 149 54] Ghost.new iter1); + [#"../06_knights_tour.rs" 148 8 149 54] iter_old1 <- ([#"../06_knights_tour.rs" 148 8 149 54] Snapshot.new iter1); goto BB20 } BB20 { - [#"../06_knights_tour.rs" 148 8 149 54] produced1 <- ([#"../06_knights_tour.rs" 148 8 149 54] Ghost.new (Seq.empty )); + [#"../06_knights_tour.rs" 148 8 149 54] produced1 <- ([#"../06_knights_tour.rs" 148 8 149 54] Snapshot.new (Seq.empty )); goto BB21 } BB21 { @@ -2750,7 +2750,7 @@ module C06KnightsTour_KnightsTour } BB25 { invariant { [#"../06_knights_tour.rs" 148 8 149 54] inv1 iter1 }; - invariant { [#"../06_knights_tour.rs" 148 8 149 54] produces1 (Ghost.inner iter_old1) (Ghost.inner produced1) iter1 }; + invariant { [#"../06_knights_tour.rs" 148 8 149 54] produces1 (Snapshot.inner iter_old1) (Snapshot.inner produced1) iter1 }; invariant { [#"../06_knights_tour.rs" 148 8 149 54] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 candidates) -> in_bounds0 board (let (_, a) = index_logic0 candidates i in a) }; goto BB26 } 
@@ -2778,14 +2778,14 @@ module C06KnightsTour_KnightsTour goto BB30 } BB30 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem1 <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _54); - [#"../06_knights_tour.rs" 148 8 149 54] _59 <- ([#"../06_knights_tour.rs" 148 8 149 54] Ghost.new (Seq.(++) (Ghost.inner produced1) (Seq.singleton __creusot_proc_iter_elem1))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem1 <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _54); + [#"../06_knights_tour.rs" 148 8 149 54] _59 <- ([#"../06_knights_tour.rs" 148 8 149 54] Snapshot.new (Seq.(++) (Snapshot.inner produced1) (Seq.singleton __creusot_proc_iter_elem1))); goto BB31 } BB31 { [#"../06_knights_tour.rs" 148 8 149 54] produced1 <- ([#"../06_knights_tour.rs" 148 8 149 54] _59); - [#"../06_knights_tour.rs" 148 8 149 54] _59 <- any Ghost.ghost_ty (Seq.seq (isize, isize)); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] m <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem1); + [#"../06_knights_tour.rs" 148 8 149 54] _59 <- any Snapshot.snap_ty (Seq.seq (isize, isize)); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] m <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem1); assume { resolve2 __creusot_proc_iter_elem1 }; [#"../06_knights_tour.rs" 151 28 151 30] _65 <- ([#"../06_knights_tour.rs" 151 28 151 30] m); [#"../06_knights_tour.rs" 151 22 151 31] adj <- ([#"../06_knights_tour.rs" 151 22 151 31] mov0 ([#"../06_knights_tour.rs" 151 22 151 23] p) ([#"../06_knights_tour.rs" 151 28 151 30] _65)); diff --git a/creusot/tests/should_succeed/vector/06_knights_tour.rs b/creusot/tests/should_succeed/vector/06_knights_tour.rs index 84e824fb06..b3f6643fdc 100644 
--- a/creusot/tests/should_succeed/vector/06_knights_tour.rs
+++ b/creusot/tests/should_succeed/vector/06_knights_tour.rs
@@ -125,7 +125,7 @@ fn min(v: &Vec<(usize, Point)>) -> Option<&(usize, Point)> {
 min
 }
-#[ghost]
+#[logic]
 #[requires(a@ <= 1_000)]
 #[ensures(a@ * a@ <= 1_000_000)]
 fn dumb_nonlinear_arith(a: usize) {}
@@ -138,7 +138,7 @@ pub fn knights_tour(size: usize, x: usize, y: usize) -> Option {
 let mut p = Point { x: x as isize, y: y as isize };
 board.set(p, 1);
- gh! { dumb_nonlinear_arith(size) };
+ snapshot! { dumb_nonlinear_arith(size) };
 #[invariant(board.size == size)]
 #[invariant(board.wf())]
 #[invariant(board.in_bounds(p))]
diff --git a/creusot/tests/should_succeed/vector/08_haystack.mlcfg b/creusot/tests/should_succeed/vector/08_haystack.mlcfg
index 8ac793f7be..406aaa9f4e 100644
--- a/creusot/tests/should_succeed/vector/08_haystack.mlcfg
+++ b/creusot/tests/should_succeed/vector/08_haystack.mlcfg
@@ -296,7 +296,7 @@ module C08Haystack_Search ensures { result = invariant0 self } axiom inv0 : forall x : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . inv0 x = true
- use prelude.Ghost
+ use prelude.Snapshot
 use prelude.Slice use seq.Seq predicate has_value0 [@inline:trivial] (self : usize) (seq : Seq.seq uint8) (out : uint8) =
@@ -340,8 +340,8 @@ module C08Haystack_Search end } ensures { inv5 result }
- use prelude.Ghost
- use prelude.Ghost
+ use prelude.Snapshot
+ use prelude.Snapshot
 predicate into_iter_post1 (self : Core_Ops_Range_Range_Type.t_range usize) (res : Core_Ops_Range_Range_Type.t_range usize) =
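Review bot: `dumb_nonlinear_arith` in the first 06_knights_tour.rs hunk is now a `#[logic]` function with an empty body whose only purpose is its `#[ensures(a@ * a@ <= 1_000_000)]` postcondition, and nothing in the hunk says so; a doc comment such as `/// Lemma: `a@ <= 1_000` implies `a@ * a@ <= 1_000_000`; called from `knights_tour` only to bring this bound into scope.` would make its role clear. At the call site in the second hunk, `snapshot! { dumb_nonlinear_arith(size) };` discards the snapshot value, so a one-line comment like `// Instantiate the lemma; only its postcondition is used by the invariants below.` would stop a reader from looking for a consumer. The lemma's `#[requires(a@ <= 1_000)]` has to hold for `size` at that point; the contract of `knights_tour` that presumably establishes it, and the rest of its body, lie outside the hunk.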
@@ -392,11 +392,11 @@ module C08Haystack_Search val match_at0 [#"../08_haystack.rs" 7 0 7 77] (needle : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) (haystack : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) (pos : int) (len : int) : bool ensures { result = match_at0 needle haystack pos len } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) (res : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) = 
@@ -441,23 +441,23 @@ module C08Haystack_Search var _10 : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize; var _12 : usize; var _14 : usize; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize); - var produced : Ghost.ghost_ty (Seq.seq usize); + var iter_old : Snapshot.snap_ty (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize); + var produced : Snapshot.snap_ty (Seq.seq usize); var _24 : Core_Option_Option_Type.t_option usize; var _25 : borrowed (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize); var _26 : borrowed (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize); var __creusot_proc_iter_elem : usize; - var _29 : Ghost.ghost_ty (Seq.seq usize); + var _29 : Snapshot.snap_ty (Seq.seq usize); var i : usize; var iter1 : Core_Ops_Range_Range_Type.t_range usize; var _36 : usize; - var iter_old1 : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range usize); - var produced1 : Ghost.ghost_ty (Seq.seq usize); + var iter_old1 : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range usize); + var produced1 : Snapshot.snap_ty (Seq.seq usize); var _45 : Core_Option_Option_Type.t_option usize; var _46 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var _47 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var __creusot_proc_iter_elem1 : usize; - var _50 : Ghost.ghost_ty (Seq.seq usize); + var _50 : Snapshot.snap_ty (Seq.seq usize); var j : usize; var _55 : uint8; var _59 : uint8; @@ -484,11 +484,11 @@ module C08Haystack_Search goto BB4 } BB4 { - [#"../08_haystack.rs" 22 4 22 112] iter_old <- ([#"../08_haystack.rs" 22 4 22 112] Ghost.new iter); + [#"../08_haystack.rs" 22 4 22 112] iter_old <- ([#"../08_haystack.rs" 22 4 22 112] Snapshot.new iter); goto BB5 } BB5 { - [#"../08_haystack.rs" 22 4 22 112] produced <- ([#"../08_haystack.rs" 22 4 22 112] Ghost.new (Seq.empty )); + [#"../08_haystack.rs" 22 4 22 112] produced <- ([#"../08_haystack.rs" 22 4 22 112] Snapshot.new (Seq.empty )); goto BB6 } BB6 { 
@@ -496,8 +496,8 @@ module C08Haystack_Search } BB7 { invariant { [#"../08_haystack.rs" 22 4 22 112] inv0 iter }; - invariant { [#"../08_haystack.rs" 22 4 22 112] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../08_haystack.rs" 22 4 22 112] forall k : int . 0 <= k /\ k < Seq.length (Ghost.inner produced) -> not match_at0 needle haystack k (Seq.length (shallow_model0 needle)) }; + invariant { [#"../08_haystack.rs" 22 4 22 112] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../08_haystack.rs" 22 4 22 112] forall k : int . 0 <= k /\ k < Seq.length (Snapshot.inner produced) -> not match_at0 needle haystack k (Seq.length (shallow_model0 needle)) }; goto BB8 } BB8 { 
@@ -528,14 +528,14 @@ module C08Haystack_Search absurd } BB13 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _24); - [#"../08_haystack.rs" 22 4 22 112] _29 <- ([#"../08_haystack.rs" 22 4 22 112] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _24); + [#"../08_haystack.rs" 22 4 22 112] _29 <- ([#"../08_haystack.rs" 22 4 22 112] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB14 } BB14 { [#"../08_haystack.rs" 22 4 22 112] produced <- ([#"../08_haystack.rs" 22 4 22 112] _29); - [#"../08_haystack.rs" 22 4 22 112] _29 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] i <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem); + [#"../08_haystack.rs" 22 4 22 112] _29 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] i <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem); [#"../08_haystack.rs" 25 20 25 32] _36 <- ([#"../08_haystack.rs" 25 20 25 32] len0 ([#"../08_haystack.rs" 25 20 25 26] needle)); goto BB15 } 
@@ -545,11 +545,11 @@ module C08Haystack_Search goto BB16 } BB16 { - [#"../08_haystack.rs" 24 8 24 68] iter_old1 <- ([#"../08_haystack.rs" 24 8 24 68] Ghost.new iter1); + [#"../08_haystack.rs" 24 8 24 68] iter_old1 <- ([#"../08_haystack.rs" 24 8 24 68] Snapshot.new iter1); goto BB17 } BB17 { - [#"../08_haystack.rs" 24 8 24 68] produced1 <- ([#"../08_haystack.rs" 24 8 24 68] Ghost.new (Seq.empty )); + [#"../08_haystack.rs" 24 8 24 68] produced1 <- ([#"../08_haystack.rs" 24 8 24 68] Snapshot.new (Seq.empty )); goto BB18 } BB18 { @@ -557,8 +557,8 @@ module C08Haystack_Search } BB19 { invariant { [#"../08_haystack.rs" 24 8 24 68] inv1 iter1 }; - invariant { [#"../08_haystack.rs" 24 8 24 68] produces1 (Ghost.inner iter_old1) (Ghost.inner produced1) iter1 }; - invariant { [#"../08_haystack.rs" 24 20 24 66] match_at0 needle haystack (UIntSize.to_int i) (Seq.length (Ghost.inner produced1)) }; + invariant { [#"../08_haystack.rs" 24 8 24 68] produces1 (Snapshot.inner iter_old1) (Snapshot.inner produced1) iter1 }; + invariant { [#"../08_haystack.rs" 24 20 24 66] match_at0 needle haystack (UIntSize.to_int i) (Seq.length (Snapshot.inner produced1)) }; goto BB20 } BB20 { 
@@ -585,14 +585,14 @@ module C08Haystack_Search goto BB24 } BB24 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem1 <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] Core_Option_Option_Type.some_0 _45); - [#"../08_haystack.rs" 24 8 24 68] _50 <- ([#"../08_haystack.rs" 24 8 24 68] Ghost.new (Seq.(++) (Ghost.inner produced1) (Seq.singleton __creusot_proc_iter_elem1))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem1 <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] Core_Option_Option_Type.some_0 _45); + [#"../08_haystack.rs" 24 8 24 68] _50 <- ([#"../08_haystack.rs" 24 8 24 68] Snapshot.new (Seq.(++) (Snapshot.inner produced1) (Seq.singleton __creusot_proc_iter_elem1))); goto BB25 } BB25 { [#"../08_haystack.rs" 24 8 24 68] produced1 <- ([#"../08_haystack.rs" 24 8 24 68] _50); - [#"../08_haystack.rs" 24 8 24 68] _50 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] j <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 664 0 664 51] __creusot_proc_iter_elem1); + [#"../08_haystack.rs" 24 8 24 68] _50 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] j <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem1); [#"../08_haystack.rs" 26 21 26 24] _55 <- ([#"../08_haystack.rs" 26 21 26 24] index0 ([#"../08_haystack.rs" 26 15 26 21] needle) ([#"../08_haystack.rs" 26 22 26 23] j)); goto BB26 }