From ac914f03d5316c516534bdbec8ac8fc4e372659e Mon Sep 17 00:00:00 2001 From: Li-yao Xia Date: Fri, 6 Dec 2024 22:50:39 +0100 Subject: [PATCH] Add specs for iterators of HashMap and HashSet --- creusot-contracts/src/logic/fset.rs | 11 + creusot-contracts/src/logic/seq.rs | 10 + creusot-contracts/src/std.rs | 4 + .../src/std/collections/hash_map.rs | 249 + .../src/std/collections/hash_set.rs | 226 + creusot-contracts/src/std/default.rs | 10 + .../creusot-contracts/creusot-contracts.coma | 23541 +++++++++------- .../creusot-contracts/why3session.xml | 311 +- .../creusot-contracts/why3shapes.gz | Bin 24628 -> 28585 bytes creusot/tests/should_fail/bug/603.stderr | 2 +- creusot/tests/should_fail/bug/878.coma | 4 +- creusot/tests/should_fail/bug/specialize.coma | 4 +- .../diagnostics/view_unimplemented.stderr | 4 +- .../should_succeed/bug/final_borrows.coma | 4 +- .../tests/should_succeed/cc/collections.coma | 1925 ++ .../tests/should_succeed/cc/collections.rs | 79 + .../cc/collections/why3session.xml | 131 + .../cc/collections/why3shapes.gz | Bin 0 -> 2951 bytes .../tests/should_succeed/ghost/ghost_set.coma | 30 +- .../tests/should_succeed/ghost/ghost_vec.coma | 48 +- creusot/tests/should_succeed/hashmap.coma | 12 +- .../should_succeed/heapsort_generic.coma | 4 +- creusot/tests/should_succeed/hillel.coma | 8 +- .../should_succeed/iterators/02_iter_mut.coma | 10 +- .../iterators/03_std_iterators.coma | 6 +- .../iterators/08_collect_extend.coma | 4 +- creusot/tests/should_succeed/knapsack.coma | 2 +- .../tests/should_succeed/knapsack_full.coma | 2 +- creusot/tests/should_succeed/linked_list.coma | 36 +- .../selection_sort_generic.coma | 2 +- creusot/tests/should_succeed/slices/01.coma | 2 +- .../tests/should_succeed/sparse_array.coma | 12 +- .../sparse_array/why3session.xml | 23 +- .../should_succeed/sparse_array/why3shapes.gz | Bin 3437 -> 3482 bytes .../tests/should_succeed/take_first_mut.coma | 2 +- .../traits/16_impl_cloning.coma | 2 +- .../type_invariants/vec_inv.coma | 2 +- .../tests/should_succeed/vector/02_gnome.coma | 2 +- .../vector/03_knuth_shuffle.coma | 2 +- .../vector/05_binary_search_generic.coma | 2 +- .../should_succeed/vector/07_read_write.coma | 2 +- .../should_succeed/vector/09_capacity.coma | 4 +- 42 files changed, 16785 insertions(+), 9949 deletions(-) create mode 100644 creusot-contracts/src/std/collections/hash_map.rs create mode 100644 creusot-contracts/src/std/collections/hash_set.rs create mode 100644 creusot/tests/should_succeed/cc/collections.coma create mode 100644 creusot/tests/should_succeed/cc/collections.rs create mode 100644 creusot/tests/should_succeed/cc/collections/why3session.xml create mode 100644 creusot/tests/should_succeed/cc/collections/why3shapes.gz diff --git a/creusot-contracts/src/logic/fset.rs b/creusot-contracts/src/logic/fset.rs index 9ebd35b76..469bbb09c 100644 --- a/creusot-contracts/src/logic/fset.rs +++ b/creusot-contracts/src/logic/fset.rs @@ -114,6 +114,17 @@ impl FSet { dead } + /// Returns a new set, which is the union of `self` and `other`. + /// + /// An element is in the result if it is in `self` _or_ if it is in `other`. + #[trusted] + #[logic] + #[creusot::builtins = "set.Fset.inter"] + pub fn intersection(self, other: Self) -> Self { + let _ = other; + dead + } + /// Returns `true` if every element of `self` is in `other`. #[trusted] #[predicate] diff --git a/creusot-contracts/src/logic/seq.rs b/creusot-contracts/src/logic/seq.rs index d28a4a84b..8146bbd1b 100644 --- a/creusot-contracts/src/logic/seq.rs +++ b/creusot-contracts/src/logic/seq.rs @@ -376,6 +376,16 @@ impl Seq { { self.sorted_range(0, self.len()) } + + #[open] + #[logic] + #[ensures(forall, b: Seq, x: T> + a.concat(b).contains(x) == a.contains(x) || b.contains(x))] + pub fn concat_contains() + where + T: Sized, + { + } } impl Seq<&T> { diff --git a/creusot-contracts/src/std.rs b/creusot-contracts/src/std.rs index ec8370106..08c594887 100644 --- a/creusot-contracts/src/std.rs +++ b/creusot-contracts/src/std.rs @@ -3,6 +3,10 @@ pub use ::std::*; pub mod array; pub mod boxed; pub mod clone; +pub mod collections { + pub mod hash_map; + pub mod hash_set; +} pub mod cmp; pub mod default; pub mod deque; diff --git a/creusot-contracts/src/std/collections/hash_map.rs b/creusot-contracts/src/std/collections/hash_map.rs new file mode 100644 index 000000000..ca2bcb09d --- /dev/null +++ b/creusot-contracts/src/std/collections/hash_map.rs @@ -0,0 +1,249 @@ +use crate::{ + logic::FMap, + std::iter::{FromIterator, IntoIterator, Iterator}, + *, +}; +use ::std::{ + collections::hash_map::*, + default::Default, + hash::{BuildHasher, Hash}, +}; + +impl View for HashMap { + type ViewTy = FMap; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +extern_spec! { + mod std { + mod collections { + mod hash_map { + impl HashMap { + #[ensures(self@ == result@)] + fn iter(&self) -> Iter<'_, K, V>; + + #[ensures(self.into_iter_post(result))] + fn iter_mut(&mut self) -> IterMut<'_, K, V>; + } + } + } + } +} + +impl View for IntoIter { + type ViewTy = FMap; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +impl Iterator for IntoIter { + #[open] + #[predicate(prophetic)] + fn produces(self, visited: Seq, o: Self) -> bool { + // self@ equals the union of visited (viewed as a fmap) and o@ + pearlite! { + self@.len() == visited.len() + o@.len() + && (forall visited.contains((k, v)) + ==> self@.get(k.deep_model()) == Some(v) && o@.get(k.deep_model()) == None) + && (forall o@.get(k) == Some(v) + ==> self@.get(k) == Some(v) && !exists k2.deep_model() == k && visited.contains((k2, v2))) + && (forall self@.get(k) == Some(v) + ==> (exists k1.deep_model() == k && visited.contains((k1, v))) || o@.get(k) == Some(v)) + && (forall + 0 <= i1 && i1 < visited.len() && 0 <= i2 && i2 < visited.len() + && visited[i1].0.deep_model() == visited[i2].0.deep_model() + ==> i1 == i2) + } + } + + #[open] + #[predicate(prophetic)] + fn completed(&mut self) -> bool { + pearlite! { self.resolve() && self@.is_empty() } + } + + #[law] + #[open] + #[ensures(self.produces(Seq::EMPTY, self))] + fn produces_refl(self) {} + + #[law] + #[open] + #[requires(a.produces(ab, b))] + #[requires(b.produces(bc, c))] + #[ensures(a.produces(ab.concat(bc), c))] + fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) { + proof_assert! { forall 0 <= i && i < bc.len() ==> bc[i] == ab.concat(bc)[ab.len() + i] } + } +} + +impl<'a, K: DeepModel, V> View for Iter<'a, K, V> { + type ViewTy = FMap; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +impl<'a, K: DeepModel, V> Iterator for Iter<'a, K, V> { + #[open] + #[predicate(prophetic)] + fn produces(self, visited: Seq, o: Self) -> bool { + // `self@` equals the union of `visited` (viewed as a finite map) and `o@` + pearlite! { + self@.len() == visited.len() + o@.len() + && (forall visited.contains((k, v)) + ==> self@.get(k.deep_model()) == Some(*v) && o@.get(k.deep_model()) == None) + && (forall o@.get(k) == Some(v) + ==> self@.get(k) == Some(v) && !exists k2.deep_model() == k && visited.contains((k2, v2))) + && (forall self@.get(k) == Some(v) + ==> (exists k2.deep_model() == k && visited.contains((k2, &v))) || o@.get(k) == Some(v)) + && (forall + 0 <= i1 && i1 < visited.len() && 0 <= i2 && i2 < visited.len() + && visited[i1].0.deep_model() == visited[i2].0.deep_model() + ==> i1 == i2) + } + } + + #[open] + #[predicate(prophetic)] + fn completed(&mut self) -> bool { + pearlite! { self.resolve() && self@.is_empty() } + } + + #[law] + #[open] + #[ensures(self.produces(Seq::EMPTY, self))] + fn produces_refl(self) {} + + #[law] + #[open] + #[requires(a.produces(ab, b))] + #[requires(b.produces(bc, c))] + #[ensures(a.produces(ab.concat(bc), c))] + fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) { + proof_assert! { forall 0 <= i && i < bc.len() ==> bc[i] == ab.concat(bc)[ab.len() + i] } + } +} + +impl<'a, K: DeepModel, V> View for IterMut<'a, K, V> { + type ViewTy = FMap; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +impl<'a, K: DeepModel, V> Iterator for IterMut<'a, K, V> { + #[open] + #[predicate(prophetic)] + fn produces(self, visited: Seq, o: Self) -> bool { + // self@ equals the union of visited (viewed as a fmap) and o@ + pearlite! { + self@.len() == visited.len() + o@.len() + && (forall visited.contains((&k, v)) + ==> self@.get(k.deep_model()) == Some(v) && o@.get(k.deep_model()) == None) + && (forall o@.get(k) == Some(v) + ==> self@.get(k) == Some(v) && !exists k2.deep_model() == k && visited.contains((k2, v2))) + && (forall self@.get(k) == Some(v) + ==> (exists k1.deep_model() == k && visited.contains((k1, v))) || o@.get(k) == Some(v)) + && (forall + 0 <= i1 && i1 < visited.len() && 0 <= i2 && i2 < visited.len() + && visited[i1].0.deep_model() == visited[i2].0.deep_model() + ==> i1 == i2) + } + } + + #[open] + #[predicate(prophetic)] + fn completed(&mut self) -> bool { + pearlite! { self.resolve() && self@.is_empty() } + } + + #[law] + #[open] + #[ensures(self.produces(Seq::EMPTY, self))] + fn produces_refl(self) {} + + #[law] + #[open] + #[requires(a.produces(ab, b))] + #[requires(b.produces(bc, c))] + #[ensures(a.produces(ab.concat(bc), c))] + fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) { + proof_assert! { forall 0 <= i && i < bc.len() ==> bc[i] == ab.concat(bc)[ab.len() + i] } + } +} + +impl IntoIterator for HashMap { + #[predicate] + #[open] + fn into_iter_pre(self) -> bool { + pearlite! { true } + } + + #[predicate] + #[open] + fn into_iter_post(self, res: Self::IntoIter) -> bool { + pearlite! { self@ == res@ } + } +} + +impl IntoIterator for &HashMap { + #[predicate] + #[open] + fn into_iter_pre(self) -> bool { + pearlite! { true } + } + + #[predicate] + #[open] + fn into_iter_post(self, res: Self::IntoIter) -> bool { + pearlite! { self@ == res@ } + } +} + +impl IntoIterator for &mut HashMap { + #[predicate] + #[open] + fn into_iter_pre(self) -> bool { + pearlite! { true } + } + + #[predicate(prophetic)] + #[open] + fn into_iter_post(self, res: Self::IntoIter) -> bool { + pearlite! { forall (*self)@.contains(k) == (^self)@.contains(k) + && (forall (*self)@.contains(k) == res@.contains(k)) + && forall (*self)@.contains(k) ==> (*self)@[k] == *res@[k] && (^self)@[k] == ^res@[k] } + } +} + +impl FromIterator<(K, V)> + for HashMap +{ + #[predicate] + #[open] + fn from_iter_post(prod: Seq<(K, V)>, res: Self) -> bool { + pearlite! { forall (res@.get(k) == Some(v)) + == (exists 0 <= i && i < prod.len() && k1.deep_model() == k && prod[i] == (k1, v) + && forall i < j && j < prod.len() ==> prod[j].0.deep_model() != k) } + } +} diff --git a/creusot-contracts/src/std/collections/hash_set.rs b/creusot-contracts/src/std/collections/hash_set.rs new file mode 100644 index 000000000..41bd35d58 --- /dev/null +++ b/creusot-contracts/src/std/collections/hash_set.rs @@ -0,0 +1,226 @@ +use crate::{ + logic::FSet, + std::iter::{FromIterator, IntoIterator, Iterator}, + *, +}; +use ::std::{collections::hash_set::*, hash::*}; + +impl View for HashSet { + type ViewTy = FSet; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +extern_spec! { + mod std { + mod collections { + mod hash_set { + impl HashSet { + #[ensures(self@ == result@)] + fn iter(&self) -> Iter<'_, T>; + } + impl HashSet + where + T: Eq + Hash + DeepModel, + S: BuildHasher, + { + #[ensures(result@ == self@.intersection(other@))] + fn intersection<'a>(&'a self, other: &'a HashSet) -> Intersection<'a, T, S>; + } + } + } + } +} + +impl View for IntoIter { + type ViewTy = FSet; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +#[open] +#[predicate] +pub fn set_produces>>( + start: I, + visited: Seq, + end: I, +) -> bool { + pearlite! { start@.len() == visited.len() + end@.len() + && (forall start@.contains(x) ==> (exists x1.deep_model() == x && visited.contains(x1)) || end@.contains(x)) + && (forall visited.contains(x) ==> start@.contains(x.deep_model()) && !end@.contains(x.deep_model())) + && (forall end@.contains(x) ==> start@.contains(x) && !exists x1.deep_model() == x && visited.contains(x1)) + && (forall + 0 <= i && i < visited.len() && 0 <= j && j < visited.len() + && visited[i].deep_model() == visited[j].deep_model() + ==> i == j) + } +} + +#[open] +#[logic] +#[requires(set_produces(a, ab, b))] +#[requires(set_produces(b, bc, c))] +#[ensures(set_produces(a, ab.concat(bc), c))] +pub fn set_produces_trans>>( + a: I, + ab: Seq, + b: I, + bc: Seq, + c: I, +) { + Seq::::concat_contains(); + proof_assert! { forall ab.len() <= i && ab.concat(bc).get(i) == Some(x) ==> bc.contains(x) }; + proof_assert! { forall 0 <= i && i < bc.len() ==> bc[i] == ab.concat(bc)[ab.len() + i] }; +} + +impl Iterator for IntoIter { + #[open] + #[predicate(prophetic)] + fn produces(self, visited: Seq, o: Self) -> bool { + set_produces(self, visited, o) + } + + #[open] + #[predicate(prophetic)] + fn completed(&mut self) -> bool { + pearlite! { (self@).is_empty() } + } + + #[law] + #[open] + #[ensures(self.produces(Seq::EMPTY, self))] + fn produces_refl(self) {} + + #[law] + #[open] + #[requires(a.produces(ab, b))] + #[requires(b.produces(bc, c))] + #[ensures(a.produces(ab.concat(bc), c))] + fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) { + set_produces_trans(a, ab, b, bc, c); + } +} + +impl<'a, T: DeepModel> View for Iter<'a, T> { + type ViewTy = FSet; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +impl<'a, T: DeepModel> Iterator for Iter<'a, T> { + #[open] + #[predicate(prophetic)] + fn produces(self, visited: Seq, o: Self) -> bool { + set_produces(self, visited, o) + } + + #[open] + #[predicate(prophetic)] + fn completed(&mut self) -> bool { + pearlite! { (self@).is_empty() } + } + + #[law] + #[open] + #[ensures(self.produces(Seq::EMPTY, self))] + fn produces_refl(self) {} + + #[law] + #[open] + #[requires(a.produces(ab, b))] + #[requires(b.produces(bc, c))] + #[ensures(a.produces(ab.concat(bc), c))] + fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) { + set_produces_trans(a, ab, b, bc, c); + } +} + +impl IntoIterator for HashSet { + #[predicate] + #[open] + fn into_iter_pre(self) -> bool { + pearlite! { true } + } + + #[predicate] + #[open] + fn into_iter_post(self, res: Self::IntoIter) -> bool { + pearlite! { self@ == res@ } + } +} + +impl IntoIterator for &HashSet { + #[predicate] + #[open] + fn into_iter_pre(self) -> bool { + pearlite! { true } + } + + #[predicate] + #[open] + fn into_iter_post(self, res: Self::IntoIter) -> bool { + pearlite! { self@ == res@ } + } +} + +impl FromIterator for HashSet { + #[predicate] + #[open] + fn from_iter_post(prod: Seq, res: Self) -> bool { + pearlite! { forall res@.contains(x) == exists x1.deep_model() == x && prod.contains(x1) } + } +} + +impl<'a, T: DeepModel, S> View for Intersection<'a, T, S> { + type ViewTy = FSet; + + #[logic] + #[trusted] + #[open] + fn view(self) -> Self::ViewTy { + dead + } +} + +impl<'a, T: Eq + Hash + DeepModel, S: BuildHasher> Iterator for Intersection<'a, T, S> { + #[open] + #[predicate(prophetic)] + fn produces(self, visited: Seq, o: Self) -> bool { + set_produces(self, visited, o) + } + + #[open] + #[predicate(prophetic)] + fn completed(&mut self) -> bool { + pearlite! { self.resolve() && (self@).is_empty() } + } + + #[law] + #[open] + #[ensures(self.produces(Seq::EMPTY, self))] + fn produces_refl(self) {} + + #[law] + #[open] + #[requires(a.produces(ab, b))] + #[requires(b.produces(bc, c))] + #[ensures(a.produces(ab.concat(bc), c))] + fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) { + set_produces_trans(a, ab, b, bc, c); + } +} diff --git a/creusot-contracts/src/std/default.rs b/creusot-contracts/src/std/default.rs index b1770f27a..a96b6e45d 100644 --- a/creusot-contracts/src/std/default.rs +++ b/creusot-contracts/src/std/default.rs @@ -24,3 +24,13 @@ impl Default for bool { pearlite! { self == false } } } + +// `RandomState::default()` is defined as `RandomState::new()` +// which produces random values. +impl Default for std::hash::RandomState { + #[predicate] + #[open] + fn is_default(self) -> bool { + pearlite! { true } + } +} diff --git a/creusot/tests/creusot-contracts/creusot-contracts.coma b/creusot/tests/creusot-contracts/creusot-contracts.coma index cfbca1ad4..7b8d0eaf4 100644 --- a/creusot/tests/creusot-contracts/creusot-contracts.coma +++ b/creusot/tests/creusot-contracts/creusot-contracts.coma @@ -92,4295 +92,4659 @@ module M_creusot_contracts__stdqy35z1__array__qyi15505960269205342033__produces_ goal vc_produces_trans'0 : ([%#sarray1] produces'0 b bc c) -> ([%#sarray0] produces'0 a ab b) -> ([%#sarray2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_PartialEq_Rhs_ne_body [#"../../../creusot-contracts/src/std/cmp.rs" 10 31 18 18] - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 18 29 18 32 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 17 26 17 75 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 11 26 11 75 - let%span smodel4 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 - let%span sinvariant5 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi8545377735181223672__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 79 4 79 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 78 14 78 45 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 76 4 76 10 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 56 12 66 29 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - use prelude.prelude.Borrow + use seq.Seq - type t_Self_'0 + type t_K'0 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_V'0 - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = - [%#sinvariant5] inv'4 self + use seq.Seq - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + use prelude.prelude.UInt16 - axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'0 x] . inv'0 x = invariant'0 x + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - predicate invariant'2 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = - [%#sinvariant5] inv'0 self + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + use prelude.prelude.Opaque - axiom inv_axiom'2 [@rewrite] : forall x : t_Self_'0 [inv'2 x] . inv'2 x = invariant'2 x + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - type t_Rhs'0 + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = - [%#sinvariant5] inv'5 self + use prelude.prelude.UIntSize - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom inv_axiom'1 [@rewrite] : forall x : t_Rhs'0 [inv'1 x] . inv'1 x = invariant'1 x + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = - [%#sinvariant5] inv'1 self + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'2 = + | C_None'2 + | C_Some'2 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'2; t_RawIntoIter__marker'0: () } + + type t_IntoIter'1 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - axiom inv_axiom'3 [@rewrite] : forall x : t_Rhs'0 [inv'3 x] . inv'3 x = invariant'3 x + type t_FMap'0 + + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 45 4 45 33] (self : t_IntoIter'0) : t_FMap'0 + + + use prelude.prelude.Int + + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int + + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap3] len'0 self >= 0 + + use seq.Seq + + use seq.Seq + + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq4] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x type t_DeepModelTy'0 - function deep_model'4 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = - [%#smodel4] deep_model'4 self + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function deep_model'2 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = - [%#smodel4] deep_model'0 self + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 - function deep_model'5 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Rhs'0) : t_DeepModelTy'0 + use map.Map - function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = - [%#smodel4] deep_model'5 self + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) + - function deep_model'3 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = - [%#smodel4] deep_model'1 self + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - let rec eq'0 (self:t_Self_'0) (other:t_Rhs'0) (return' (ret:bool))= {[@expl:eq 'self' type invariant] inv'2 self} - {[@expl:eq 'other' type invariant] inv'3 other} - any [ return' (result:bool)-> {[%#scmp3] result = (deep_model'2 self = deep_model'3 other)} (! return' {result}) ] + use map.Map - use prelude.prelude.Intrinsic + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + + = + [%#sfmap6] Map.get (view'1 self) k - meta "compute_max_steps" 1000000 + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + + = + [%#sfmap5] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - let rec extern_spec_std_cmp_PartialEq_Rhs_ne_body'0 (self_:t_Self_'0) (rhs:t_Rhs'0) (return' (ret:bool))= {[@expl:extern_spec_std_cmp_PartialEq_Rhs_ne_body 'self_' type invariant] [%#scmp0] inv'0 self_} - {[@expl:extern_spec_std_cmp_PartialEq_Rhs_ne_body 'rhs' type invariant] [%#scmp1] inv'1 rhs} - (! bb0 - [ bb0 = s0 [ s0 = eq'0 {self_} {rhs} (fun (_ret':bool) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = s0 [ s0 = [ &_0 <- not _4 ] s1 | s1 = return' {_0} ] ] - ) [ & _0 : bool = any_l () | & self_ : t_Self_'0 = self_ | & rhs : t_Rhs'0 = rhs | & _4 : bool = any_l () ] - [ return' (result:bool)-> {[@expl:extern_spec_std_cmp_PartialEq_Rhs_ne_body ensures] [%#scmp2] result - = (deep_model'0 self_ <> deep_model'1 rhs)} - (! return' {result}) ] + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 53 4 53 64] (self : t_IntoIter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_IntoIter'0) + + = + [%#shash_map2] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'0 k1 = k /\ contains'0 visited (k1, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) + + constant self : t_IntoIter'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 79 4 79 26] (self : t_IntoIter'0) : () + + goal vc_produces_refl'0 : [%#shash_map0] produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self end -module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_PartialOrd_Rhs_lt_body [#"../../../creusot-contracts/src/std/cmp.rs" 27 32 36 18] - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 39 29 39 34 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 38 48 38 52 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 36 29 36 34 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 35 26 35 76 - let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 32 26 32 91 - let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - let%span sinvariant20 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi8545377735181223672__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 86 4 86 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 83 15 83 32 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 84 15 84 32 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 85 14 85 42 + let%span shash_map3 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 87 24 87 102 + let%span shash_map4 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 87 8 87 104 + let%span shash_map5 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 56 12 66 29 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq7 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sfmap9 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - use prelude.prelude.Borrow + use prelude.prelude.UInt16 - type t_Self_'0 + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = - [%#sinvariant20] inv'2 self + use prelude.prelude.Opaque - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'0 x] . inv'0 x = invariant'0 x + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - type t_Rhs'0 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + use prelude.prelude.UIntSize - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = - [%#sinvariant20] inv'3 self + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom inv_axiom'1 [@rewrite] : forall x : t_Rhs'0 [inv'1 x] . inv'1 x = invariant'1 x + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'2 = + | C_None'2 + | C_Some'2 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'2; t_RawIntoIter__marker'0: () } + + type t_IntoIter'1 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - type t_DeepModelTy'0 + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - function deep_model'2 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 + type t_K'0 - function deep_model'3 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Rhs'0) : t_DeepModelTy'0 + type t_V'0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - + type t_FMap'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 45 4 45 33] (self : t_IntoIter'0) : t_FMap'0 - axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord19] (x = y) - = (cmp_log'0 x y = C_Equal'0) + use prelude.prelude.Int - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord17] cmp_log'0 x y = C_Greater'0) - -> ([%#sord18] cmp_log'0 y x = C_Less'0) + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap6] len'0 self >= 0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use seq.Seq - axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord15] cmp_log'0 x y = C_Less'0) - -> ([%#sord16] cmp_log'0 y x = C_Greater'0) + use seq.Seq - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + = + [%#sseq7] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord12] cmp_log'0 x y - = o) -> ([%#sord13] cmp_log'0 y z = o) -> ([%#sord14] cmp_log'0 x z = o) + type t_DeepModelTy'0 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord11] cmp_log'0 x x = C_Equal'0 + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + use map.Map + + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) - axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] gt_log'0 x y - = (cmp_log'0 x y = C_Greater'0) + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap10] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + use map.Map - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + = + [%#sfmap9] Map.get (view'1 self) k - axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] ge_log'0 x y - = (cmp_log'0 x y <> C_Less'0) - - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + = + [%#sfmap8] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 53 4 53 64] (self : t_IntoIter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_IntoIter'0) + = + [%#shash_map5] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'0 k1 = k /\ contains'0 visited (k1, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) - axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord8] lt_log'0 x y - = (cmp_log'0 x y = C_Less'0) + use seq.Seq - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + constant a : t_IntoIter'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + constant ab : Seq.seq (t_K'0, t_V'0) - axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord7] le_log'0 x y - = (cmp_log'0 x y <> C_Greater'0) + constant b : t_IntoIter'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 (t_Ordering'0) + constant bc : Seq.seq (t_K'0, t_V'0) - let rec partial_cmp'0 (self:t_Self_'0) (other:t_Rhs'0) (return' (ret:t_Option'0))= {[@expl:partial_cmp 'self' type invariant] inv'0 self} - {[@expl:partial_cmp 'other' type invariant] inv'1 other} - any - [ return' (result:t_Option'0)-> {[%#scmp5] result = C_Some'0 (cmp_log'0 (deep_model'2 self) (deep_model'3 other))} - (! return' {result}) ] - + constant c : t_IntoIter'0 - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Ordering'0))= any - [ good (field_0:t_Ordering'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_Ordering'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} - (! {false} - any) ] + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 86 4 86 90] (a : t_IntoIter'0) (ab : Seq.seq (t_K'0, t_V'0)) (b : t_IntoIter'0) (bc : Seq.seq (t_K'0, t_V'0)) (c : t_IntoIter'0) : () - use prelude.prelude.Intrinsic + goal vc_produces_trans'0 : ([%#shash_map1] produces'0 b bc c) + -> ([%#shash_map0] produces'0 a ab b) + -> ([%#shash_map3] forall i : int . 0 <= i /\ i < Seq.length bc + -> Seq.get bc i = Seq.get (Seq.(++) ab bc) (Seq.length ab + i)) + && (let _ = () in [%#shash_map2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi17813512624381000997__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 131 4 131 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 130 14 130 45 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 128 4 128 10 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 108 12 118 29 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span smodel5 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = - [%#smodel6] deep_model'2 self + use seq.Seq - function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = - [%#smodel6] deep_model'3 self + use prelude.prelude.Borrow - meta "compute_max_steps" 1000000 + type t_K'0 - let rec extern_spec_std_cmp_PartialOrd_Rhs_lt_body'0 (self_:t_Self_'0) (other:t_Rhs'0) (return' (ret:bool))= {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_lt_body 'self_' type invariant] [%#scmp2] inv'0 self_} - {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_lt_body 'other' type invariant] [%#scmp3] inv'1 other} - (! bb0 - [ bb0 = s0 [ s0 = partial_cmp'0 {self_} {other} (fun (_ret':t_Option'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = any [ br0 -> {_4 = C_None'0 } (! bb8) | br1 (x0:t_Ordering'0)-> {_4 = C_Some'0 x0} (! bb3) ] - | bb8 = bb2 - | bb3 = v_Some'0 {_4} - (fun (r0'0:t_Ordering'0) -> - any - [ br0 -> {r0'0 = C_Less'0 } (! bb4) - | br1 -> {r0'0 = C_Equal'0 } (! bb2) - | br2 -> {r0'0 = C_Greater'0 } (! bb2) ] - ) - | bb2 = s0 [ s0 = [ &_0 <- [%#scmp0] false ] s1 | s1 = bb6 ] - | bb4 = bb5 - | bb5 = s0 [ s0 = [ &_0 <- [%#scmp1] true ] s1 | s1 = bb6 ] - | bb6 = return' {_0} ] - ) - [ & _0 : bool = any_l () | & self_ : t_Self_'0 = self_ | & other : t_Rhs'0 = other | & _4 : t_Option'0 = any_l () ] - - [ return' (result:bool)-> {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_lt_body ensures] [%#scmp4] result - = lt_log'0 (deep_model'0 self_) (deep_model'1 other)} - (! return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_PartialOrd_Rhs_le_body [#"../../../creusot-contracts/src/std/cmp.rs" 27 32 44 18] - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 47 29 47 34 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 46 66 46 70 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 44 29 44 34 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 43 26 43 77 - let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 32 26 32 91 - let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - let%span sinvariant20 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - - use prelude.prelude.Borrow - - type t_Self_'0 + type t_V'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + use seq.Seq - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = - [%#sinvariant20] inv'2 self + use prelude.prelude.UInt16 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'0 x] . inv'0 x = invariant'0 x + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - type t_Rhs'0 + use prelude.prelude.Opaque - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = - [%#sinvariant20] inv'3 self + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - axiom inv_axiom'1 [@rewrite] : forall x : t_Rhs'0 [inv'1 x] . inv'1 x = invariant'1 x + use prelude.prelude.UIntSize - type t_DeepModelTy'0 + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function deep_model'2 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 + type t_Iter'1 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function deep_model'3 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Rhs'0) : t_DeepModelTy'0 + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_FMap'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 97 4 97 33] (self : t_Iter'0) : t_FMap'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use prelude.prelude.Int - axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord19] (x = y) - = (cmp_log'0 x y = C_Equal'0) + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap3] len'0 self >= 0 - axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord17] cmp_log'0 x y = C_Greater'0) - -> ([%#sord18] cmp_log'0 y x = C_Less'0) + use seq.Seq - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + use seq.Seq + + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + = + [%#sseq4] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord15] cmp_log'0 x y = C_Less'0) - -> ([%#sord16] cmp_log'0 y x = C_Greater'0) + type t_DeepModelTy'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () - + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord12] cmp_log'0 x y - = o) -> ([%#sord13] cmp_log'0 y z = o) -> ([%#sord14] cmp_log'0 x z = o) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_K'0) : t_DeepModelTy'0 = + [%#smodel5] deep_model'1 self - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord11] cmp_log'0 x x = C_Equal'0 + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + use map.Map - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) - axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] gt_log'0 x y - = (cmp_log'0 x y = C_Greater'0) + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap8] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + use map.Map - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + = + [%#sfmap7] Map.get (view'1 self) k - axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] ge_log'0 x y - = (cmp_log'0 x y <> C_Less'0) - - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + = + [%#sfmap6] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 105 4 105 64] (self : t_Iter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_Iter'0) + = + [%#shash_map2] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k2 : t_K'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) - axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord8] lt_log'0 x y - = (cmp_log'0 x y = C_Less'0) + constant self : t_Iter'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 131 4 131 26] (self : t_Iter'0) : () - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + goal vc_produces_refl'0 : [%#shash_map0] produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi17813512624381000997__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 138 4 138 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 135 15 135 32 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 136 15 136 32 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 137 14 137 42 + let%span shash_map3 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 139 24 139 102 + let%span shash_map4 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 139 8 139 104 + let%span shash_map5 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 108 12 118 29 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq7 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span smodel8 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sfmap9 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap11 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord7] le_log'0 x y - = (cmp_log'0 x y <> C_Greater'0) + use prelude.prelude.UInt16 - type t_Option'0 = - | C_None'0 - | C_Some'0 (t_Ordering'0) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - let rec partial_cmp'0 (self:t_Self_'0) (other:t_Rhs'0) (return' (ret:t_Option'0))= {[@expl:partial_cmp 'self' type invariant] inv'0 self} - {[@expl:partial_cmp 'other' type invariant] inv'1 other} - any - [ return' (result:t_Option'0)-> {[%#scmp5] result = C_Some'0 (cmp_log'0 (deep_model'2 self) (deep_model'3 other))} - (! return' {result}) ] - + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Ordering'0))= any - [ good (field_0:t_Ordering'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_Ordering'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} - (! {false} - any) ] - + use prelude.prelude.Opaque - use prelude.prelude.Intrinsic + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = - [%#smodel6] deep_model'2 self + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = - [%#smodel6] deep_model'3 self + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - meta "compute_max_steps" 1000000 + use prelude.prelude.UIntSize - let rec extern_spec_std_cmp_PartialOrd_Rhs_le_body'0 (self_:t_Self_'0) (other:t_Rhs'0) (return' (ret:bool))= {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_le_body 'self_' type invariant] [%#scmp2] inv'0 self_} - {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_le_body 'other' type invariant] [%#scmp3] inv'1 other} - (! bb0 - [ bb0 = s0 [ s0 = partial_cmp'0 {self_} {other} (fun (_ret':t_Option'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = any [ br0 -> {_4 = C_None'0 } (! bb8) | br1 (x0:t_Ordering'0)-> {_4 = C_Some'0 x0} (! bb3) ] - | bb8 = bb2 - | bb3 = v_Some'0 {_4} - (fun (r0'0:t_Ordering'0) -> - any - [ br0 -> {r0'0 = C_Less'0 } (! bb4) - | br1 -> {r0'0 = C_Equal'0 } (! bb4) - | br2 -> {r0'0 = C_Greater'0 } (! bb2) ] - ) - | bb2 = s0 [ s0 = [ &_0 <- [%#scmp0] false ] s1 | s1 = bb6 ] - | bb4 = bb5 - | bb5 = s0 [ s0 = [ &_0 <- [%#scmp1] true ] s1 | s1 = bb6 ] - | bb6 = return' {_0} ] - ) - [ & _0 : bool = any_l () | & self_ : t_Self_'0 = self_ | & other : t_Rhs'0 = other | & _4 : t_Option'0 = any_l () ] - - [ return' (result:bool)-> {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_le_body ensures] [%#scmp4] result - = le_log'0 (deep_model'0 self_) (deep_model'1 other)} - (! return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_PartialOrd_Rhs_gt_body [#"../../../creusot-contracts/src/std/cmp.rs" 27 32 52 18] - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 55 29 55 34 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 54 51 54 55 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 52 29 52 34 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 51 26 51 76 - let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 32 26 32 91 - let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - let%span sinvariant20 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_Iter'1 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } + + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } use prelude.prelude.Borrow - type t_Self_'0 + type t_K'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_V'0 - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = - [%#sinvariant20] inv'2 self + use seq.Seq - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_FMap'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'0 x] . inv'0 x = invariant'0 x + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 97 4 97 33] (self : t_Iter'0) : t_FMap'0 + - type t_Rhs'0 + use prelude.prelude.Int - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = - [%#sinvariant20] inv'3 self + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap6] len'0 self >= 0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + use seq.Seq - axiom inv_axiom'1 [@rewrite] : forall x : t_Rhs'0 [inv'1 x] . inv'1 x = invariant'1 x + use seq.Seq + + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq7] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x type t_DeepModelTy'0 - function deep_model'2 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - function deep_model'3 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Rhs'0) : t_DeepModelTy'0 + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_K'0) : t_DeepModelTy'0 = + [%#smodel8] deep_model'1 self - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + use map.Map + + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) - axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord19] (x = y) - = (cmp_log'0 x y = C_Equal'0) + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap11] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + use map.Map + + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + = + [%#sfmap10] Map.get (view'1 self) k - axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord17] cmp_log'0 x y = C_Greater'0) - -> ([%#sord18] cmp_log'0 y x = C_Less'0) + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + + = + [%#sfmap9] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 105 4 105 64] (self : t_Iter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_Iter'0) + = + [%#shash_map5] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k2 : t_K'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) - axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord15] cmp_log'0 x y = C_Less'0) - -> ([%#sord16] cmp_log'0 y x = C_Greater'0) + use seq.Seq - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () - + constant a : t_Iter'0 - axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord12] cmp_log'0 x y - = o) -> ([%#sord13] cmp_log'0 y z = o) -> ([%#sord14] cmp_log'0 x z = o) + constant ab : Seq.seq (t_K'0, t_V'0) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () + constant b : t_Iter'0 - axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord11] cmp_log'0 x x = C_Equal'0 + constant bc : Seq.seq (t_K'0, t_V'0) - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + constant c : t_Iter'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 138 4 138 90] (a : t_Iter'0) (ab : Seq.seq (t_K'0, t_V'0)) (b : t_Iter'0) (bc : Seq.seq (t_K'0, t_V'0)) (c : t_Iter'0) : () - axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] gt_log'0 x y - = (cmp_log'0 x y = C_Greater'0) + goal vc_produces_trans'0 : ([%#shash_map1] produces'0 b bc c) + -> ([%#shash_map0] produces'0 a ab b) + -> ([%#shash_map3] forall i : int . 0 <= i /\ i < Seq.length bc + -> Seq.get bc i = Seq.get (Seq.(++) ab bc) (Seq.length ab + i)) + && (let _ = () in [%#shash_map2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi16052569838167755124__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 183 4 183 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 182 14 182 45 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 180 4 180 10 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 160 12 170 29 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + use seq.Seq - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use prelude.prelude.Borrow - axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] ge_log'0 x y - = (cmp_log'0 x y <> C_Less'0) + type t_K'0 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + type t_V'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use seq.Seq - axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord8] lt_log'0 x y - = (cmp_log'0 x y = C_Less'0) + use prelude.prelude.UInt16 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + use prelude.prelude.UIntSize + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_IterMut'1 = + { t_IterMut__inner'0: t_RawIter'0; t_IterMut__marker'0: () } + + type t_IterMut'0 = + { t_IterMut__base'0: t_IterMut'1 } + + type t_FMap'0 + + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 149 4 149 33] (self : t_IterMut'0) : t_FMap'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + use prelude.prelude.Int + + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int + + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap3] len'0 self >= 0 + + use seq.Seq + + use seq.Seq + + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (x : (t_K'0, borrowed t_V'0)) + = + [%#sseq4] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord7] le_log'0 x y - = (cmp_log'0 x y <> C_Greater'0) + type t_DeepModelTy'0 + + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 type t_Option'0 = | C_None'0 - | C_Some'0 (t_Ordering'0) + | C_Some'0 (borrowed t_V'0) - let rec partial_cmp'0 (self:t_Self_'0) (other:t_Rhs'0) (return' (ret:t_Option'0))= {[@expl:partial_cmp 'self' type invariant] inv'0 self} - {[@expl:partial_cmp 'other' type invariant] inv'1 other} - any - [ return' (result:t_Option'0)-> {[%#scmp5] result = C_Some'0 (cmp_log'0 (deep_model'2 self) (deep_model'3 other))} - (! return' {result}) ] - + type t_Option'1 = + | C_None'1 + | C_Some'1 (borrowed t_V'0) - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Ordering'0))= any - [ good (field_0:t_Ordering'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_Ordering'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} - (! {false} - any) ] + use map.Map + + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) - use prelude.prelude.Intrinsic + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap8] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = - [%#smodel6] deep_model'2 self + use map.Map - function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = - [%#smodel6] deep_model'3 self + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + + = + [%#sfmap7] Map.get (view'1 self) k - meta "compute_max_steps" 1000000 + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + + = + [%#sfmap5] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - let rec extern_spec_std_cmp_PartialOrd_Rhs_gt_body'0 (self_:t_Self_'0) (other:t_Rhs'0) (return' (ret:bool))= {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_gt_body 'self_' type invariant] [%#scmp2] inv'0 self_} - {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_gt_body 'other' type invariant] [%#scmp3] inv'1 other} - (! bb0 - [ bb0 = s0 [ s0 = partial_cmp'0 {self_} {other} (fun (_ret':t_Option'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = any [ br0 -> {_4 = C_None'0 } (! bb8) | br1 (x0:t_Ordering'0)-> {_4 = C_Some'0 x0} (! bb3) ] - | bb8 = bb2 - | bb3 = v_Some'0 {_4} - (fun (r0'0:t_Ordering'0) -> - any - [ br0 -> {r0'0 = C_Less'0 } (! bb2) - | br1 -> {r0'0 = C_Equal'0 } (! bb2) - | br2 -> {r0'0 = C_Greater'0 } (! bb4) ] - ) - | bb2 = s0 [ s0 = [ &_0 <- [%#scmp0] false ] s1 | s1 = bb6 ] - | bb4 = bb5 - | bb5 = s0 [ s0 = [ &_0 <- [%#scmp1] true ] s1 | s1 = bb6 ] - | bb6 = return' {_0} ] - ) - [ & _0 : bool = any_l () | & self_ : t_Self_'0 = self_ | & other : t_Rhs'0 = other | & _4 : t_Option'0 = any_l () ] + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_K'0) : t_DeepModelTy'0 = + [%#smodel6] deep_model'0 self + + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 157 4 157 64] (self : t_IterMut'0) (visited : Seq.seq (t_K'0, borrowed t_V'0)) (o : t_IterMut'0) - [ return' (result:bool)-> {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_gt_body ensures] [%#scmp4] result - = gt_log'0 (deep_model'0 self_) (deep_model'1 other)} - (! return' {result}) ] + = + [%#shash_map2] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : borrowed t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : borrowed t_V'0 . deep_model'1 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'1 k1 = k /\ contains'0 visited (k1, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'1 (let (a, _) = Seq.get visited i1 in a) = deep_model'1 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) + + constant self : t_IterMut'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 183 4 183 26] (self : t_IterMut'0) : () + + goal vc_produces_refl'0 : [%#shash_map0] produces'0 self (Seq.empty : Seq.seq (t_K'0, borrowed t_V'0)) self end -module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_PartialOrd_Rhs_ge_body [#"../../../creusot-contracts/src/std/cmp.rs" 27 32 60 18] - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 63 29 63 34 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 62 69 62 73 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 60 29 60 34 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 59 26 59 77 - let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 32 26 32 91 - let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - let%span sinvariant20 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi16052569838167755124__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 190 4 190 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 187 15 187 32 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 188 15 188 32 + let%span shash_map2 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 189 14 189 42 + let%span shash_map3 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 191 24 191 102 + let%span shash_map4 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 191 8 191 104 + let%span shash_map5 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 160 12 170 29 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq7 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span smodel9 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap11 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - use prelude.prelude.Borrow + use prelude.prelude.UInt16 - type t_Self_'0 + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = - [%#sinvariant20] inv'2 self + use prelude.prelude.Opaque - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'0 x] . inv'0 x = invariant'0 x + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - type t_Rhs'0 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + use prelude.prelude.UIntSize - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = - [%#sinvariant20] inv'3 self + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) + type t_IterMut'1 = + { t_IterMut__inner'0: t_RawIter'0; t_IterMut__marker'0: () } - axiom inv_axiom'1 [@rewrite] : forall x : t_Rhs'0 [inv'1 x] . inv'1 x = invariant'1 x + type t_IterMut'0 = + { t_IterMut__base'0: t_IterMut'1 } - type t_DeepModelTy'0 + use prelude.prelude.Borrow - function deep_model'2 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 + type t_K'0 - function deep_model'3 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Rhs'0) : t_DeepModelTy'0 + type t_V'0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - + type t_FMap'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 149 4 149 33] (self : t_IterMut'0) : t_FMap'0 - axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord19] (x = y) - = (cmp_log'0 x y = C_Equal'0) + use prelude.prelude.Int - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord17] cmp_log'0 x y = C_Greater'0) - -> ([%#sord18] cmp_log'0 y x = C_Less'0) + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap6] len'0 self >= 0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use seq.Seq - axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord15] cmp_log'0 x y = C_Less'0) - -> ([%#sord16] cmp_log'0 y x = C_Greater'0) + use seq.Seq - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (x : (t_K'0, borrowed t_V'0)) + = + [%#sseq7] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord12] cmp_log'0 x y - = o) -> ([%#sord13] cmp_log'0 y z = o) -> ([%#sord14] cmp_log'0 x z = o) - - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () + type t_DeepModelTy'0 - axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord11] cmp_log'0 x x = C_Equal'0 + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_V'0) - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_Option'1 = + | C_None'1 + | C_Some'1 (borrowed t_V'0) - axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] gt_log'0 x y - = (cmp_log'0 x y = C_Greater'0) + use map.Map - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap11] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] ge_log'0 x y - = (cmp_log'0 x y <> C_Less'0) + use map.Map - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + = + [%#sfmap10] Map.get (view'1 self) k - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + = + [%#sfmap8] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord8] lt_log'0 x y - = (cmp_log'0 x y = C_Less'0) + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_K'0) : t_DeepModelTy'0 = + [%#smodel9] deep_model'0 self - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 157 4 157 64] (self : t_IterMut'0) (visited : Seq.seq (t_K'0, borrowed t_V'0)) (o : t_IterMut'0) + = + [%#shash_map5] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : borrowed t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : borrowed t_V'0 . deep_model'1 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'1 k1 = k /\ contains'0 visited (k1, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'1 (let (a, _) = Seq.get visited i1 in a) = deep_model'1 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use seq.Seq - axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord7] le_log'0 x y - = (cmp_log'0 x y <> C_Greater'0) + constant a : t_IterMut'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 (t_Ordering'0) + constant ab : Seq.seq (t_K'0, borrowed t_V'0) - let rec partial_cmp'0 (self:t_Self_'0) (other:t_Rhs'0) (return' (ret:t_Option'0))= {[@expl:partial_cmp 'self' type invariant] inv'0 self} - {[@expl:partial_cmp 'other' type invariant] inv'1 other} - any - [ return' (result:t_Option'0)-> {[%#scmp5] result = C_Some'0 (cmp_log'0 (deep_model'2 self) (deep_model'3 other))} - (! return' {result}) ] - + constant b : t_IterMut'0 - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Ordering'0))= any - [ good (field_0:t_Ordering'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_Ordering'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} - (! {false} - any) ] - + constant bc : Seq.seq (t_K'0, borrowed t_V'0) - use prelude.prelude.Intrinsic + constant c : t_IterMut'0 - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = - [%#smodel6] deep_model'2 self + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 190 4 190 90] (a : t_IterMut'0) (ab : Seq.seq (t_K'0, borrowed t_V'0)) (b : t_IterMut'0) (bc : Seq.seq (t_K'0, borrowed t_V'0)) (c : t_IterMut'0) : () + + + goal vc_produces_trans'0 : ([%#shash_map1] produces'0 b bc c) + -> ([%#shash_map0] produces'0 a ab b) + -> ([%#shash_map3] forall i : int . 0 <= i /\ i < Seq.length bc + -> Seq.get bc i = Seq.get (Seq.(++) ab bc) (Seq.length ab + i)) + && (let _ = () in [%#shash_map2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__set_produces_trans [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 74 0 80 1] + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 71 11 71 33 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 72 11 72 33 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 73 10 73 43 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span shash_set4 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 82 20 82 108 + let%span shash_set5 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 83 20 83 98 + let%span shash_set6 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 81 4 81 31 + let%span shash_set7 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sseq8 = "../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + let%span sseq9 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sseq10 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 + let%span sfset11 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 - function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = - [%#smodel6] deep_model'3 self + type t_I'0 - meta "compute_max_steps" 1000000 - - let rec extern_spec_std_cmp_PartialOrd_Rhs_ge_body'0 (self_:t_Self_'0) (other:t_Rhs'0) (return' (ret:bool))= {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_ge_body 'self_' type invariant] [%#scmp2] inv'0 self_} - {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_ge_body 'other' type invariant] [%#scmp3] inv'1 other} - (! bb0 - [ bb0 = s0 [ s0 = partial_cmp'0 {self_} {other} (fun (_ret':t_Option'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = any [ br0 -> {_4 = C_None'0 } (! bb8) | br1 (x0:t_Ordering'0)-> {_4 = C_Some'0 x0} (! bb3) ] - | bb8 = bb2 - | bb3 = v_Some'0 {_4} - (fun (r0'0:t_Ordering'0) -> - any - [ br0 -> {r0'0 = C_Less'0 } (! bb2) - | br1 -> {r0'0 = C_Equal'0 } (! bb4) - | br2 -> {r0'0 = C_Greater'0 } (! bb4) ] - ) - | bb2 = s0 [ s0 = [ &_0 <- [%#scmp0] false ] s1 | s1 = bb6 ] - | bb4 = bb5 - | bb5 = s0 [ s0 = [ &_0 <- [%#scmp1] true ] s1 | s1 = bb6 ] - | bb6 = return' {_0} ] - ) - [ & _0 : bool = any_l () | & self_ : t_Self_'0 = self_ | & other : t_Rhs'0 = other | & _4 : t_Option'0 = any_l () ] - - [ return' (result:bool)-> {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_ge_body ensures] [%#scmp4] result - = ge_log'0 (deep_model'0 self_) (deep_model'1 other)} - (! return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_Ord_max_body [#"../../../creusot-contracts/src/std/cmp.rs" 68 18 80 18] - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 80 29 80 30 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 80 41 80 45 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 75 26 75 66 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 76 26 76 63 - let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 43 26 43 77 - let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - let%span sinvariant20 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - - use prelude.prelude.Borrow - - type t_Self_'0 - - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = - [%#sinvariant20] inv'0 self - - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_T'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'1 x] . inv'1 x = invariant'0 x + use seq.Seq type t_DeepModelTy'0 - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 + use set.Fset - function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = - [%#smodel6] deep_model'0 self + function view'0 [#"../../../creusot-contracts/src/model.rs" 17 4 17 34] (self : t_I'0) : Fset.fset t_DeepModelTy'0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use set.Fset - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - + use seq.Seq - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use prelude.prelude.Int - axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord19] (x = y) - = (cmp_log'0 x y = C_Equal'0) + use set.Fset - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate contains'1 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + = + [%#sfset11] Fset.mem e self - axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord17] cmp_log'0 x y = C_Greater'0) - -> ([%#sord18] cmp_log'0 y x = C_Less'0) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use seq.Seq - axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord15] cmp_log'0 x y = C_Less'0) - -> ([%#sord16] cmp_log'0 y x = C_Greater'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq9] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_I'0) (visited : Seq.seq t_T'0) (end' : t_I'0) + = + [%#shash_set7] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'1 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'0 visited x1) \/ contains'1 (view'0 end') x) + /\ (forall x : t_T'0 . contains'0 visited x + -> contains'1 (view'0 start) (deep_model'0 x) /\ not contains'1 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'1 (view'0 end') x + -> contains'1 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'0 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord12] cmp_log'0 x y - = o) -> ([%#sord13] cmp_log'0 y z = o) -> ([%#sord14] cmp_log'0 x z = o) + use seq.Seq - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () + function concat_contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (_1 : ()) : () = + [%#sseq8] () - axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord11] cmp_log'0 x x = C_Equal'0 + axiom concat_contains'0_spec : forall _1 : () . [%#sseq3] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'0 (Seq.(++) a b) x + = contains'0 a x + \/ contains'0 b x - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + function get'0 [#"../../../creusot-contracts/src/logic/seq.rs" 82 4 84 17] (self : Seq.seq t_T'0) (ix : int) : t_Option'0 + = + [%#sseq10] if 0 <= ix /\ ix < Seq.length self then C_Some'0 (Seq.get self ix) else C_None'0 - axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] gt_log'0 x y - = (cmp_log'0 x y = C_Greater'0) + constant a : t_I'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + constant ab : Seq.seq t_T'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + constant b : t_I'0 - axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] ge_log'0 x y - = (cmp_log'0 x y <> C_Less'0) + constant bc : Seq.seq t_T'0 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + constant c : t_I'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + function set_produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 74 0 80 1] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () - axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord8] lt_log'0 x y - = (cmp_log'0 x y = C_Less'0) + goal vc_set_produces_trans'0 : ([%#shash_set1] set_produces'0 b bc c) + -> ([%#shash_set0] set_produces'0 a ab b) + -> ([%#sseq3] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'0 (Seq.(++) a b) x = contains'0 a x + \/ contains'0 b x) + -> (let _ = concat_contains'0 () in ([%#shash_set4] forall i : int, x : t_T'0 . Seq.length ab <= i + /\ get'0 (Seq.(++) ab bc) i = C_Some'0 x -> contains'0 bc x) + && (let _ = () in let _ = () in ([%#shash_set5] forall i : int . 0 <= i /\ i < Seq.length bc + -> Seq.get bc i = Seq.get (Seq.(++) ab bc) (Seq.length ab + i)) + && (let _ = () in let _ = () in [%#shash_set2] set_produces'0 a (Seq.(++) ab bc) c))) +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi2602027177218488890__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 102 4 102 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 101 14 101 45 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 99 4 99 10 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 90 8 90 38 + let%span shash_set3 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset4 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + use seq.Seq - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_T'0 - axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord7] le_log'0 x y - = (cmp_log'0 x y <> C_Greater'0) + use seq.Seq - let rec le'0 (self:t_Self_'0) (other:t_Self_'0) (return' (ret:bool))= {[@expl:le 'self' type invariant] inv'1 self} - {[@expl:le 'other' type invariant] inv'1 other} - any - [ return' (result:bool)-> {[%#scmp5] result = le_log'0 (deep_model'1 self) (deep_model'1 other)} - (! return' {result}) ] - + use prelude.prelude.UInt16 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Self_'0) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - use prelude.prelude.Intrinsic + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - meta "compute_max_steps" 1000000 + use prelude.prelude.Opaque - let rec extern_spec_std_cmp_Ord_max_body'0 (self_:t_Self_'0) (o:t_Self_'0) (return' (ret:t_Self_'0))= {[@expl:extern_spec_std_cmp_Ord_max_body 'self_' type invariant] [%#scmp0] inv'0 self_} - {[@expl:extern_spec_std_cmp_Ord_max_body 'o' type invariant] [%#scmp1] inv'0 o} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = bb3 - | bb3 = bb4 - | bb4 = bb5 - | bb5 = s0 [ s0 = le'0 {self_} {o} (fun (_ret':bool) -> [ &_8 <- _ret' ] s1) | s1 = bb6 ] - | bb6 = any [ br0 -> {_8 = false} (! bb8) | br1 -> {_8} (! bb7) ] - | bb7 = s0 - [ s0 = {[@expl:type invariant] inv'0 self_} s1 | s1 = -{resolve'0 self_}- s2 | s2 = [ &_0 <- o ] s3 | s3 = bb9 ] - - | bb8 = s0 - [ s0 = {[@expl:type invariant] inv'0 o} s1 | s1 = -{resolve'0 o}- s2 | s2 = [ &_0 <- self_ ] s3 | s3 = bb9 ] - - | bb9 = bb10 - | bb10 = bb11 - | bb11 = return' {_0} ] - ) [ & _0 : t_Self_'0 = any_l () | & self_ : t_Self_'0 = self_ | & o : t_Self_'0 = o | & _8 : bool = any_l () ] - [ return' (result:t_Self_'0)-> {[@expl:extern_spec_std_cmp_Ord_max_body result type invariant] [%#scmp2] inv'0 result} - {[@expl:extern_spec_std_cmp_Ord_max_body ensures #0] [%#scmp3] ge_log'0 (deep_model'0 result) (deep_model'0 self_)} - {[@expl:extern_spec_std_cmp_Ord_max_body ensures #1] [%#scmp4] ge_log'0 (deep_model'0 result) (deep_model'0 o)} - {[@expl:extern_spec_std_cmp_Ord_max_body ensures #2] [%#scmp0] result = self_ \/ result = o} - {[@expl:extern_spec_std_cmp_Ord_max_body ensures #3] [%#scmp0] le_log'0 (deep_model'0 self_) (deep_model'0 o) - -> result = o} - {[@expl:extern_spec_std_cmp_Ord_max_body ensures #4] [%#scmp0] lt_log'0 (deep_model'0 o) (deep_model'0 self_) - -> result = self_} - (! return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_Ord_min_body [#"../../../creusot-contracts/src/std/cmp.rs" 68 18 89 18] - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 89 29 89 30 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 89 41 89 45 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 84 26 84 66 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 85 26 85 63 - let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 88 26 88 77 - let%span scmp6 = "../../../creusot-contracts/src/std/cmp.rs" 35 26 35 76 - let%span smodel7 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord20 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - let%span sinvariant21 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - use prelude.prelude.Borrow + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - type t_Self_'0 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + use prelude.prelude.UIntSize - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = - [%#sinvariant21] inv'0 self + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'1 x] . inv'1 x = invariant'0 x + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } - type t_DeepModelTy'0 + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_NonNull'0, t_Layout'0, ()) - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'0; t_RawIntoIter__marker'0: () } - function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = - [%#smodel7] deep_model'0 self + type t_IntoIter'2 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_IntoIter'1 = + { t_IntoIter__iter'0: t_IntoIter'2 } - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_DeepModelTy'0 - axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord20] (x = y) - = (cmp_log'0 x y = C_Equal'0) + use set.Fset - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 46 4 46 33] (self : t_IntoIter'0) : Fset.fset t_DeepModelTy'0 - axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord18] cmp_log'0 x y = C_Greater'0) - -> ([%#sord19] cmp_log'0 y x = C_Less'0) + use set.Fset - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use seq.Seq - axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord16] cmp_log'0 x y = C_Less'0) - -> ([%#sord17] cmp_log'0 y x = C_Greater'0) + use prelude.prelude.Int - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + use set.Fset + + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + = + [%#sfset4] Fset.mem e self - axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord13] cmp_log'0 x y - = o) -> ([%#sord14] cmp_log'0 y z = o) -> ([%#sord15] cmp_log'0 x z = o) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () + use seq.Seq - axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord12] cmp_log'0 x x = C_Equal'0 + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq5] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_IntoIter'0) (visited : Seq.seq t_T'0) (end' : t_IntoIter'0) + = + [%#shash_set3] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 89 4 89 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + = + [%#shash_set2] set_produces'0 self visited o - axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord11] gt_log'0 x y - = (cmp_log'0 x y = C_Greater'0) + constant self : t_IntoIter'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 102 4 102 26] (self : t_IntoIter'0) : () - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + goal vc_produces_refl'0 : [%#shash_set0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi2602027177218488890__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 109 4 109 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 106 15 106 32 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 107 15 107 32 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 108 14 108 42 + let%span shash_set3 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 71 11 71 33 + let%span shash_set4 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 72 11 72 33 + let%span shash_set5 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 73 10 73 43 + let%span shash_set6 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 110 8 110 43 + let%span shash_set7 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 90 8 90 38 + let%span shash_set8 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 81 4 81 31 + let%span shash_set9 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sseq10 = "../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq11 = "../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + let%span sfset12 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq13 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] ge_log'0 x y - = (cmp_log'0 x y <> C_Less'0) + use prelude.prelude.UInt16 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + use prelude.prelude.Opaque + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + use prelude.prelude.UIntSize + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'0; t_RawIntoIter__marker'0: () } + + type t_IntoIter'2 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } + + type t_IntoIter'1 = + { t_IntoIter__iter'0: t_IntoIter'2 } + + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } + + type t_T'0 + + use seq.Seq + + type t_DeepModelTy'0 + + use set.Fset + + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 46 4 46 33] (self : t_IntoIter'0) : Fset.fset t_DeepModelTy'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + use set.Fset + + use seq.Seq + + use prelude.prelude.Int + + use set.Fset + + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + = + [%#sfset12] Fset.mem e self - axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] lt_log'0 x y - = (cmp_log'0 x y = C_Less'0) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + use seq.Seq + + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq13] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_IntoIter'0) (visited : Seq.seq t_T'0) (end' : t_IntoIter'0) + = + [%#shash_set9] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 89 4 89 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + = + [%#shash_set7] set_produces'0 self visited o - axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord8] le_log'0 x y - = (cmp_log'0 x y <> C_Greater'0) + use seq.Seq - let rec lt'0 (self:t_Self_'0) (other:t_Self_'0) (return' (ret:bool))= {[@expl:lt 'self' type invariant] inv'1 self} - {[@expl:lt 'other' type invariant] inv'1 other} - any - [ return' (result:bool)-> {[%#scmp6] result = lt_log'0 (deep_model'1 self) (deep_model'1 other)} - (! return' {result}) ] + function concat_contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (_1 : ()) : () = + [%#sseq11] () + + axiom concat_contains'0_spec : forall _1 : () . [%#sseq10] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'1 (Seq.(++) a b) x + = contains'1 a x + \/ contains'1 b x + + function set_produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 74 0 80 1] (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () + = + [%#shash_set8] let _ = concat_contains'0 () in let _ = let _ = () in () in let _ = let _ = () in () in () - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Self_'0) + axiom set_produces_trans'0_spec : forall a : t_IntoIter'0, ab : Seq.seq t_T'0, b : t_IntoIter'0, bc : Seq.seq t_T'0, c : t_IntoIter'0 . ([%#shash_set3] set_produces'0 a ab b) + -> ([%#shash_set4] set_produces'0 b bc c) -> ([%#shash_set5] set_produces'0 a (Seq.(++) ab bc) c) - use prelude.prelude.Intrinsic + constant a : t_IntoIter'0 - meta "compute_max_steps" 1000000 + constant ab : Seq.seq t_T'0 - let rec extern_spec_std_cmp_Ord_min_body'0 (self_:t_Self_'0) (o:t_Self_'0) (return' (ret:t_Self_'0))= {[@expl:extern_spec_std_cmp_Ord_min_body 'self_' type invariant] [%#scmp0] inv'0 self_} - {[@expl:extern_spec_std_cmp_Ord_min_body 'o' type invariant] [%#scmp1] inv'0 o} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = bb3 - | bb3 = bb4 - | bb4 = bb5 - | bb5 = s0 [ s0 = lt'0 {self_} {o} (fun (_ret':bool) -> [ &_8 <- _ret' ] s1) | s1 = bb6 ] - | bb6 = any [ br0 -> {_8 = false} (! bb8) | br1 -> {_8} (! bb7) ] - | bb7 = s0 - [ s0 = {[@expl:type invariant] inv'0 o} s1 | s1 = -{resolve'0 o}- s2 | s2 = [ &_0 <- self_ ] s3 | s3 = bb9 ] - - | bb8 = s0 - [ s0 = {[@expl:type invariant] inv'0 self_} s1 | s1 = -{resolve'0 self_}- s2 | s2 = [ &_0 <- o ] s3 | s3 = bb9 ] - - | bb9 = bb10 - | bb10 = bb11 - | bb11 = return' {_0} ] - ) [ & _0 : t_Self_'0 = any_l () | & self_ : t_Self_'0 = self_ | & o : t_Self_'0 = o | & _8 : bool = any_l () ] - [ return' (result:t_Self_'0)-> {[@expl:extern_spec_std_cmp_Ord_min_body result type invariant] [%#scmp2] inv'0 result} - {[@expl:extern_spec_std_cmp_Ord_min_body ensures #0] [%#scmp3] le_log'0 (deep_model'0 result) (deep_model'0 self_)} - {[@expl:extern_spec_std_cmp_Ord_min_body ensures #1] [%#scmp4] le_log'0 (deep_model'0 result) (deep_model'0 o)} - {[@expl:extern_spec_std_cmp_Ord_min_body ensures #2] [%#scmp0] result = self_ \/ result = o} - {[@expl:extern_spec_std_cmp_Ord_min_body ensures #3] [%#scmp0] lt_log'0 (deep_model'0 self_) (deep_model'0 o) - -> result = self_} - {[@expl:extern_spec_std_cmp_Ord_min_body ensures #4] [%#scmp5] le_log'0 (deep_model'0 o) (deep_model'0 self_) - -> result = o} - (! return' {result}) ] + constant b : t_IntoIter'0 + + constant bc : Seq.seq t_T'0 + + constant c : t_IntoIter'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 109 4 109 90] (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () + + goal vc_produces_trans'0 : ([%#shash_set1] produces'0 b bc c) + -> ([%#shash_set0] produces'0 a ab b) + -> (([@expl:set_produces_trans requires #0] [%#shash_set3] set_produces'0 a ab b) + && ([@expl:set_produces_trans requires #1] [%#shash_set4] set_produces'0 b bc c)) + /\ (([%#shash_set5] set_produces'0 a (Seq.(++) ab bc) c) + -> (let _ = set_produces_trans'0 a ab b bc c in [%#shash_set2] produces'0 a (Seq.(++) ab bc) c)) end -module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_Ord_clamp_body [#"../../../creusot-contracts/src/std/cmp.rs" 68 18 102 18] - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 102 31 102 34 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 102 42 102 45 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 93 27 93 63 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 102 56 102 60 - let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 94 26 94 65 - let%span scmp6 = "../../../creusot-contracts/src/std/cmp.rs" 95 26 95 65 - let%span scmp7 = "../../../creusot-contracts/src/std/cmp.rs" 97 16 101 43 - let%span scmp8 = "../../../creusot-contracts/src/std/cmp.rs" 51 26 51 76 - let%span scmp9 = "../../../creusot-contracts/src/std/cmp.rs" 35 26 35 76 - let%span smodel10 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord20 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord21 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord22 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord23 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - let%span sinvariant24 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi7331660899108484271__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 141 4 141 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 140 14 140 45 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 138 4 138 10 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 129 8 129 38 + let%span shash_set3 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset4 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span smodel5 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + + use seq.Seq use prelude.prelude.Borrow - type t_Self_'0 + type t_T'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + use seq.Seq - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = - [%#sinvariant24] inv'0 self + use prelude.prelude.UInt16 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'1 x] . inv'1 x = invariant'0 x + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - type t_DeepModelTy'0 + use prelude.prelude.Opaque - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = - [%#smodel10] deep_model'0 self + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - + use prelude.prelude.UIntSize - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord23] (x = y) - = (cmp_log'0 x y = C_Equal'0) + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord21] cmp_log'0 x y = C_Greater'0) - -> ([%#sord22] cmp_log'0 y x = C_Less'0) + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord19] cmp_log'0 x y = C_Less'0) - -> ([%#sord20] cmp_log'0 y x = C_Greater'0) + type t_DeepModelTy'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + use set.Fset + + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 120 4 120 33] (self : t_Iter'0) : Fset.fset t_DeepModelTy'0 - axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord16] cmp_log'0 x y - = o) -> ([%#sord17] cmp_log'0 y z = o) -> ([%#sord18] cmp_log'0 x z = o) + use set.Fset - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () + use seq.Seq - axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord15] cmp_log'0 x x = C_Equal'0 + use prelude.prelude.Int - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + use set.Fset - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + = + [%#sfset4] Fset.mem e self - axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord14] gt_log'0 x y - = (cmp_log'0 x y = C_Greater'0) + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_T'0) : t_DeepModelTy'0 = + [%#smodel5] deep_model'1 self - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use seq.Seq - axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord13] ge_log'0 x y - = (cmp_log'0 x y <> C_Less'0) + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq6] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_Iter'0) (visited : Seq.seq t_T'0) (end' : t_Iter'0) + = + [%#shash_set3] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 128 4 128 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + = + [%#shash_set2] set_produces'0 self visited o - axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord12] lt_log'0 x y - = (cmp_log'0 x y = C_Less'0) + constant self : t_Iter'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 141 4 141 26] (self : t_Iter'0) : () - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + goal vc_produces_refl'0 : [%#shash_set0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi7331660899108484271__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 148 4 148 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 145 15 145 32 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 146 15 146 32 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 147 14 147 42 + let%span shash_set3 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 71 11 71 33 + let%span shash_set4 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 72 11 72 33 + let%span shash_set5 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 73 10 73 43 + let%span shash_set6 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 149 8 149 43 + let%span shash_set7 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 129 8 129 38 + let%span shash_set8 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 81 4 81 31 + let%span shash_set9 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sseq10 = "../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq11 = "../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + let%span sfset12 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span smodel13 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq14 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord11] le_log'0 x y - = (cmp_log'0 x y <> C_Greater'0) + use prelude.prelude.UInt16 - let rec gt'0 (self:t_Self_'0) (other:t_Self_'0) (return' (ret:bool))= {[@expl:gt 'self' type invariant] inv'1 self} - {[@expl:gt 'other' type invariant] inv'1 other} - any - [ return' (result:bool)-> {[%#scmp8] result = gt_log'0 (deep_model'1 self) (deep_model'1 other)} - (! return' {result}) ] - + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Self_'0) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - let rec lt'0 (self:t_Self_'0) (other:t_Self_'0) (return' (ret:bool))= {[@expl:lt 'self' type invariant] inv'1 self} - {[@expl:lt 'other' type invariant] inv'1 other} - any - [ return' (result:bool)-> {[%#scmp9] result = lt_log'0 (deep_model'1 self) (deep_model'1 other)} - (! return' {result}) ] + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + use prelude.prelude.UIntSize + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } + + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } + + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } + + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } + + use prelude.prelude.Borrow + + type t_T'0 + + use seq.Seq + + type t_DeepModelTy'0 + + use set.Fset + + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 120 4 120 33] (self : t_Iter'0) : Fset.fset t_DeepModelTy'0 - use prelude.prelude.Intrinsic + use set.Fset - meta "compute_max_steps" 1000000 + use seq.Seq - let rec extern_spec_std_cmp_Ord_clamp_body'0 (self_:t_Self_'0) (min:t_Self_'0) (max:t_Self_'0) (return' (ret:t_Self_'0))= {[@expl:extern_spec_std_cmp_Ord_clamp_body 'self_' type invariant] [%#scmp0] inv'0 self_} - {[@expl:extern_spec_std_cmp_Ord_clamp_body 'min' type invariant] [%#scmp1] inv'0 min} - {[@expl:extern_spec_std_cmp_Ord_clamp_body 'max' type invariant] [%#scmp2] inv'0 max} - {[@expl:extern_spec_std_cmp_Ord_clamp_body requires] [%#scmp3] le_log'0 (deep_model'0 min) (deep_model'0 max)} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = bb3 - | bb3 = bb4 - | bb4 = bb5 - | bb5 = s0 [ s0 = gt'0 {self_} {max} (fun (_ret':bool) -> [ &_9 <- _ret' ] s1) | s1 = bb6 ] - | bb6 = any [ br0 -> {_9 = false} (! bb8) | br1 -> {_9} (! bb7) ] - | bb7 = s0 - [ s0 = {[@expl:type invariant] inv'0 min} s1 - | s1 = -{resolve'0 min}- s2 - | s2 = {[@expl:type invariant] inv'0 self_} s3 - | s3 = -{resolve'0 self_}- s4 - | s4 = [ &_0 <- max ] s5 - | s5 = bb13 ] - - | bb8 = s0 - [ s0 = {[@expl:type invariant] inv'0 max} s1 - | s1 = -{resolve'0 max}- s2 - | s2 = lt'0 {self_} {min} (fun (_ret':bool) -> [ &_12 <- _ret' ] s3) - | s3 = bb9 ] - - | bb9 = any [ br0 -> {_12 = false} (! bb11) | br1 -> {_12} (! bb10) ] - | bb10 = s0 - [ s0 = {[@expl:type invariant] inv'0 self_} s1 - | s1 = -{resolve'0 self_}- s2 - | s2 = [ &_0 <- min ] s3 - | s3 = bb12 ] - - | bb11 = s0 - [ s0 = {[@expl:type invariant] inv'0 min} s1 | s1 = -{resolve'0 min}- s2 | s2 = [ &_0 <- self_ ] s3 | s3 = bb12 ] - - | bb12 = bb13 - | bb13 = bb14 - | bb14 = bb15 - | bb15 = bb16 - | bb16 = return' {_0} ] - ) - [ & _0 : t_Self_'0 = any_l () - | & self_ : t_Self_'0 = self_ - | & min : t_Self_'0 = min - | & max : t_Self_'0 = max - | & _9 : bool = any_l () - | & _12 : bool = any_l () ] - - [ return' (result:t_Self_'0)-> {[@expl:extern_spec_std_cmp_Ord_clamp_body result type invariant] [%#scmp4] inv'0 result} - {[@expl:extern_spec_std_cmp_Ord_clamp_body ensures #0] [%#scmp5] ge_log'0 (deep_model'0 result) (deep_model'0 min)} - {[@expl:extern_spec_std_cmp_Ord_clamp_body ensures #1] [%#scmp6] le_log'0 (deep_model'0 result) (deep_model'0 max)} - {[@expl:extern_spec_std_cmp_Ord_clamp_body ensures #2] [%#scmp0] result = self_ \/ result = min \/ result = max} - {[@expl:extern_spec_std_cmp_Ord_clamp_body ensures #3] [%#scmp7] if gt_log'0 (deep_model'0 self_) (deep_model'0 max) then - result = max - else - if lt_log'0 (deep_model'0 self_) (deep_model'0 min) then result = min else result = self_ - } - (! return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_max_body [#"../../../creusot-contracts/src/std/cmp.rs" 112 12 113 66] - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 112 22 112 24 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 112 29 112 31 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 112 39 112 40 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 107 22 107 60 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 108 22 108 60 - let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 109 22 109 50 - let%span scmp6 = "../../../creusot-contracts/src/std/cmp.rs" 110 22 110 73 - let%span scmp7 = "../../../creusot-contracts/src/std/cmp.rs" 111 22 111 72 - let%span scmp8 = "../../../creusot-contracts/src/std/cmp.rs" 75 26 75 66 - let%span scmp9 = "../../../creusot-contracts/src/std/cmp.rs" 76 26 76 63 - let%span scmp10 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord20 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord21 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord22 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord23 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + use prelude.prelude.Int - type t_T'0 + use set.Fset - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + + = + [%#sfset12] Fset.mem e self - type t_DeepModelTy'0 + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_T'0) : t_DeepModelTy'0 = + [%#smodel13] deep_model'1 self - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq14] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_Iter'0) (visited : Seq.seq t_T'0) (end' : t_Iter'0) + = + [%#shash_set9] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord23] (x = y) - = (cmp_log'0 x y = C_Equal'0) - - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 128 4 128 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + = + [%#shash_set7] set_produces'0 self visited o - axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord21] cmp_log'0 x y = C_Greater'0) - -> ([%#sord22] cmp_log'0 y x = C_Less'0) + use seq.Seq - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + function concat_contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (_1 : ()) : () = + [%#sseq11] () - axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord19] cmp_log'0 x y = C_Less'0) - -> ([%#sord20] cmp_log'0 y x = C_Greater'0) + axiom concat_contains'0_spec : forall _1 : () . [%#sseq10] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'1 (Seq.(++) a b) x + = contains'1 a x + \/ contains'1 b x - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + function set_produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 74 0 80 1] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + = + [%#shash_set8] let _ = concat_contains'0 () in let _ = let _ = () in () in let _ = let _ = () in () in () - axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord16] cmp_log'0 x y - = o) -> ([%#sord17] cmp_log'0 y z = o) -> ([%#sord18] cmp_log'0 x z = o) + axiom set_produces_trans'0_spec : forall a : t_Iter'0, ab : Seq.seq t_T'0, b : t_Iter'0, bc : Seq.seq t_T'0, c : t_Iter'0 . ([%#shash_set3] set_produces'0 a ab b) + -> ([%#shash_set4] set_produces'0 b bc c) -> ([%#shash_set5] set_produces'0 a (Seq.(++) ab bc) c) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () + constant a : t_Iter'0 - axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord15] cmp_log'0 x x = C_Equal'0 + constant ab : Seq.seq t_T'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + constant b : t_Iter'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + constant bc : Seq.seq t_T'0 - axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord14] gt_log'0 x y - = (cmp_log'0 x y = C_Greater'0) + constant c : t_Iter'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 148 4 148 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + goal vc_produces_trans'0 : ([%#shash_set1] produces'0 b bc c) + -> ([%#shash_set0] produces'0 a ab b) + -> (([@expl:set_produces_trans requires #0] [%#shash_set3] set_produces'0 a ab b) + && ([@expl:set_produces_trans requires #1] [%#shash_set4] set_produces'0 b bc c)) + /\ (([%#shash_set5] set_produces'0 a (Seq.(++) ab bc) c) + -> (let _ = set_produces_trans'0 a ab b bc c in [%#shash_set2] produces'0 a (Seq.(++) ab bc) c)) +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi3673804955138978513__produces_refl [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 216 4 216 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 215 14 215 45 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 213 4 213 10 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 204 8 204 38 + let%span shash_set3 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset4 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span smodel5 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord13] ge_log'0 x y - = (cmp_log'0 x y <> C_Less'0) + use seq.Seq - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + use prelude.prelude.Borrow - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_T'0 - axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord12] lt_log'0 x y - = (cmp_log'0 x y = C_Less'0) + use seq.Seq - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + use prelude.prelude.UInt16 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord11] le_log'0 x y - = (cmp_log'0 x y <> C_Greater'0) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - let rec max'0 (self:t_T'0) (other:t_T'0) (return' (ret:t_T'0))= {[@expl:max 'self' type invariant] inv'0 self} - {[@expl:max 'other' type invariant] inv'0 other} - any - [ return' (result:t_T'0)-> {inv'0 result} - {[%#scmp8] ge_log'0 (deep_model'0 result) (deep_model'0 self)} - {[%#scmp9] ge_log'0 (deep_model'0 result) (deep_model'0 other)} - {[%#scmp10] result = self \/ result = other} - {[%#scmp10] le_log'0 (deep_model'0 self) (deep_model'0 other) -> result = other} - {[%#scmp10] lt_log'0 (deep_model'0 other) (deep_model'0 self) -> result = self} - (! return' {result}) ] - + use prelude.prelude.Opaque - use prelude.prelude.Intrinsic + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - meta "compute_max_steps" 1000000 + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - let rec extern_spec_std_cmp_max_body'0 (v1:t_T'0) (v2:t_T'0) (return' (ret:t_T'0))= {[@expl:extern_spec_std_cmp_max_body 'v1' type invariant] [%#scmp0] inv'0 v1} - {[@expl:extern_spec_std_cmp_max_body 'v2' type invariant] [%#scmp1] inv'0 v2} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = bb3 - | bb3 = bb4 - | bb4 = bb5 - | bb5 = s0 [ s0 = max'0 {v1} {v2} (fun (_ret':t_T'0) -> [ &_0 <- _ret' ] s1) | s1 = bb6 ] - | bb6 = bb7 - | bb7 = bb8 - | bb8 = return' {_0} ] - ) [ & _0 : t_T'0 = any_l () | & v1 : t_T'0 = v1 | & v2 : t_T'0 = v2 ] - [ return' (result:t_T'0)-> {[@expl:extern_spec_std_cmp_max_body result type invariant] [%#scmp2] inv'0 result} - {[@expl:extern_spec_std_cmp_max_body ensures #0] [%#scmp3] ge_log'0 (deep_model'0 result) (deep_model'0 v1)} - {[@expl:extern_spec_std_cmp_max_body ensures #1] [%#scmp4] ge_log'0 (deep_model'0 result) (deep_model'0 v2)} - {[@expl:extern_spec_std_cmp_max_body ensures #2] [%#scmp5] result = v1 \/ result = v2} - {[@expl:extern_spec_std_cmp_max_body ensures #3] [%#scmp6] le_log'0 (deep_model'0 v1) (deep_model'0 v2) - -> result = v2} - {[@expl:extern_spec_std_cmp_max_body ensures #4] [%#scmp7] lt_log'0 (deep_model'0 v2) (deep_model'0 v1) - -> result = v1} - (! return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_min_body [#"../../../creusot-contracts/src/std/cmp.rs" 123 12 124 66] - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 123 22 123 24 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 123 29 123 31 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 123 39 123 40 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 118 22 118 60 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 119 22 119 60 - let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 120 22 120 50 - let%span scmp6 = "../../../creusot-contracts/src/std/cmp.rs" 121 22 121 72 - let%span scmp7 = "../../../creusot-contracts/src/std/cmp.rs" 122 22 122 73 - let%span scmp8 = "../../../creusot-contracts/src/std/cmp.rs" 84 26 84 66 - let%span scmp9 = "../../../creusot-contracts/src/std/cmp.rs" 85 26 85 63 - let%span scmp10 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 - let%span scmp11 = "../../../creusot-contracts/src/std/cmp.rs" 88 26 88 77 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord20 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord21 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord22 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord23 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord24 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - type t_T'0 + use prelude.prelude.UIntSize - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - type t_DeepModelTy'0 + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_S'0 - axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord24] (x = y) - = (cmp_log'0 x y = C_Equal'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } - axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord22] cmp_log'0 x y = C_Greater'0) - -> ([%#sord23] cmp_log'0 y x = C_Less'0) + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_S'0; t_HashMap__table'0: t_RawTable'0 } - axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord20] cmp_log'0 x y = C_Less'0) - -> ([%#sord21] cmp_log'0 y x = C_Greater'0) + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () - + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } - axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord17] cmp_log'0 x y - = o) -> ([%#sord18] cmp_log'0 y z = o) -> ([%#sord19] cmp_log'0 x z = o) + type t_Intersection'0 = + { t_Intersection__iter'0: t_Iter'0; t_Intersection__other'0: t_HashSet'0 } - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () + type t_DeepModelTy'0 - axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord16] cmp_log'0 x x = C_Equal'0 + use set.Fset - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 195 4 195 33] (self : t_Intersection'0) : Fset.fset t_DeepModelTy'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use set.Fset - axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord15] gt_log'0 x y - = (cmp_log'0 x y = C_Greater'0) + use seq.Seq - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + use prelude.prelude.Int - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + use set.Fset + + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + = + [%#sfset4] Fset.mem e self - axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord14] ge_log'0 x y - = (cmp_log'0 x y <> C_Less'0) + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_T'0) : t_DeepModelTy'0 = + [%#smodel5] deep_model'1 self - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - + use seq.Seq - axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord13] lt_log'0 x y - = (cmp_log'0 x y = C_Less'0) + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq6] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_Intersection'0) (visited : Seq.seq t_T'0) (end' : t_Intersection'0) + = + [%#shash_set3] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 203 4 203 64] (self : t_Intersection'0) (visited : Seq.seq t_T'0) (o : t_Intersection'0) + = + [%#shash_set2] set_produces'0 self visited o - axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord12] le_log'0 x y - = (cmp_log'0 x y <> C_Greater'0) + constant self : t_Intersection'0 - let rec min'0 (self:t_T'0) (other:t_T'0) (return' (ret:t_T'0))= {[@expl:min 'self' type invariant] inv'0 self} - {[@expl:min 'other' type invariant] inv'0 other} - any - [ return' (result:t_T'0)-> {inv'0 result} - {[%#scmp8] le_log'0 (deep_model'0 result) (deep_model'0 self)} - {[%#scmp9] le_log'0 (deep_model'0 result) (deep_model'0 other)} - {[%#scmp10] result = self \/ result = other} - {[%#scmp10] lt_log'0 (deep_model'0 self) (deep_model'0 other) -> result = self} - {[%#scmp11] le_log'0 (deep_model'0 other) (deep_model'0 self) -> result = other} - (! return' {result}) ] + function produces_refl'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 216 4 216 26] (self : t_Intersection'0) : () - use prelude.prelude.Intrinsic - - meta "compute_max_steps" 1000000 - - let rec extern_spec_std_cmp_min_body'0 (v1:t_T'0) (v2:t_T'0) (return' (ret:t_T'0))= {[@expl:extern_spec_std_cmp_min_body 'v1' type invariant] [%#scmp0] inv'0 v1} - {[@expl:extern_spec_std_cmp_min_body 'v2' type invariant] [%#scmp1] inv'0 v2} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = bb3 - | bb3 = bb4 - | bb4 = bb5 - | bb5 = s0 [ s0 = min'0 {v1} {v2} (fun (_ret':t_T'0) -> [ &_0 <- _ret' ] s1) | s1 = bb6 ] - | bb6 = bb7 - | bb7 = bb8 - | bb8 = return' {_0} ] - ) [ & _0 : t_T'0 = any_l () | & v1 : t_T'0 = v1 | & v2 : t_T'0 = v2 ] - [ return' (result:t_T'0)-> {[@expl:extern_spec_std_cmp_min_body result type invariant] [%#scmp2] inv'0 result} - {[@expl:extern_spec_std_cmp_min_body ensures #0] [%#scmp3] le_log'0 (deep_model'0 result) (deep_model'0 v1)} - {[@expl:extern_spec_std_cmp_min_body ensures #1] [%#scmp4] le_log'0 (deep_model'0 result) (deep_model'0 v2)} - {[@expl:extern_spec_std_cmp_min_body ensures #2] [%#scmp5] result = v1 \/ result = v2} - {[@expl:extern_spec_std_cmp_min_body ensures #3] [%#scmp6] lt_log'0 (deep_model'0 v1) (deep_model'0 v2) - -> result = v1} - {[@expl:extern_spec_std_cmp_min_body ensures #4] [%#scmp7] le_log'0 (deep_model'0 v2) (deep_model'0 v1) - -> result = v2} - (! return' {result}) ] - + goal vc_produces_refl'0 : [%#shash_set0] produces'0 self (Seq.empty : Seq.seq t_T'0) self end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_le_log [#"../../../creusot-contracts/src/std/cmp.rs" 156 4 156 35] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 155 14 155 64 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 153 4 153 10 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi3673804955138978513__produces_trans [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 223 4 223 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 220 15 220 32 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 221 15 221 32 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 222 14 222 42 + let%span shash_set3 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 71 11 71 33 + let%span shash_set4 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 72 11 72 33 + let%span shash_set5 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 73 10 73 43 + let%span shash_set6 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 224 8 224 43 + let%span shash_set7 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 204 8 204 38 + let%span shash_set8 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 81 4 81 31 + let%span shash_set9 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sseq10 = "../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq11 = "../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + let%span sfset12 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span smodel13 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq14 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - type t_T'0 + use prelude.prelude.UInt16 - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + use prelude.prelude.Opaque - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.UIntSize - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use prelude.prelude.Borrow - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + type t_S'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_S'0; t_HashMap__table'0: t_RawTable'0 } - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + type t_Intersection'0 = + { t_Intersection__iter'0: t_Iter'0; t_Intersection__other'0: t_HashSet'0 } - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + type t_T'0 - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + type t_DeepModelTy'0 - axiom cmp_le_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + use set.Fset - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 195 4 195 33] (self : t_Intersection'0) : Fset.fset t_DeepModelTy'0 - = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + use set.Fset + + use seq.Seq + + use prelude.prelude.Int + + use set.Fset + + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) = - [%#sord2] cmp_log'0 self o <> C_Greater'0 + [%#sfset12] Fset.mem e self - constant x : t_Reverse'0 + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - constant y : t_Reverse'0 + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_T'0) : t_DeepModelTy'0 = + [%#smodel13] deep_model'1 self - function cmp_le_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 156 4 156 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + use seq.Seq + + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq14] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_Intersection'0) (visited : Seq.seq t_T'0) (end' : t_Intersection'0) + = + [%#shash_set9] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - goal vc_cmp_le_log'0 : [%#scmp0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_lt_log [#"../../../creusot-contracts/src/std/cmp.rs" 161 4 161 35] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 160 14 160 61 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 158 4 158 10 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 203 4 203 64] (self : t_Intersection'0) (visited : Seq.seq t_T'0) (o : t_Intersection'0) + + = + [%#shash_set7] set_produces'0 self visited o - type t_T'0 + use seq.Seq - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + function concat_contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (_1 : ()) : () = + [%#sseq11] () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom concat_contains'0_spec : forall _1 : () . [%#sseq10] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'1 (Seq.(++) a b) x + = contains'1 a x + \/ contains'1 b x - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + function set_produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 74 0 80 1] (a : t_Intersection'0) (ab : Seq.seq t_T'0) (b : t_Intersection'0) (bc : Seq.seq t_T'0) (c : t_Intersection'0) : () + = + [%#shash_set8] let _ = concat_contains'0 () in let _ = let _ = () in () in let _ = let _ = () in () in () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + axiom set_produces_trans'0_spec : forall a : t_Intersection'0, ab : Seq.seq t_T'0, b : t_Intersection'0, bc : Seq.seq t_T'0, c : t_Intersection'0 . ([%#shash_set3] set_produces'0 a ab b) + -> ([%#shash_set4] set_produces'0 b bc c) -> ([%#shash_set5] set_produces'0 a (Seq.(++) ab bc) c) - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + constant a : t_Intersection'0 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + constant ab : Seq.seq t_T'0 - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + constant b : t_Intersection'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + constant bc : Seq.seq t_T'0 - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + constant c : t_Intersection'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 223 4 223 90] (a : t_Intersection'0) (ab : Seq.seq t_T'0) (b : t_Intersection'0) (bc : Seq.seq t_T'0) (c : t_Intersection'0) : () - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + goal vc_produces_trans'0 : ([%#shash_set1] produces'0 b bc c) + -> ([%#shash_set0] produces'0 a ab b) + -> (([@expl:set_produces_trans requires #0] [%#shash_set3] set_produces'0 a ab b) + && ([@expl:set_produces_trans requires #1] [%#shash_set4] set_produces'0 b bc c)) + /\ (([%#shash_set5] set_produces'0 a (Seq.(++) ab bc) c) + -> (let _ = set_produces_trans'0 a ab b bc c in [%#shash_set2] produces'0 a (Seq.(++) ab bc) c)) +end +module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_PartialEq_Rhs_ne_body [#"../../../creusot-contracts/src/std/cmp.rs" 10 31 18 18] + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 18 29 18 32 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 17 26 17 75 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 11 26 11 75 + let%span smodel4 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sinvariant5 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + use prelude.prelude.Borrow - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + type t_Self_'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = + [%#sinvariant5] inv'4 self - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'0 x] . inv'0 x = invariant'0 x - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + predicate invariant'2 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = + [%#sinvariant5] inv'0 self - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + axiom inv_axiom'2 [@rewrite] : forall x : t_Self_'0 [inv'2 x] . inv'2 x = invariant'2 x - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + type t_Rhs'0 - axiom cmp_lt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = + [%#sinvariant5] inv'5 self - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + axiom inv_axiom'1 [@rewrite] : forall x : t_Rhs'0 [inv'1 x] . inv'1 x = invariant'1 x - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 - - = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end + predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = + [%#sinvariant5] inv'1 self - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool - - = - [%#sord2] cmp_log'0 self o = C_Less'0 + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - constant x : t_Reverse'0 + axiom inv_axiom'3 [@rewrite] : forall x : t_Rhs'0 [inv'3 x] . inv'3 x = invariant'3 x - constant y : t_Reverse'0 - - function cmp_lt_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 161 4 161 35] (x : t_Reverse'0) (y : t_Reverse'0) : () - - - goal vc_cmp_lt_log'0 : [%#scmp0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_ge_log [#"../../../creusot-contracts/src/std/cmp.rs" 166 4 166 35] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 165 14 165 61 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 163 4 163 10 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - - type t_T'0 + type t_DeepModelTy'0 - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + function deep_model'4 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = + [%#smodel4] deep_model'4 self - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + function deep_model'2 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = + [%#smodel4] deep_model'0 self - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + function deep_model'5 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Rhs'0) : t_DeepModelTy'0 - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = + [%#smodel4] deep_model'5 self - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + function deep_model'3 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = + [%#smodel4] deep_model'1 self - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + let rec eq'0 (self:t_Self_'0) (other:t_Rhs'0) (return' (ret:bool))= {[@expl:eq 'self' type invariant] inv'2 self} + {[@expl:eq 'other' type invariant] inv'3 other} + any [ return' (result:bool)-> {[%#scmp3] result = (deep_model'2 self = deep_model'3 other)} (! return' {result}) ] - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Intrinsic - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + meta "compute_max_steps" 1000000 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + let rec extern_spec_std_cmp_PartialEq_Rhs_ne_body'0 (self_:t_Self_'0) (rhs:t_Rhs'0) (return' (ret:bool))= {[@expl:extern_spec_std_cmp_PartialEq_Rhs_ne_body 'self_' type invariant] [%#scmp0] inv'0 self_} + {[@expl:extern_spec_std_cmp_PartialEq_Rhs_ne_body 'rhs' type invariant] [%#scmp1] inv'1 rhs} + (! bb0 + [ bb0 = s0 [ s0 = eq'0 {self_} {rhs} (fun (_ret':bool) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = [ &_0 <- not _4 ] s1 | s1 = return' {_0} ] ] + ) [ & _0 : bool = any_l () | & self_ : t_Self_'0 = self_ | & rhs : t_Rhs'0 = rhs | & _4 : bool = any_l () ] + [ return' (result:bool)-> {[@expl:extern_spec_std_cmp_PartialEq_Rhs_ne_body ensures] [%#scmp2] result + = (deep_model'0 self_ <> deep_model'1 rhs)} + (! return' {result}) ] +end +module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_PartialOrd_Rhs_lt_body [#"../../../creusot-contracts/src/std/cmp.rs" 27 32 36 18] + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 39 29 39 34 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 38 48 38 52 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 36 29 36 34 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 35 26 35 76 + let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 32 26 32 91 + let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + let%span sinvariant20 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use prelude.prelude.Borrow - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + type t_Self_'0 - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = + [%#sinvariant20] inv'2 self - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'0 x] . inv'0 x = invariant'0 x - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + type t_Rhs'0 - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - axiom cmp_ge_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = + [%#sinvariant20] inv'3 self - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + axiom inv_axiom'1 [@rewrite] : forall x : t_Rhs'0 [inv'1 x] . inv'1 x = invariant'1 x - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + type t_DeepModelTy'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function deep_model'2 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function deep_model'3 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Rhs'0) : t_DeepModelTy'0 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - = - [%#sord2] cmp_log'0 self o <> C_Less'0 - constant x : t_Reverse'0 - - constant y : t_Reverse'0 + axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord19] (x = y) + = (cmp_log'0 x y = C_Equal'0) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 166 4 166 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - goal vc_cmp_ge_log'0 : [%#scmp0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_gt_log [#"../../../creusot-contracts/src/std/cmp.rs" 171 4 171 35] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 170 14 170 64 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 168 4 168 10 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - - type t_T'0 + axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord17] cmp_log'0 x y = C_Greater'0) + -> ([%#sord18] cmp_log'0 y x = C_Less'0) - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord15] cmp_log'0 x y = C_Less'0) + -> ([%#sord16] cmp_log'0 y x = C_Greater'0) - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord12] cmp_log'0 x y + = o) -> ([%#sord13] cmp_log'0 y z = o) -> ([%#sord14] cmp_log'0 x z = o) - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord11] cmp_log'0 x x = C_Equal'0 - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] gt_log'0 x y + = (cmp_log'0 x y = C_Greater'0) - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] ge_log'0 x y + = (cmp_log'0 x y <> C_Less'0) - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord8] lt_log'0 x y + = (cmp_log'0 x y = C_Less'0) - axiom cmp_gt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord7] le_log'0 x y + = (cmp_log'0 x y <> C_Greater'0) - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_Ordering'0) - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + let rec partial_cmp'0 (self:t_Self_'0) (other:t_Rhs'0) (return' (ret:t_Option'0))= {[@expl:partial_cmp 'self' type invariant] inv'0 self} + {[@expl:partial_cmp 'other' type invariant] inv'1 other} + any + [ return' (result:t_Option'0)-> {[%#scmp5] result = C_Some'0 (cmp_log'0 (deep_model'2 self) (deep_model'3 other))} + (! return' {result}) ] + - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Ordering'0))= any + [ good (field_0:t_Ordering'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_Ordering'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} + (! {false} + any) ] + - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use prelude.prelude.Intrinsic - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = + [%#smodel6] deep_model'2 self - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = + [%#smodel6] deep_model'3 self - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + meta "compute_max_steps" 1000000 - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 - - = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end - - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + let rec extern_spec_std_cmp_PartialOrd_Rhs_lt_body'0 (self_:t_Self_'0) (other:t_Rhs'0) (return' (ret:bool))= {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_lt_body 'self_' type invariant] [%#scmp2] inv'0 self_} + {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_lt_body 'other' type invariant] [%#scmp3] inv'1 other} + (! bb0 + [ bb0 = s0 [ s0 = partial_cmp'0 {self_} {other} (fun (_ret':t_Option'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = any [ br0 -> {_4 = C_None'0 } (! bb8) | br1 (x0:t_Ordering'0)-> {_4 = C_Some'0 x0} (! bb3) ] + | bb8 = bb2 + | bb3 = v_Some'0 {_4} + (fun (r0'0:t_Ordering'0) -> + any + [ br0 -> {r0'0 = C_Less'0 } (! bb4) + | br1 -> {r0'0 = C_Equal'0 } (! bb2) + | br2 -> {r0'0 = C_Greater'0 } (! bb2) ] + ) + | bb2 = s0 [ s0 = [ &_0 <- [%#scmp0] false ] s1 | s1 = bb6 ] + | bb4 = bb5 + | bb5 = s0 [ s0 = [ &_0 <- [%#scmp1] true ] s1 | s1 = bb6 ] + | bb6 = return' {_0} ] + ) + [ & _0 : bool = any_l () | & self_ : t_Self_'0 = self_ | & other : t_Rhs'0 = other | & _4 : t_Option'0 = any_l () ] - = - [%#sord2] cmp_log'0 self o = C_Greater'0 - - constant x : t_Reverse'0 - - constant y : t_Reverse'0 - - function cmp_gt_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 171 4 171 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + [ return' (result:bool)-> {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_lt_body ensures] [%#scmp4] result + = lt_log'0 (deep_model'0 self_) (deep_model'1 other)} + (! return' {result}) ] - - goal vc_cmp_gt_log'0 : [%#scmp0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__refl [#"../../../creusot-contracts/src/std/cmp.rs" 176 4 176 20] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 175 14 175 45 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 173 4 173 10 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_PartialOrd_Rhs_le_body [#"../../../creusot-contracts/src/std/cmp.rs" 27 32 44 18] + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 47 29 47 34 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 46 66 46 70 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 44 29 44 34 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 43 26 43 77 + let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 32 26 32 91 + let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + let%span sinvariant20 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - type t_T'0 + use prelude.prelude.Borrow - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + type t_Self_'0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = + [%#sinvariant20] inv'2 self - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'0 x] . inv'0 x = invariant'0 x - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_Rhs'0 - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = + [%#sinvariant20] inv'3 self - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + axiom inv_axiom'1 [@rewrite] : forall x : t_Rhs'0 [inv'1 x] . inv'1 x = invariant'1 x - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + type t_DeepModelTy'0 - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + function deep_model'2 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 - axiom refl'1_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + function deep_model'3 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Rhs'0) : t_DeepModelTy'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 + - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord19] (x = y) + = (cmp_log'0 x y = C_Equal'0) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord17] cmp_log'0 x y = C_Greater'0) + -> ([%#sord18] cmp_log'0 y x = C_Less'0) - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord15] cmp_log'0 x y = C_Less'0) + -> ([%#sord16] cmp_log'0 y x = C_Greater'0) - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord12] cmp_log'0 x y + = o) -> ([%#sord13] cmp_log'0 y z = o) -> ([%#sord14] cmp_log'0 x z = o) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord11] cmp_log'0 x x = C_Equal'0 - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - = - [%#scmp2] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end - constant x : t_Reverse'0 - - function refl'0 [#"../../../creusot-contracts/src/std/cmp.rs" 176 4 176 20] (x : t_Reverse'0) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - goal vc_refl'0 : [%#scmp0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__trans [#"../../../creusot-contracts/src/std/cmp.rs" 183 4 183 52] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 180 15 180 32 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 181 15 181 32 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 182 14 182 31 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 178 4 178 10 - let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] gt_log'0 x y + = (cmp_log'0 x y = C_Greater'0) - type t_T'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] ge_log'0 x y + = (cmp_log'0 x y <> C_Less'0) - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) + axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord8] lt_log'0 x y + = (cmp_log'0 x y = C_Less'0) - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) - -> ([%#sord16] cmp_log'1 y x = C_Less'0) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord7] le_log'0 x y + = (cmp_log'0 x y <> C_Greater'0) - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) - -> ([%#sord14] cmp_log'1 y x = C_Greater'0) + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_Ordering'0) - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + let rec partial_cmp'0 (self:t_Self_'0) (other:t_Rhs'0) (return' (ret:t_Option'0))= {[@expl:partial_cmp 'self' type invariant] inv'0 self} + {[@expl:partial_cmp 'other' type invariant] inv'1 other} + any + [ return' (result:t_Option'0)-> {[%#scmp5] result = C_Some'0 (cmp_log'0 (deep_model'2 self) (deep_model'3 other))} + (! return' {result}) ] - axiom trans'1_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) - -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) - - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - - axiom refl'0_spec : forall x : t_T'0 . [%#sord9] cmp_log'1 x x = C_Equal'0 + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Ordering'0))= any + [ good (field_0:t_Ordering'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_Ordering'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} + (! {false} + any) ] + - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Intrinsic - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = + [%#smodel6] deep_model'2 self - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = + [%#smodel6] deep_model'3 self - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + meta "compute_max_steps" 1000000 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + let rec extern_spec_std_cmp_PartialOrd_Rhs_le_body'0 (self_:t_Self_'0) (other:t_Rhs'0) (return' (ret:bool))= {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_le_body 'self_' type invariant] [%#scmp2] inv'0 self_} + {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_le_body 'other' type invariant] [%#scmp3] inv'1 other} + (! bb0 + [ bb0 = s0 [ s0 = partial_cmp'0 {self_} {other} (fun (_ret':t_Option'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = any [ br0 -> {_4 = C_None'0 } (! bb8) | br1 (x0:t_Ordering'0)-> {_4 = C_Some'0 x0} (! bb3) ] + | bb8 = bb2 + | bb3 = v_Some'0 {_4} + (fun (r0'0:t_Ordering'0) -> + any + [ br0 -> {r0'0 = C_Less'0 } (! bb4) + | br1 -> {r0'0 = C_Equal'0 } (! bb4) + | br2 -> {r0'0 = C_Greater'0 } (! bb2) ] + ) + | bb2 = s0 [ s0 = [ &_0 <- [%#scmp0] false ] s1 | s1 = bb6 ] + | bb4 = bb5 + | bb5 = s0 [ s0 = [ &_0 <- [%#scmp1] true ] s1 | s1 = bb6 ] + | bb6 = return' {_0} ] + ) + [ & _0 : bool = any_l () | & self_ : t_Self_'0 = self_ | & other : t_Rhs'0 = other | & _4 : t_Option'0 = any_l () ] + + [ return' (result:bool)-> {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_le_body ensures] [%#scmp4] result + = le_log'0 (deep_model'0 self_) (deep_model'1 other)} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_PartialOrd_Rhs_gt_body [#"../../../creusot-contracts/src/std/cmp.rs" 27 32 52 18] + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 55 29 55 34 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 54 51 54 55 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 52 29 52 34 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 51 26 51 76 + let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 32 26 32 91 + let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + let%span sinvariant20 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Borrow - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + type t_Self_'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = + [%#sinvariant20] inv'2 self - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 - - = - [%#scmp4] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end + axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'0 x] . inv'0 x = invariant'0 x - constant x : t_Reverse'0 + type t_Rhs'0 - constant y : t_Reverse'0 + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - constant z : t_Reverse'0 + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = + [%#sinvariant20] inv'3 self - constant o : t_Ordering'0 + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - function trans'0 [#"../../../creusot-contracts/src/std/cmp.rs" 183 4 183 52] (x : t_Reverse'0) (y : t_Reverse'0) (z : t_Reverse'0) (o : t_Ordering'0) : () - + axiom inv_axiom'1 [@rewrite] : forall x : t_Rhs'0 [inv'1 x] . inv'1 x = invariant'1 x - goal vc_trans'0 : ([%#scmp1] cmp_log'0 y z = o) -> ([%#scmp0] cmp_log'0 x y = o) -> ([%#scmp2] cmp_log'0 x z = o) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__antisym1 [#"../../../creusot-contracts/src/std/cmp.rs" 189 4 189 33] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 187 15 187 45 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 188 14 188 47 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 185 4 185 10 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + type t_DeepModelTy'0 - type t_T'0 + function deep_model'2 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + function deep_model'3 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Rhs'0) : t_DeepModelTy'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) - - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - - axiom antisym1'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord19] (x = y) + = (cmp_log'0 x y = C_Equal'0) - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord17] cmp_log'0 x y = C_Greater'0) + -> ([%#sord18] cmp_log'0 y x = C_Less'0) - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord15] cmp_log'0 x y = C_Less'0) + -> ([%#sord16] cmp_log'0 y x = C_Greater'0) - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord12] cmp_log'0 x y + = o) -> ([%#sord13] cmp_log'0 y z = o) -> ([%#sord14] cmp_log'0 x z = o) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord11] cmp_log'0 x x = C_Equal'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] gt_log'0 x y + = (cmp_log'0 x y = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end - constant x : t_Reverse'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - constant y : t_Reverse'0 + axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] ge_log'0 x y + = (cmp_log'0 x y <> C_Less'0) - function antisym1'0 [#"../../../creusot-contracts/src/std/cmp.rs" 189 4 189 33] (x : t_Reverse'0) (y : t_Reverse'0) : () + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - goal vc_antisym1'0 : ([%#scmp0] cmp_log'0 x y = C_Less'0) -> ([%#scmp1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__antisym2 [#"../../../creusot-contracts/src/std/cmp.rs" 195 4 195 33] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 193 15 193 48 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 194 14 194 44 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 191 4 191 10 - let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - - type t_T'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord8] lt_log'0 x y + = (cmp_log'0 x y = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord7] le_log'0 x y + = (cmp_log'0 x y <> C_Greater'0) - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_Ordering'0) - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + let rec partial_cmp'0 (self:t_Self_'0) (other:t_Rhs'0) (return' (ret:t_Option'0))= {[@expl:partial_cmp 'self' type invariant] inv'0 self} + {[@expl:partial_cmp 'other' type invariant] inv'1 other} + any + [ return' (result:t_Option'0)-> {[%#scmp5] result = C_Some'0 (cmp_log'0 (deep_model'2 self) (deep_model'3 other))} + (! return' {result}) ] + - axiom antisym2'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Ordering'0))= any + [ good (field_0:t_Ordering'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_Ordering'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} + (! {false} + any) ] + - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Intrinsic - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = + [%#smodel6] deep_model'2 self - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = + [%#smodel6] deep_model'3 self - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + meta "compute_max_steps" 1000000 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + let rec extern_spec_std_cmp_PartialOrd_Rhs_gt_body'0 (self_:t_Self_'0) (other:t_Rhs'0) (return' (ret:bool))= {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_gt_body 'self_' type invariant] [%#scmp2] inv'0 self_} + {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_gt_body 'other' type invariant] [%#scmp3] inv'1 other} + (! bb0 + [ bb0 = s0 [ s0 = partial_cmp'0 {self_} {other} (fun (_ret':t_Option'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = any [ br0 -> {_4 = C_None'0 } (! bb8) | br1 (x0:t_Ordering'0)-> {_4 = C_Some'0 x0} (! bb3) ] + | bb8 = bb2 + | bb3 = v_Some'0 {_4} + (fun (r0'0:t_Ordering'0) -> + any + [ br0 -> {r0'0 = C_Less'0 } (! bb2) + | br1 -> {r0'0 = C_Equal'0 } (! bb2) + | br2 -> {r0'0 = C_Greater'0 } (! bb4) ] + ) + | bb2 = s0 [ s0 = [ &_0 <- [%#scmp0] false ] s1 | s1 = bb6 ] + | bb4 = bb5 + | bb5 = s0 [ s0 = [ &_0 <- [%#scmp1] true ] s1 | s1 = bb6 ] + | bb6 = return' {_0} ] + ) + [ & _0 : bool = any_l () | & self_ : t_Self_'0 = self_ | & other : t_Rhs'0 = other | & _4 : t_Option'0 = any_l () ] + + [ return' (result:bool)-> {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_gt_body ensures] [%#scmp4] result + = gt_log'0 (deep_model'0 self_) (deep_model'1 other)} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_PartialOrd_Rhs_ge_body [#"../../../creusot-contracts/src/std/cmp.rs" 27 32 60 18] + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 63 29 63 34 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 62 69 62 73 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 60 29 60 34 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 59 26 59 77 + let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 32 26 32 91 + let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + let%span sinvariant20 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + use prelude.prelude.Borrow - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + type t_Self_'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = + [%#sinvariant20] inv'2 self - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'0 x] . inv'0 x = invariant'0 x - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_Rhs'0 - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 - - = - [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - constant x : t_Reverse'0 + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Rhs'0) = + [%#sinvariant20] inv'3 self - constant y : t_Reverse'0 + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Rhs'0) - function antisym2'0 [#"../../../creusot-contracts/src/std/cmp.rs" 195 4 195 33] (x : t_Reverse'0) (y : t_Reverse'0) : () - + axiom inv_axiom'1 [@rewrite] : forall x : t_Rhs'0 [inv'1 x] . inv'1 x = invariant'1 x - goal vc_antisym2'0 : ([%#scmp0] cmp_log'0 x y = C_Greater'0) -> ([%#scmp1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__eq_cmp [#"../../../creusot-contracts/src/std/cmp.rs" 200 4 200 31] (* as logic::ord::OrdLogic> *) - let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 199 14 199 59 - let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 197 4 197 10 - let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + type t_DeepModelTy'0 - type t_T'0 + function deep_model'2 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 - type t_Reverse'0 = - { t_Reverse__0'0: t_T'0 } + function deep_model'3 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Rhs'0) : t_DeepModelTy'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - - axiom eq_cmp'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) - - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) - - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) - - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) - - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - - axiom refl'0_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 - - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord19] (x = y) + = (cmp_log'0 x y = C_Equal'0) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord17] cmp_log'0 x y = C_Greater'0) + -> ([%#sord18] cmp_log'0 y x = C_Less'0) - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord15] cmp_log'0 x y = C_Less'0) + -> ([%#sord16] cmp_log'0 y x = C_Greater'0) - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord12] cmp_log'0 x y + = o) -> ([%#sord13] cmp_log'0 y z = o) -> ([%#sord14] cmp_log'0 x z = o) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord11] cmp_log'0 x x = C_Equal'0 - function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - = - [%#scmp2] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with - | C_Equal'0 -> C_Equal'0 - | C_Less'0 -> C_Greater'0 - | C_Greater'0 -> C_Less'0 - end - constant x : t_Reverse'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - constant y : t_Reverse'0 + axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] gt_log'0 x y + = (cmp_log'0 x y = C_Greater'0) - function eq_cmp'0 [#"../../../creusot-contracts/src/std/cmp.rs" 200 4 200 31] (x : t_Reverse'0) (y : t_Reverse'0) : () + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - goal vc_eq_cmp'0 : [%#scmp0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__stdqy35z1__deque__qyi3159098507555769709__produces_refl [#"../../../creusot-contracts/src/std/deque.rs" 178 4 178 26] (* as std::iter::Iterator> *) - let%span sdeque0 = "../../../creusot-contracts/src/std/deque.rs" 177 14 177 45 - let%span sdeque1 = "../../../creusot-contracts/src/std/deque.rs" 175 4 175 10 - let%span sdeque2 = "../../../creusot-contracts/src/std/deque.rs" 171 12 171 66 - let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 - let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 - let%span smodel5 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 - let%span sindex6 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - use seq.Seq + axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] ge_log'0 x y + = (cmp_log'0 x y <> C_Less'0) - use prelude.prelude.Borrow + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - type t_T'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - use seq.Seq + axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord8] lt_log'0 x y + = (cmp_log'0 x y = C_Less'0) - use prelude.prelude.Opaque + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - type t_Iter'1 = - { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } + axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord7] le_log'0 x y + = (cmp_log'0 x y <> C_Greater'0) - type t_Iter'0 = - { t_Iter__i1'0: t_Iter'1; t_Iter__i2'0: t_Iter'1 } + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_Ordering'0) - use prelude.prelude.Slice + let rec partial_cmp'0 (self:t_Self_'0) (other:t_Rhs'0) (return' (ret:t_Option'0))= {[@expl:partial_cmp 'self' type invariant] inv'0 self} + {[@expl:partial_cmp 'other' type invariant] inv'1 other} + any + [ return' (result:t_Option'0)-> {[%#scmp5] result = C_Some'0 (cmp_log'0 (deep_model'2 self) (deep_model'3 other))} + (! return' {result}) ] + - function view'0 [#"../../../creusot-contracts/src/std/deque.rs" 155 4 155 33] (self : t_Iter'0) : slice t_T'0 + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Ordering'0))= any + [ good (field_0:t_Ordering'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_Ordering'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} + (! {false} + any) ] + - use seq.Seq + use prelude.prelude.Intrinsic - use seq.Seq + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = + [%#smodel6] deep_model'2 self - use seq.Seq + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Rhs'0) : t_DeepModelTy'0 = + [%#smodel6] deep_model'3 self - use prelude.prelude.UIntSize + meta "compute_max_steps" 1000000 - constant v_MAX'0 : usize = (18446744073709551615 : usize) - - use prelude.prelude.UIntSize - - use prelude.prelude.Int - - use prelude.prelude.Slice - - function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - - axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice7] Seq.length (view'2 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice8] view'2 self = Slice.id self) - - function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = - [%#smodel5] view'2 self - - use seq.Seq - - use seq.Seq - - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + let rec extern_spec_std_cmp_PartialOrd_Rhs_ge_body'0 (self_:t_Self_'0) (other:t_Rhs'0) (return' (ret:bool))= {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_ge_body 'self_' type invariant] [%#scmp2] inv'0 self_} + {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_ge_body 'other' type invariant] [%#scmp3] inv'1 other} + (! bb0 + [ bb0 = s0 [ s0 = partial_cmp'0 {self_} {other} (fun (_ret':t_Option'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = any [ br0 -> {_4 = C_None'0 } (! bb8) | br1 (x0:t_Ordering'0)-> {_4 = C_Some'0 x0} (! bb3) ] + | bb8 = bb2 + | bb3 = v_Some'0 {_4} + (fun (r0'0:t_Ordering'0) -> + any + [ br0 -> {r0'0 = C_Less'0 } (! bb2) + | br1 -> {r0'0 = C_Equal'0 } (! bb4) + | br2 -> {r0'0 = C_Greater'0 } (! bb4) ] + ) + | bb2 = s0 [ s0 = [ &_0 <- [%#scmp0] false ] s1 | s1 = bb6 ] + | bb4 = bb5 + | bb5 = s0 [ s0 = [ &_0 <- [%#scmp1] true ] s1 | s1 = bb6 ] + | bb6 = return' {_0} ] + ) + [ & _0 : bool = any_l () | & self_ : t_Self_'0 = self_ | & other : t_Rhs'0 = other | & _4 : t_Option'0 = any_l () ] - = - [%#sindex6] Seq.get (view'2 self) ix - - function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - - axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice3] Seq.length (to_ref_seq'0 self) - = Seq.length (view'1 self)) - && ([%#sslice4] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) - -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) - - use seq.Seq - - predicate produces'0 [#"../../../creusot-contracts/src/std/deque.rs" 169 4 169 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + [ return' (result:bool)-> {[@expl:extern_spec_std_cmp_PartialOrd_Rhs_ge_body ensures] [%#scmp4] result + = ge_log'0 (deep_model'0 self_) (deep_model'1 other)} + (! return' {result}) ] - = - [%#sdeque2] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - - constant self : t_Iter'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/deque.rs" 178 4 178 26] (self : t_Iter'0) : () - - goal vc_produces_refl'0 : [%#sdeque0] produces'0 self (Seq.empty : Seq.seq t_T'0) self end -module M_creusot_contracts__stdqy35z1__deque__qyi3159098507555769709__produces_trans [#"../../../creusot-contracts/src/std/deque.rs" 185 4 185 90] (* as std::iter::Iterator> *) - let%span sdeque0 = "../../../creusot-contracts/src/std/deque.rs" 182 15 182 32 - let%span sdeque1 = "../../../creusot-contracts/src/std/deque.rs" 183 15 183 32 - let%span sdeque2 = "../../../creusot-contracts/src/std/deque.rs" 184 14 184 42 - let%span sdeque3 = "../../../creusot-contracts/src/std/deque.rs" 180 4 180 10 - let%span sdeque4 = "../../../creusot-contracts/src/std/deque.rs" 171 12 171 66 - let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 - let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 - let%span smodel7 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 - let%span sindex8 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice10 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - - use prelude.prelude.Opaque - - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } - - type t_Iter'1 = - { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } - - type t_Iter'0 = - { t_Iter__i1'0: t_Iter'1; t_Iter__i2'0: t_Iter'1 } +module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_Ord_max_body [#"../../../creusot-contracts/src/std/cmp.rs" 68 18 80 18] + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 80 29 80 30 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 80 41 80 45 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 75 26 75 66 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 76 26 76 63 + let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 43 26 43 77 + let%span smodel6 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + let%span sinvariant20 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 use prelude.prelude.Borrow - type t_T'0 - - use seq.Seq - - use prelude.prelude.Slice - - function view'0 [#"../../../creusot-contracts/src/std/deque.rs" 155 4 155 33] (self : t_Iter'0) : slice t_T'0 - - use seq.Seq - - use seq.Seq - - use seq.Seq - - use prelude.prelude.UIntSize - - constant v_MAX'0 : usize = (18446744073709551615 : usize) + type t_Self_'0 - use prelude.prelude.UIntSize + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - use prelude.prelude.Int + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = + [%#sinvariant20] inv'0 self - use prelude.prelude.Slice + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'1 x] . inv'1 x = invariant'0 x - axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice9] Seq.length (view'2 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice10] view'2 self = Slice.id self) + type t_DeepModelTy'0 - function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = - [%#smodel7] view'2 self + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 - use seq.Seq + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = + [%#smodel6] deep_model'0 self - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - = - [%#sindex8] Seq.get (view'2 self) ix - - function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - - axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice5] Seq.length (to_ref_seq'0 self) - = Seq.length (view'1 self)) - && ([%#sslice6] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) - -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) - - use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/deque.rs" 169 4 169 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - = - [%#sdeque4] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - constant a : t_Iter'0 + axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord19] (x = y) + = (cmp_log'0 x y = C_Equal'0) - constant ab : Seq.seq t_T'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - constant b : t_Iter'0 + axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord17] cmp_log'0 x y = C_Greater'0) + -> ([%#sord18] cmp_log'0 y x = C_Less'0) - constant bc : Seq.seq t_T'0 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - constant c : t_Iter'0 + axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord15] cmp_log'0 x y = C_Less'0) + -> ([%#sord16] cmp_log'0 y x = C_Greater'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/deque.rs" 185 4 185 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () - goal vc_produces_trans'0 : ([%#sdeque1] produces'0 b bc c) - -> ([%#sdeque0] produces'0 a ab b) -> ([%#sdeque2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__cloned__qyi10472681371035856984__produces_refl [#"../../../creusot-contracts/src/std/iter/cloned.rs" 58 4 58 26] (* as std::iter::Iterator> *) - let%span scloned0 = "../../../creusot-contracts/src/std/iter/cloned.rs" 57 14 57 45 - let%span scloned1 = "../../../creusot-contracts/src/std/iter/cloned.rs" 55 4 55 10 - let%span scloned2 = "../../../creusot-contracts/src/std/iter/cloned.rs" 48 12 51 79 - let%span scloned3 = "../../../creusot-contracts/src/std/iter/cloned.rs" 11 14 11 39 - let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord12] cmp_log'0 x y + = o) -> ([%#sord13] cmp_log'0 y z = o) -> ([%#sord14] cmp_log'0 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () - type t_T'0 + axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord11] cmp_log'0 x x = C_Equal'0 - use seq.Seq + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - type t_I'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - type t_Cloned'0 = - { t_Cloned__it'0: t_I'0 } + axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] gt_log'0 x y + = (cmp_log'0 x y = C_Greater'0) - use prelude.prelude.Borrow + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - use seq.Seq + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] ge_log'0 x y + = (cmp_log'0 x y <> C_Less'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Cloned'0) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - axiom inv_axiom'0 [@rewrite] : forall x : t_Cloned'0 [inv'0 x] . inv'0 x - = match x with - | {t_Cloned__it'0 = it} -> inv'1 it - end + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - function iter'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 12 4 12 22] (self : t_Cloned'0) : t_I'0 + axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord8] lt_log'0 x y + = (cmp_log'0 x y = C_Less'0) - axiom iter'0_spec : forall self : t_Cloned'0 . [%#scloned3] inv'0 self -> inv'1 (iter'0 self) + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - use seq.Seq + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - use seq.Seq + axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord7] le_log'0 x y + = (cmp_log'0 x y <> C_Greater'0) - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) + let rec le'0 (self:t_Self_'0) (other:t_Self_'0) (return' (ret:bool))= {[@expl:le 'self' type invariant] inv'1 self} + {[@expl:le 'other' type invariant] inv'1 other} + any + [ return' (result:bool)-> {[%#scmp5] result = le_log'0 (deep_model'1 self) (deep_model'1 other)} + (! return' {result}) ] - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () - + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Self_'0) - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . ([%#siter5] produces'1 a ab b) - -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) + use prelude.prelude.Intrinsic - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_T'0) self - - use seq.Seq - - use seq.Seq - - use prelude.prelude.Int - - use seq.Seq - - use seq.Seq + meta "compute_max_steps" 1000000 - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 46 4 46 64] (self : t_Cloned'0) (visited : Seq.seq t_T'0) (o : t_Cloned'0) + let rec extern_spec_std_cmp_Ord_max_body'0 (self_:t_Self_'0) (o:t_Self_'0) (return' (ret:t_Self_'0))= {[@expl:extern_spec_std_cmp_Ord_max_body 'self_' type invariant] [%#scmp0] inv'0 self_} + {[@expl:extern_spec_std_cmp_Ord_max_body 'o' type invariant] [%#scmp1] inv'0 o} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = bb3 + | bb3 = bb4 + | bb4 = bb5 + | bb5 = s0 [ s0 = le'0 {self_} {o} (fun (_ret':bool) -> [ &_8 <- _ret' ] s1) | s1 = bb6 ] + | bb6 = any [ br0 -> {_8 = false} (! bb8) | br1 -> {_8} (! bb7) ] + | bb7 = s0 + [ s0 = {[@expl:type invariant] inv'0 self_} s1 | s1 = -{resolve'0 self_}- s2 | s2 = [ &_0 <- o ] s3 | s3 = bb9 ] + + | bb8 = s0 + [ s0 = {[@expl:type invariant] inv'0 o} s1 | s1 = -{resolve'0 o}- s2 | s2 = [ &_0 <- self_ ] s3 | s3 = bb9 ] + + | bb9 = bb10 + | bb10 = bb11 + | bb11 = return' {_0} ] + ) [ & _0 : t_Self_'0 = any_l () | & self_ : t_Self_'0 = self_ | & o : t_Self_'0 = o | & _8 : bool = any_l () ] + [ return' (result:t_Self_'0)-> {[@expl:extern_spec_std_cmp_Ord_max_body result type invariant] [%#scmp2] inv'0 result} + {[@expl:extern_spec_std_cmp_Ord_max_body ensures #0] [%#scmp3] ge_log'0 (deep_model'0 result) (deep_model'0 self_)} + {[@expl:extern_spec_std_cmp_Ord_max_body ensures #1] [%#scmp4] ge_log'0 (deep_model'0 result) (deep_model'0 o)} + {[@expl:extern_spec_std_cmp_Ord_max_body ensures #2] [%#scmp0] result = self_ \/ result = o} + {[@expl:extern_spec_std_cmp_Ord_max_body ensures #3] [%#scmp0] le_log'0 (deep_model'0 self_) (deep_model'0 o) + -> result = o} + {[@expl:extern_spec_std_cmp_Ord_max_body ensures #4] [%#scmp0] lt_log'0 (deep_model'0 o) (deep_model'0 self_) + -> result = self_} + (! return' {result}) ] - = - [%#scloned2] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - - constant self : t_Cloned'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 58 4 58 26] (self : t_Cloned'0) : () - - goal vc_produces_refl'0 : [%#scloned0] produces'0 self (Seq.empty : Seq.seq t_T'0) self end -module M_creusot_contracts__stdqy35z1__iter__cloned__qyi10472681371035856984__produces_trans [#"../../../creusot-contracts/src/std/iter/cloned.rs" 65 4 65 90] (* as std::iter::Iterator> *) - let%span scloned0 = "../../../creusot-contracts/src/std/iter/cloned.rs" 62 15 62 32 - let%span scloned1 = "../../../creusot-contracts/src/std/iter/cloned.rs" 63 15 63 32 - let%span scloned2 = "../../../creusot-contracts/src/std/iter/cloned.rs" 64 14 64 42 - let%span scloned3 = "../../../creusot-contracts/src/std/iter/cloned.rs" 60 4 60 10 - let%span scloned4 = "../../../creusot-contracts/src/std/iter/cloned.rs" 48 12 51 79 - let%span scloned5 = "../../../creusot-contracts/src/std/iter/cloned.rs" 11 14 11 39 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - - type t_I'0 - - type t_Cloned'0 = - { t_Cloned__it'0: t_I'0 } - - type t_T'0 - - use seq.Seq +module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_Ord_min_body [#"../../../creusot-contracts/src/std/cmp.rs" 68 18 89 18] + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 89 29 89 30 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 89 41 89 45 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 84 26 84 66 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 85 26 85 63 + let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 88 26 88 77 + let%span scmp6 = "../../../creusot-contracts/src/std/cmp.rs" 35 26 35 76 + let%span smodel7 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord20 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + let%span sinvariant21 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 use prelude.prelude.Borrow - use seq.Seq + type t_Self_'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Cloned'0) + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = + [%#sinvariant21] inv'0 self - axiom inv_axiom'0 [@rewrite] : forall x : t_Cloned'0 [inv'0 x] . inv'0 x - = match x with - | {t_Cloned__it'0 = it} -> inv'1 it - end + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function iter'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 12 4 12 22] (self : t_Cloned'0) : t_I'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'1 x] . inv'1 x = invariant'0 x - axiom iter'0_spec : forall self : t_Cloned'0 . [%#scloned5] inv'0 self -> inv'1 (iter'0 self) + type t_DeepModelTy'0 - use seq.Seq + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 - use seq.Seq + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = + [%#smodel7] deep_model'0 self - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . ([%#siter7] produces'1 a ab b) - -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter6] produces'1 self (Seq.empty : Seq.seq t_T'0) self - - use seq.Seq - - use seq.Seq - - use prelude.prelude.Int - - use seq.Seq - - use seq.Seq - - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 46 4 46 64] (self : t_Cloned'0) (visited : Seq.seq t_T'0) (o : t_Cloned'0) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - = - [%#scloned4] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - - use seq.Seq - - constant a : t_Cloned'0 - - constant ab : Seq.seq t_T'0 - - constant b : t_Cloned'0 - - constant bc : Seq.seq t_T'0 - constant c : t_Cloned'0 + axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord20] (x = y) + = (cmp_log'0 x y = C_Equal'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 65 4 65 90] (a : t_Cloned'0) (ab : Seq.seq t_T'0) (b : t_Cloned'0) (bc : Seq.seq t_T'0) (c : t_Cloned'0) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - goal vc_produces_trans'0 : ([%#scloned1] produces'0 b bc c) - -> ([%#scloned0] produces'0 a ab b) -> ([%#scloned2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__copied__qyi18224474876607687026__produces_refl [#"../../../creusot-contracts/src/std/iter/copied.rs" 58 4 58 26] (* as std::iter::Iterator> *) - let%span scopied0 = "../../../creusot-contracts/src/std/iter/copied.rs" 57 14 57 45 - let%span scopied1 = "../../../creusot-contracts/src/std/iter/copied.rs" 55 4 55 10 - let%span scopied2 = "../../../creusot-contracts/src/std/iter/copied.rs" 48 12 51 79 - let%span scopied3 = "../../../creusot-contracts/src/std/iter/copied.rs" 11 14 11 39 - let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - - use seq.Seq - - type t_T'0 + axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord18] cmp_log'0 x y = C_Greater'0) + -> ([%#sord19] cmp_log'0 y x = C_Less'0) - use seq.Seq + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - type t_I'0 + axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord16] cmp_log'0 x y = C_Less'0) + -> ([%#sord17] cmp_log'0 y x = C_Greater'0) - type t_Copied'0 = - { t_Copied__it'0: t_I'0 } + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + - use prelude.prelude.Borrow + axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord13] cmp_log'0 x y + = o) -> ([%#sord14] cmp_log'0 y z = o) -> ([%#sord15] cmp_log'0 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord12] cmp_log'0 x x = C_Equal'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Copied'0) + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - axiom inv_axiom'0 [@rewrite] : forall x : t_Copied'0 [inv'0 x] . inv'0 x - = match x with - | {t_Copied__it'0 = it} -> inv'1 it - end + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - function iter'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 12 4 12 22] (self : t_Copied'0) : t_I'0 + axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord11] gt_log'0 x y + = (cmp_log'0 x y = C_Greater'0) - axiom iter'0_spec : forall self : t_Copied'0 . [%#scopied3] inv'0 self -> inv'1 (iter'0 self) + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - use seq.Seq + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - use seq.Seq + axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord10] ge_log'0 x y + = (cmp_log'0 x y <> C_Less'0) - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . ([%#siter5] produces'1 a ab b) - -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) + axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord9] lt_log'0 x y + = (cmp_log'0 x y = C_Less'0) - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_T'0) self + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - use seq.Seq + axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord8] le_log'0 x y + = (cmp_log'0 x y <> C_Greater'0) - use seq.Seq + let rec lt'0 (self:t_Self_'0) (other:t_Self_'0) (return' (ret:bool))= {[@expl:lt 'self' type invariant] inv'1 self} + {[@expl:lt 'other' type invariant] inv'1 other} + any + [ return' (result:bool)-> {[%#scmp6] result = lt_log'0 (deep_model'1 self) (deep_model'1 other)} + (! return' {result}) ] + - use prelude.prelude.Int + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Self_'0) - use seq.Seq + use prelude.prelude.Intrinsic - use seq.Seq + meta "compute_max_steps" 1000000 - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 46 4 46 64] (self : t_Copied'0) (visited : Seq.seq t_T'0) (o : t_Copied'0) - - = - [%#scopied2] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - - constant self : t_Copied'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 58 4 58 26] (self : t_Copied'0) : () - - goal vc_produces_refl'0 : [%#scopied0] produces'0 self (Seq.empty : Seq.seq t_T'0) self + let rec extern_spec_std_cmp_Ord_min_body'0 (self_:t_Self_'0) (o:t_Self_'0) (return' (ret:t_Self_'0))= {[@expl:extern_spec_std_cmp_Ord_min_body 'self_' type invariant] [%#scmp0] inv'0 self_} + {[@expl:extern_spec_std_cmp_Ord_min_body 'o' type invariant] [%#scmp1] inv'0 o} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = bb3 + | bb3 = bb4 + | bb4 = bb5 + | bb5 = s0 [ s0 = lt'0 {self_} {o} (fun (_ret':bool) -> [ &_8 <- _ret' ] s1) | s1 = bb6 ] + | bb6 = any [ br0 -> {_8 = false} (! bb8) | br1 -> {_8} (! bb7) ] + | bb7 = s0 + [ s0 = {[@expl:type invariant] inv'0 o} s1 | s1 = -{resolve'0 o}- s2 | s2 = [ &_0 <- self_ ] s3 | s3 = bb9 ] + + | bb8 = s0 + [ s0 = {[@expl:type invariant] inv'0 self_} s1 | s1 = -{resolve'0 self_}- s2 | s2 = [ &_0 <- o ] s3 | s3 = bb9 ] + + | bb9 = bb10 + | bb10 = bb11 + | bb11 = return' {_0} ] + ) [ & _0 : t_Self_'0 = any_l () | & self_ : t_Self_'0 = self_ | & o : t_Self_'0 = o | & _8 : bool = any_l () ] + [ return' (result:t_Self_'0)-> {[@expl:extern_spec_std_cmp_Ord_min_body result type invariant] [%#scmp2] inv'0 result} + {[@expl:extern_spec_std_cmp_Ord_min_body ensures #0] [%#scmp3] le_log'0 (deep_model'0 result) (deep_model'0 self_)} + {[@expl:extern_spec_std_cmp_Ord_min_body ensures #1] [%#scmp4] le_log'0 (deep_model'0 result) (deep_model'0 o)} + {[@expl:extern_spec_std_cmp_Ord_min_body ensures #2] [%#scmp0] result = self_ \/ result = o} + {[@expl:extern_spec_std_cmp_Ord_min_body ensures #3] [%#scmp0] lt_log'0 (deep_model'0 self_) (deep_model'0 o) + -> result = self_} + {[@expl:extern_spec_std_cmp_Ord_min_body ensures #4] [%#scmp5] le_log'0 (deep_model'0 o) (deep_model'0 self_) + -> result = o} + (! return' {result}) ] + end -module M_creusot_contracts__stdqy35z1__iter__copied__qyi18224474876607687026__produces_trans [#"../../../creusot-contracts/src/std/iter/copied.rs" 65 4 65 90] (* as std::iter::Iterator> *) - let%span scopied0 = "../../../creusot-contracts/src/std/iter/copied.rs" 62 15 62 32 - let%span scopied1 = "../../../creusot-contracts/src/std/iter/copied.rs" 63 15 63 32 - let%span scopied2 = "../../../creusot-contracts/src/std/iter/copied.rs" 64 14 64 42 - let%span scopied3 = "../../../creusot-contracts/src/std/iter/copied.rs" 60 4 60 10 - let%span scopied4 = "../../../creusot-contracts/src/std/iter/copied.rs" 48 12 51 79 - let%span scopied5 = "../../../creusot-contracts/src/std/iter/copied.rs" 11 14 11 39 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - - type t_I'0 - - type t_Copied'0 = - { t_Copied__it'0: t_I'0 } - - type t_T'0 - - use seq.Seq +module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_Ord_clamp_body [#"../../../creusot-contracts/src/std/cmp.rs" 68 18 102 18] + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 102 31 102 34 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 102 42 102 45 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 93 27 93 63 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 102 56 102 60 + let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 94 26 94 65 + let%span scmp6 = "../../../creusot-contracts/src/std/cmp.rs" 95 26 95 65 + let%span scmp7 = "../../../creusot-contracts/src/std/cmp.rs" 97 16 101 43 + let%span scmp8 = "../../../creusot-contracts/src/std/cmp.rs" 51 26 51 76 + let%span scmp9 = "../../../creusot-contracts/src/std/cmp.rs" 35 26 35 76 + let%span smodel10 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord20 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord21 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord22 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord23 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + let%span sinvariant24 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 use prelude.prelude.Borrow - use seq.Seq + type t_Self_'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Copied'0) + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Self_'0) = + [%#sinvariant24] inv'0 self - axiom inv_axiom'0 [@rewrite] : forall x : t_Copied'0 [inv'0 x] . inv'0 x - = match x with - | {t_Copied__it'0 = it} -> inv'1 it - end + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Self_'0) - function iter'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 12 4 12 22] (self : t_Copied'0) : t_I'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_Self_'0 [inv'1 x] . inv'1 x = invariant'0 x - axiom iter'0_spec : forall self : t_Copied'0 . [%#scopied5] inv'0 self -> inv'1 (iter'0 self) + type t_DeepModelTy'0 - use seq.Seq + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Self_'0) : t_DeepModelTy'0 - use seq.Seq + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_Self_'0) : t_DeepModelTy'0 = + [%#smodel10] deep_model'0 self - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . ([%#siter7] produces'1 a ab b) - -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter6] produces'1 self (Seq.empty : Seq.seq t_T'0) self - - use seq.Seq - - use seq.Seq - - use prelude.prelude.Int - - use seq.Seq - - use seq.Seq - - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 46 4 46 64] (self : t_Copied'0) (visited : Seq.seq t_T'0) (o : t_Copied'0) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - = - [%#scopied4] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - - use seq.Seq - constant a : t_Copied'0 - - constant ab : Seq.seq t_T'0 - - constant b : t_Copied'0 + axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord23] (x = y) + = (cmp_log'0 x y = C_Equal'0) - constant bc : Seq.seq t_T'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - constant c : t_Copied'0 + axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord21] cmp_log'0 x y = C_Greater'0) + -> ([%#sord22] cmp_log'0 y x = C_Less'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 65 4 65 90] (a : t_Copied'0) (ab : Seq.seq t_T'0) (b : t_Copied'0) (bc : Seq.seq t_T'0) (c : t_Copied'0) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - goal vc_produces_trans'0 : ([%#scopied1] produces'0 b bc c) - -> ([%#scopied0] produces'0 a ab b) -> ([%#scopied2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__empty__qyi10605201058978801838__produces_refl [#"../../../creusot-contracts/src/std/iter/empty.rs" 19 4 19 26] (* as std::iter::Iterator> *) - let%span sempty0 = "../../../creusot-contracts/src/std/iter/empty.rs" 18 14 18 45 - let%span sempty1 = "../../../creusot-contracts/src/std/iter/empty.rs" 16 4 16 10 - let%span sempty2 = "../../../creusot-contracts/src/std/iter/empty.rs" 13 20 13 54 + axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord19] cmp_log'0 x y = C_Less'0) + -> ([%#sord20] cmp_log'0 y x = C_Greater'0) - use seq.Seq + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + - type t_T'0 + axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord16] cmp_log'0 x y + = o) -> ([%#sord17] cmp_log'0 y z = o) -> ([%#sord18] cmp_log'0 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () - type t_Empty'0 = - { t_Empty__0'0: () } + axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord15] cmp_log'0 x x = C_Equal'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 12 4 12 64] (self : t_Empty'0) (visited : Seq.seq t_T'0) (o : t_Empty'0) + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - = - [%#sempty2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - - constant self : t_Empty'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 19 4 19 26] (self : t_Empty'0) : () - goal vc_produces_refl'0 : [%#sempty0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__iter__empty__qyi10605201058978801838__produces_trans [#"../../../creusot-contracts/src/std/iter/empty.rs" 26 4 26 90] (* as std::iter::Iterator> *) - let%span sempty0 = "../../../creusot-contracts/src/std/iter/empty.rs" 23 15 23 32 - let%span sempty1 = "../../../creusot-contracts/src/std/iter/empty.rs" 24 15 24 32 - let%span sempty2 = "../../../creusot-contracts/src/std/iter/empty.rs" 25 14 25 42 - let%span sempty3 = "../../../creusot-contracts/src/std/iter/empty.rs" 21 4 21 10 - let%span sempty4 = "../../../creusot-contracts/src/std/iter/empty.rs" 13 20 13 54 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - type t_Empty'0 = - { t_Empty__0'0: () } + axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord14] gt_log'0 x y + = (cmp_log'0 x y = C_Greater'0) - type t_T'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - use seq.Seq + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - use seq.Seq + axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord13] ge_log'0 x y + = (cmp_log'0 x y <> C_Less'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 12 4 12 64] (self : t_Empty'0) (visited : Seq.seq t_T'0) (o : t_Empty'0) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - = - [%#sempty4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - - use seq.Seq - constant a : t_Empty'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - constant ab : Seq.seq t_T'0 + axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord12] lt_log'0 x y + = (cmp_log'0 x y = C_Less'0) - constant b : t_Empty'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - constant bc : Seq.seq t_T'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - constant c : t_Empty'0 + axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord11] le_log'0 x y + = (cmp_log'0 x y <> C_Greater'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 26 4 26 90] (a : t_Empty'0) (ab : Seq.seq t_T'0) (b : t_Empty'0) (bc : Seq.seq t_T'0) (c : t_Empty'0) : () + let rec gt'0 (self:t_Self_'0) (other:t_Self_'0) (return' (ret:bool))= {[@expl:gt 'self' type invariant] inv'1 self} + {[@expl:gt 'other' type invariant] inv'1 other} + any + [ return' (result:bool)-> {[%#scmp8] result = gt_log'0 (deep_model'1 self) (deep_model'1 other)} + (! return' {result}) ] - goal vc_produces_trans'0 : ([%#sempty1] produces'0 b bc c) - -> ([%#sempty0] produces'0 a ab b) -> ([%#sempty2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__enumerate__qyi2718914205750388896__produces_refl [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 83 4 83 26] (* as std::iter::Iterator> *) - let%span senumerate0 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 82 14 82 45 - let%span senumerate1 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 80 4 80 10 - let%span senumerate2 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 72 12 76 113 - let%span senumerate3 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 14 14 14 39 - let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - let%span senumerate8 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 45 12 49 85 - - use seq.Seq + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Self_'0) - use prelude.prelude.UIntSize + let rec lt'0 (self:t_Self_'0) (other:t_Self_'0) (return' (ret:bool))= {[@expl:lt 'self' type invariant] inv'1 self} + {[@expl:lt 'other' type invariant] inv'1 other} + any + [ return' (result:bool)-> {[%#scmp9] result = lt_log'0 (deep_model'1 self) (deep_model'1 other)} + (! return' {result}) ] + - type t_Item'0 + use prelude.prelude.Intrinsic - use seq.Seq + meta "compute_max_steps" 1000000 - type t_I'0 - - type t_Enumerate'0 = - { t_Enumerate__iter'0: t_I'0; t_Enumerate__count'0: usize } - - use seq.Seq - - use prelude.prelude.Int - - function n'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 21 4 21 21] (self : t_Enumerate'0) : int - - use seq.Seq - - use seq.Seq - - use seq.Seq - - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + let rec extern_spec_std_cmp_Ord_clamp_body'0 (self_:t_Self_'0) (min:t_Self_'0) (max:t_Self_'0) (return' (ret:t_Self_'0))= {[@expl:extern_spec_std_cmp_Ord_clamp_body 'self_' type invariant] [%#scmp0] inv'0 self_} + {[@expl:extern_spec_std_cmp_Ord_clamp_body 'min' type invariant] [%#scmp1] inv'0 min} + {[@expl:extern_spec_std_cmp_Ord_clamp_body 'max' type invariant] [%#scmp2] inv'0 max} + {[@expl:extern_spec_std_cmp_Ord_clamp_body requires] [%#scmp3] le_log'0 (deep_model'0 min) (deep_model'0 max)} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = bb3 + | bb3 = bb4 + | bb4 = bb5 + | bb5 = s0 [ s0 = gt'0 {self_} {max} (fun (_ret':bool) -> [ &_9 <- _ret' ] s1) | s1 = bb6 ] + | bb6 = any [ br0 -> {_9 = false} (! bb8) | br1 -> {_9} (! bb7) ] + | bb7 = s0 + [ s0 = {[@expl:type invariant] inv'0 min} s1 + | s1 = -{resolve'0 min}- s2 + | s2 = {[@expl:type invariant] inv'0 self_} s3 + | s3 = -{resolve'0 self_}- s4 + | s4 = [ &_0 <- max ] s5 + | s5 = bb13 ] + + | bb8 = s0 + [ s0 = {[@expl:type invariant] inv'0 max} s1 + | s1 = -{resolve'0 max}- s2 + | s2 = lt'0 {self_} {min} (fun (_ret':bool) -> [ &_12 <- _ret' ] s3) + | s3 = bb9 ] + + | bb9 = any [ br0 -> {_12 = false} (! bb11) | br1 -> {_12} (! bb10) ] + | bb10 = s0 + [ s0 = {[@expl:type invariant] inv'0 self_} s1 + | s1 = -{resolve'0 self_}- s2 + | s2 = [ &_0 <- min ] s3 + | s3 = bb12 ] + + | bb11 = s0 + [ s0 = {[@expl:type invariant] inv'0 min} s1 | s1 = -{resolve'0 min}- s2 | s2 = [ &_0 <- self_ ] s3 | s3 = bb12 ] + + | bb12 = bb13 + | bb13 = bb14 + | bb14 = bb15 + | bb15 = bb16 + | bb16 = return' {_0} ] + ) + [ & _0 : t_Self_'0 = any_l () + | & self_ : t_Self_'0 = self_ + | & min : t_Self_'0 = min + | & max : t_Self_'0 = max + | & _9 : bool = any_l () + | & _12 : bool = any_l () ] - - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + [ return' (result:t_Self_'0)-> {[@expl:extern_spec_std_cmp_Ord_clamp_body result type invariant] [%#scmp4] inv'0 result} + {[@expl:extern_spec_std_cmp_Ord_clamp_body ensures #0] [%#scmp5] ge_log'0 (deep_model'0 result) (deep_model'0 min)} + {[@expl:extern_spec_std_cmp_Ord_clamp_body ensures #1] [%#scmp6] le_log'0 (deep_model'0 result) (deep_model'0 max)} + {[@expl:extern_spec_std_cmp_Ord_clamp_body ensures #2] [%#scmp0] result = self_ \/ result = min \/ result = max} + {[@expl:extern_spec_std_cmp_Ord_clamp_body ensures #3] [%#scmp7] if gt_log'0 (deep_model'0 self_) (deep_model'0 max) then + result = max + else + if lt_log'0 (deep_model'0 self_) (deep_model'0 min) then result = min else result = self_ + } + (! return' {result}) ] +end +module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_max_body [#"../../../creusot-contracts/src/std/cmp.rs" 112 12 113 66] + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 112 22 112 24 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 112 29 112 31 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 112 39 112 40 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 107 22 107 60 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 108 22 108 60 + let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 109 22 109 50 + let%span scmp6 = "../../../creusot-contracts/src/std/cmp.rs" 110 22 110 73 + let%span scmp7 = "../../../creusot-contracts/src/std/cmp.rs" 111 22 111 72 + let%span scmp8 = "../../../creusot-contracts/src/std/cmp.rs" 75 26 75 66 + let%span scmp9 = "../../../creusot-contracts/src/std/cmp.rs" 76 26 76 63 + let%span scmp10 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord20 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord21 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord22 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord23 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter5] produces'1 a ab b) - -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - - use seq.Seq - - constant v_MAX'0 : usize = (18446744073709551615 : usize) - - use prelude.prelude.UIntSize - - use prelude.prelude.Borrow - - predicate completed'0 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) - - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Enumerate'0) - - function iter'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 15 4 15 22] (self : t_Enumerate'0) : t_I'0 - - axiom iter'0_spec : forall self : t_Enumerate'0 . [%#senumerate3] inv'0 self -> inv'1 (iter'0 self) + type t_T'0 - predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 43 4 43 30] (self : t_Enumerate'0) = - [%#senumerate8] (forall s : Seq.seq t_Item'0, i : t_I'0 [produces'1 (iter'0 self) s i] . produces'1 (iter'0 self) s i - -> n'0 self + Seq.length s < UIntSize.to_int v_MAX'0) - /\ (forall i : borrowed t_I'0 . completed'0 i -> produces'1 i.current (Seq.empty : Seq.seq t_Item'0) i.final) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - axiom inv_axiom'0 [@rewrite] : forall x : t_Enumerate'0 [inv'0 x] . inv'0 x - = (invariant'0 x - /\ match x with - | {t_Enumerate__iter'0 = iter ; t_Enumerate__count'0 = count} -> inv'1 iter - end) + type t_DeepModelTy'0 - use seq.Seq + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 70 4 70 64] (self : t_Enumerate'0) (visited : Seq.seq (usize, t_Item'0)) (o : t_Enumerate'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 - = - [%#senumerate2] Seq.length visited = n'0 o - n'0 self - /\ (exists s : Seq.seq t_Item'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 0 <= i /\ i < Seq.length s - -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = n'0 self + i - /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) - constant self : t_Enumerate'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 83 4 83 26] (self : t_Enumerate'0) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - goal vc_produces_refl'0 : [%#senumerate0] produces'0 self (Seq.empty : Seq.seq (usize, t_Item'0)) self -end -module M_creusot_contracts__stdqy35z1__iter__enumerate__qyi2718914205750388896__produces_trans [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 90 4 90 90] (* as std::iter::Iterator> *) - let%span senumerate0 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 87 15 87 32 - let%span senumerate1 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 88 15 88 32 - let%span senumerate2 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 89 14 89 42 - let%span senumerate3 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 85 4 85 10 - let%span senumerate4 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 72 12 76 113 - let%span senumerate5 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 14 14 14 39 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - let%span senumerate10 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 45 12 49 85 + axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord23] (x = y) + = (cmp_log'0 x y = C_Equal'0) - type t_I'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - use prelude.prelude.UIntSize + axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord21] cmp_log'0 x y = C_Greater'0) + -> ([%#sord22] cmp_log'0 y x = C_Less'0) - type t_Enumerate'0 = - { t_Enumerate__iter'0: t_I'0; t_Enumerate__count'0: usize } + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - type t_Item'0 + axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord19] cmp_log'0 x y = C_Less'0) + -> ([%#sord20] cmp_log'0 y x = C_Greater'0) - use seq.Seq + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + - use seq.Seq + axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord16] cmp_log'0 x y + = o) -> ([%#sord17] cmp_log'0 y z = o) -> ([%#sord18] cmp_log'0 x z = o) - use prelude.prelude.Int + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () - function n'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 21 4 21 21] (self : t_Enumerate'0) : int + axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord15] cmp_log'0 x x = C_Equal'0 - use seq.Seq + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - use seq.Seq + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - use seq.Seq + axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord14] gt_log'0 x y + = (cmp_log'0 x y = C_Greater'0) - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter7] produces'1 a ab b) - -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter6] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord13] ge_log'0 x y + = (cmp_log'0 x y <> C_Less'0) - use seq.Seq + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - constant v_MAX'0 : usize = (18446744073709551615 : usize) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - use prelude.prelude.UIntSize + axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord12] lt_log'0 x y + = (cmp_log'0 x y = C_Less'0) - use prelude.prelude.Borrow + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - predicate completed'0 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord11] le_log'0 x y + = (cmp_log'0 x y <> C_Greater'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Enumerate'0) + let rec max'0 (self:t_T'0) (other:t_T'0) (return' (ret:t_T'0))= {[@expl:max 'self' type invariant] inv'0 self} + {[@expl:max 'other' type invariant] inv'0 other} + any + [ return' (result:t_T'0)-> {inv'0 result} + {[%#scmp8] ge_log'0 (deep_model'0 result) (deep_model'0 self)} + {[%#scmp9] ge_log'0 (deep_model'0 result) (deep_model'0 other)} + {[%#scmp10] result = self \/ result = other} + {[%#scmp10] le_log'0 (deep_model'0 self) (deep_model'0 other) -> result = other} + {[%#scmp10] lt_log'0 (deep_model'0 other) (deep_model'0 self) -> result = self} + (! return' {result}) ] + - function iter'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 15 4 15 22] (self : t_Enumerate'0) : t_I'0 + use prelude.prelude.Intrinsic - axiom iter'0_spec : forall self : t_Enumerate'0 . [%#senumerate5] inv'0 self -> inv'1 (iter'0 self) + meta "compute_max_steps" 1000000 - predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 43 4 43 30] (self : t_Enumerate'0) = - [%#senumerate10] (forall s : Seq.seq t_Item'0, i : t_I'0 [produces'1 (iter'0 self) s i] . produces'1 (iter'0 self) s i - -> n'0 self + Seq.length s < UIntSize.to_int v_MAX'0) - /\ (forall i : borrowed t_I'0 . completed'0 i -> produces'1 i.current (Seq.empty : Seq.seq t_Item'0) i.final) + let rec extern_spec_std_cmp_max_body'0 (v1:t_T'0) (v2:t_T'0) (return' (ret:t_T'0))= {[@expl:extern_spec_std_cmp_max_body 'v1' type invariant] [%#scmp0] inv'0 v1} + {[@expl:extern_spec_std_cmp_max_body 'v2' type invariant] [%#scmp1] inv'0 v2} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = bb3 + | bb3 = bb4 + | bb4 = bb5 + | bb5 = s0 [ s0 = max'0 {v1} {v2} (fun (_ret':t_T'0) -> [ &_0 <- _ret' ] s1) | s1 = bb6 ] + | bb6 = bb7 + | bb7 = bb8 + | bb8 = return' {_0} ] + ) [ & _0 : t_T'0 = any_l () | & v1 : t_T'0 = v1 | & v2 : t_T'0 = v2 ] + [ return' (result:t_T'0)-> {[@expl:extern_spec_std_cmp_max_body result type invariant] [%#scmp2] inv'0 result} + {[@expl:extern_spec_std_cmp_max_body ensures #0] [%#scmp3] ge_log'0 (deep_model'0 result) (deep_model'0 v1)} + {[@expl:extern_spec_std_cmp_max_body ensures #1] [%#scmp4] ge_log'0 (deep_model'0 result) (deep_model'0 v2)} + {[@expl:extern_spec_std_cmp_max_body ensures #2] [%#scmp5] result = v1 \/ result = v2} + {[@expl:extern_spec_std_cmp_max_body ensures #3] [%#scmp6] le_log'0 (deep_model'0 v1) (deep_model'0 v2) + -> result = v2} + {[@expl:extern_spec_std_cmp_max_body ensures #4] [%#scmp7] lt_log'0 (deep_model'0 v2) (deep_model'0 v1) + -> result = v1} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__cmp__extern_spec_std_cmp_min_body [#"../../../creusot-contracts/src/std/cmp.rs" 123 12 124 66] + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 123 22 123 24 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 123 29 123 31 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 123 39 123 40 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 118 22 118 60 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 119 22 119 60 + let%span scmp5 = "../../../creusot-contracts/src/std/cmp.rs" 120 22 120 50 + let%span scmp6 = "../../../creusot-contracts/src/std/cmp.rs" 121 22 121 72 + let%span scmp7 = "../../../creusot-contracts/src/std/cmp.rs" 122 22 122 73 + let%span scmp8 = "../../../creusot-contracts/src/std/cmp.rs" 84 26 84 66 + let%span scmp9 = "../../../creusot-contracts/src/std/cmp.rs" 85 26 85 63 + let%span scmp10 = "../../../creusot-contracts/src/std/cmp.rs" 7 0 130 1 + let%span scmp11 = "../../../creusot-contracts/src/std/cmp.rs" 88 26 88 77 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord18 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord19 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord20 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord21 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord22 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord23 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord24 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - axiom inv_axiom'0 [@rewrite] : forall x : t_Enumerate'0 [inv'0 x] . inv'0 x - = (invariant'0 x - /\ match x with - | {t_Enumerate__iter'0 = iter ; t_Enumerate__count'0 = count} -> inv'1 iter - end) + type t_T'0 - use seq.Seq + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + type t_DeepModelTy'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 70 4 70 64] (self : t_Enumerate'0) (visited : Seq.seq (usize, t_Item'0)) (o : t_Enumerate'0) - - = - [%#senumerate4] Seq.length visited = n'0 o - n'0 self - /\ (exists s : Seq.seq t_Item'0 . produces'1 (iter'0 self) s (iter'0 o) - /\ Seq.length visited = Seq.length s - /\ (forall i : int . 0 <= i /\ i < Seq.length s - -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = n'0 self + i - /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - constant a : t_Enumerate'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_DeepModelTy'0) (other : t_DeepModelTy'0) : t_Ordering'0 + - constant ab : Seq.seq (usize, t_Item'0) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - constant b : t_Enumerate'0 + axiom eq_cmp'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord24] (x = y) + = (cmp_log'0 x y = C_Equal'0) - constant bc : Seq.seq (usize, t_Item'0) + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - constant c : t_Enumerate'0 + axiom antisym2'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord22] cmp_log'0 x y = C_Greater'0) + -> ([%#sord23] cmp_log'0 y x = C_Less'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 90 4 90 90] (a : t_Enumerate'0) (ab : Seq.seq (usize, t_Item'0)) (b : t_Enumerate'0) (bc : Seq.seq (usize, t_Item'0)) (c : t_Enumerate'0) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - goal vc_produces_trans'0 : ([%#senumerate1] produces'0 b bc c) - -> ([%#senumerate0] produces'0 a ab b) -> ([%#senumerate2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__filter__qyi9573749579793237160__produces_refl [#"../../../creusot-contracts/src/std/iter/filter.rs" 106 4 106 26] (* as std::iter::Iterator> *) - let%span sfilter0 = "../../../creusot-contracts/src/std/iter/filter.rs" 105 14 105 45 - let%span sfilter1 = "../../../creusot-contracts/src/std/iter/filter.rs" 103 4 103 10 - let%span sfilter2 = "../../../creusot-contracts/src/std/iter/filter.rs" 87 12 99 17 - let%span sfilter3 = "../../../creusot-contracts/src/std/iter/filter.rs" 34 12 40 124 - let%span sfilter4 = "../../../creusot-contracts/src/std/iter/filter.rs" 22 14 22 39 - let%span sfilter5 = "../../../creusot-contracts/src/std/iter/filter.rs" 15 14 15 39 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom antisym1'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . ([%#sord20] cmp_log'0 x y = C_Less'0) + -> ([%#sord21] cmp_log'0 y x = C_Greater'0) - use seq.Seq + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) (z : t_DeepModelTy'0) (o : t_Ordering'0) : () + - type t_Item'0 + axiom trans'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0, z : t_DeepModelTy'0, o : t_Ordering'0 . ([%#sord17] cmp_log'0 x y + = o) -> ([%#sord18] cmp_log'0 y z = o) -> ([%#sord19] cmp_log'0 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_DeepModelTy'0) : () - type t_I'0 + axiom refl'0_spec : forall x : t_DeepModelTy'0 . [%#sord16] cmp_log'0 x x = C_Equal'0 - type t_F'0 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - type t_Filter'0 = - { t_Filter__iter'0: t_I'0; t_Filter__predicate'0: t_F'0 } + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () + - use prelude.prelude.Borrow + axiom cmp_gt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord15] gt_log'0 x y + = (cmp_log'0 x y = C_Greater'0) - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : bool) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + axiom cmp_ge_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord14] ge_log'0 x y + = (cmp_log'0 x y <> C_Less'0) - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : bool) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : bool) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : bool . [%#sops12] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + axiom cmp_lt_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord13] lt_log'0 x y + = (cmp_log'0 x y = C_Less'0) - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_DeepModelTy'0) (o : t_DeepModelTy'0) : bool + - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_DeepModelTy'0) (y : t_DeepModelTy'0) : () - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops9] unnest'0 self b) - -> ([%#sops10] unnest'0 b c) -> ([%#sops11] unnest'0 self c) + axiom cmp_le_log'0_spec : forall x : t_DeepModelTy'0, y : t_DeepModelTy'0 . [%#sord12] le_log'0 x y + = (cmp_log'0 x y <> C_Greater'0) - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + let rec min'0 (self:t_T'0) (other:t_T'0) (return' (ret:t_T'0))= {[@expl:min 'self' type invariant] inv'0 self} + {[@expl:min 'other' type invariant] inv'0 other} + any + [ return' (result:t_T'0)-> {inv'0 result} + {[%#scmp8] le_log'0 (deep_model'0 result) (deep_model'0 self)} + {[%#scmp9] le_log'0 (deep_model'0 result) (deep_model'0 other)} + {[%#scmp10] result = self \/ result = other} + {[%#scmp10] lt_log'0 (deep_model'0 self) (deep_model'0 other) -> result = self} + {[%#scmp11] le_log'0 (deep_model'0 other) (deep_model'0 self) -> result = other} + (! return' {result}) ] + - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops8] unnest'0 self self + use prelude.prelude.Intrinsic - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : bool) : () + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_cmp_min_body'0 (v1:t_T'0) (v2:t_T'0) (return' (ret:t_T'0))= {[@expl:extern_spec_std_cmp_min_body 'v1' type invariant] [%#scmp0] inv'0 v1} + {[@expl:extern_spec_std_cmp_min_body 'v2' type invariant] [%#scmp1] inv'0 v2} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = bb3 + | bb3 = bb4 + | bb4 = bb5 + | bb5 = s0 [ s0 = min'0 {v1} {v2} (fun (_ret':t_T'0) -> [ &_0 <- _ret' ] s1) | s1 = bb6 ] + | bb6 = bb7 + | bb7 = bb8 + | bb8 = return' {_0} ] + ) [ & _0 : t_T'0 = any_l () | & v1 : t_T'0 = v1 | & v2 : t_T'0 = v2 ] + [ return' (result:t_T'0)-> {[@expl:extern_spec_std_cmp_min_body result type invariant] [%#scmp2] inv'0 result} + {[@expl:extern_spec_std_cmp_min_body ensures #0] [%#scmp3] le_log'0 (deep_model'0 result) (deep_model'0 v1)} + {[@expl:extern_spec_std_cmp_min_body ensures #1] [%#scmp4] le_log'0 (deep_model'0 result) (deep_model'0 v2)} + {[@expl:extern_spec_std_cmp_min_body ensures #2] [%#scmp5] result = v1 \/ result = v2} + {[@expl:extern_spec_std_cmp_min_body ensures #3] [%#scmp6] lt_log'0 (deep_model'0 v1) (deep_model'0 v2) + -> result = v1} + {[@expl:extern_spec_std_cmp_min_body ensures #4] [%#scmp7] le_log'0 (deep_model'0 v2) (deep_model'0 v1) + -> result = v2} + (! return' {result}) ] +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_le_log [#"../../../creusot-contracts/src/std/cmp.rs" 156 4 156 35] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 155 14 155 64 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 153 4 153 10 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : bool . ([%#sops6] postcondition_mut'0 self args res_state res) - -> ([%#sops7] unnest'0 self res_state) + type t_T'0 - predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 31 4 31 30] (self : t_Filter'0) = - [%#sfilter3] forall f : t_F'0, i : t_Item'0 . precondition'0 f (i) - /\ (forall f : t_F'0, g : t_F'0 . unnest'0 f g -> f = g) - /\ (forall f1 : t_F'0, f2 : t_F'0, i : t_Item'0 . not (postcondition_mut'0 f1 (i) f2 true - /\ postcondition_mut'0 f1 (i) f2 false)) + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Filter'0) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - axiom inv_axiom'0 [@rewrite] : forall x : t_Filter'0 [inv'0 x] . inv'0 x - = (invariant'0 x - /\ match x with - | {t_Filter__iter'0 = iter ; t_Filter__predicate'0 = predicate'} -> inv'2 iter /\ inv'1 predicate' - end) + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - function func'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 23 4 23 22] (self : t_Filter'0) : t_F'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - axiom func'0_spec : forall self : t_Filter'0 . [%#sfilter4] inv'0 self -> inv'1 (func'0 self) + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - use prelude.prelude.Int + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - use map.Map + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function iter'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 16 4 16 22] (self : t_Filter'0) : t_I'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + - axiom iter'0_spec : forall self : t_Filter'0 . [%#sfilter5] inv'0 self -> inv'2 (iter'0 self) + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter14] produces'1 a ab b) - -> ([%#siter15] produces'1 b bc c) -> ([%#siter16] produces'1 a (Seq.(++) ab bc) c) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter13] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - use map.Map + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - use seq.Seq + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 85 4 85 67] (self : t_Filter'0) (visited : Seq.seq t_Item'0) (succ : t_Filter'0) - - = - [%#sfilter2] invariant'0 self - -> unnest'0 (func'0 self) (func'0 succ) - /\ (exists s : Seq.seq t_Item'0, f : Map.map int int . produces'1 (iter'0 self) s (iter'0 succ) - /\ (forall i : int, j : int . 0 <= i /\ i <= j /\ j < Seq.length visited - -> 0 <= Map.get f i /\ Map.get f i <= Map.get f j /\ Map.get f j < Seq.length s) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = Seq.get s (Map.get f i)) - /\ (forall i : int . 0 <= i /\ i < Seq.length s - -> (exists j : int . 0 <= j /\ j < Seq.length visited /\ Map.get f j = i) - = postcondition_mut'0 (func'0 self) (Seq.get s i) (func'0 self) true)) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - constant self : t_Filter'0 + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 106 4 106 26] (self : t_Filter'0) : () + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - goal vc_produces_refl'0 : [%#sfilter0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self -end -module M_creusot_contracts__stdqy35z1__iter__filter__qyi9573749579793237160__produces_trans [#"../../../creusot-contracts/src/std/iter/filter.rs" 113 4 113 90] (* as std::iter::Iterator> *) - let%span sfilter0 = "../../../creusot-contracts/src/std/iter/filter.rs" 110 15 110 32 - let%span sfilter1 = "../../../creusot-contracts/src/std/iter/filter.rs" 111 15 111 32 - let%span sfilter2 = "../../../creusot-contracts/src/std/iter/filter.rs" 112 14 112 42 - let%span sfilter3 = "../../../creusot-contracts/src/std/iter/filter.rs" 108 4 108 10 - let%span sfilter4 = "../../../creusot-contracts/src/std/iter/filter.rs" 87 12 99 17 - let%span sfilter5 = "../../../creusot-contracts/src/std/iter/filter.rs" 34 12 40 124 - let%span sfilter6 = "../../../creusot-contracts/src/std/iter/filter.rs" 22 14 22 39 - let%span sfilter7 = "../../../creusot-contracts/src/std/iter/filter.rs" 15 14 15 39 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops14 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter18 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - type t_I'0 + axiom cmp_le_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) - type t_F'0 + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + + = + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - type t_Filter'0 = - { t_Filter__iter'0: t_I'0; t_Filter__predicate'0: t_F'0 } + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + + = + [%#sord2] cmp_log'0 self o <> C_Greater'0 - type t_Item'0 + constant x : t_Reverse'0 - use seq.Seq + constant y : t_Reverse'0 - use prelude.prelude.Borrow + function cmp_le_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 156 4 156 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) + goal vc_cmp_le_log'0 : [%#scmp0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_lt_log [#"../../../creusot-contracts/src/std/cmp.rs" 161 4 161 35] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 160 14 160 61 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 158 4 158 10 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : bool) - + type t_T'0 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : bool) - + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : bool) : () + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : bool . [%#sops14] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops11] unnest'0 self b) - -> ([%#sops12] unnest'0 b c) -> ([%#sops13] unnest'0 self c) + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops10] unnest'0 self self + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : bool) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : bool . ([%#sops8] postcondition_mut'0 self args res_state res) - -> ([%#sops9] unnest'0 self res_state) + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 31 4 31 30] (self : t_Filter'0) = - [%#sfilter5] forall f : t_F'0, i : t_Item'0 . precondition'0 f (i) - /\ (forall f : t_F'0, g : t_F'0 . unnest'0 f g -> f = g) - /\ (forall f1 : t_F'0, f2 : t_F'0, i : t_Item'0 . not (postcondition_mut'0 f1 (i) f2 true - /\ postcondition_mut'0 f1 (i) f2 false)) + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Filter'0) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - axiom inv_axiom'0 [@rewrite] : forall x : t_Filter'0 [inv'0 x] . inv'0 x - = (invariant'0 x - /\ match x with - | {t_Filter__iter'0 = iter ; t_Filter__predicate'0 = predicate'} -> inv'2 iter /\ inv'1 predicate' - end) + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - function func'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 23 4 23 22] (self : t_Filter'0) : t_F'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - axiom func'0_spec : forall self : t_Filter'0 . [%#sfilter6] inv'0 self -> inv'1 (func'0 self) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - use prelude.prelude.Int + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - use map.Map + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - function iter'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 16 4 16 22] (self : t_Filter'0) : t_I'0 + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - axiom iter'0_spec : forall self : t_Filter'0 . [%#sfilter7] inv'0 self -> inv'2 (iter'0 self) + axiom cmp_lt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) - use seq.Seq + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + = + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + = + [%#sord2] cmp_log'0 self o = C_Less'0 - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter16] produces'1 a ab b) - -> ([%#siter17] produces'1 b bc c) -> ([%#siter18] produces'1 a (Seq.(++) ab bc) c) + constant x : t_Reverse'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + constant y : t_Reverse'0 - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter15] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + function cmp_lt_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 161 4 161 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + - use seq.Seq + goal vc_cmp_lt_log'0 : [%#scmp0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_ge_log [#"../../../creusot-contracts/src/std/cmp.rs" 166 4 166 35] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 165 14 165 61 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 163 4 163 10 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use map.Map + type t_T'0 - use seq.Seq + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 85 4 85 67] (self : t_Filter'0) (visited : Seq.seq t_Item'0) (succ : t_Filter'0) - - = - [%#sfilter4] invariant'0 self - -> unnest'0 (func'0 self) (func'0 succ) - /\ (exists s : Seq.seq t_Item'0, f : Map.map int int . produces'1 (iter'0 self) s (iter'0 succ) - /\ (forall i : int, j : int . 0 <= i /\ i <= j /\ j < Seq.length visited - -> 0 <= Map.get f i /\ Map.get f i <= Map.get f j /\ Map.get f j < Seq.length s) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = Seq.get s (Map.get f i)) - /\ (forall i : int . 0 <= i /\ i < Seq.length s - -> (exists j : int . 0 <= j /\ j < Seq.length visited /\ Map.get f j = i) - = postcondition_mut'0 (func'0 self) (Seq.get s i) (func'0 self) true)) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - constant a : t_Filter'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + - constant ab : Seq.seq t_Item'0 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - constant b : t_Filter'0 + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - constant bc : Seq.seq t_Item'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - constant c : t_Filter'0 + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 113 4 113 90] (a : t_Filter'0) (ab : Seq.seq t_Item'0) (b : t_Filter'0) (bc : Seq.seq t_Item'0) (c : t_Filter'0) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - goal vc_produces_trans'0 : ([%#sfilter1] produces'0 b bc c) - -> ([%#sfilter0] produces'0 a ab b) -> ([%#sfilter2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__fuse__qyi10730559947553418603__produces_refl [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (* as std::iter::Iterator> *) - let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 41 14 41 45 - let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 39 4 39 10 - let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 - let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 - let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - type t_Item'0 + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - use seq.Seq + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - type t_I'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - type t_Option'0 = - | C_None'0 - | C_Some'0 t_I'0 + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - type t_Fuse'0 = - { t_Fuse__iter'0: t_Option'0 } + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + axiom cmp_ge_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'2 a_0 - end + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x - = match x with - | {t_Fuse__iter'0 = iter} -> inv'1 iter - end + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - function view'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - axiom view'0_spec : forall self : t_Fuse'0 . ([%#sfuse3] inv'0 self -> inv'1 (view'0 self)) - && ([%#sfuse4] forall other : t_Fuse'0 . view'0 self = view'0 other -> self = other) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + = + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + = + [%#sord2] cmp_log'0 self o <> C_Less'0 - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) - -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + constant x : t_Reverse'0 - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + constant y : t_Reverse'0 - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + function cmp_ge_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 166 4 166 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) + goal vc_cmp_ge_log'0 : [%#scmp0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__cmp_gt_log [#"../../../creusot-contracts/src/std/cmp.rs" 171 4 171 35] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 170 14 170 64 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 168 4 168 10 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - = - [%#sfuse2] match view'0 self with - | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'0 other = view'0 self - | C_Some'0 i -> match view'0 other with - | C_Some'0 i2 -> produces'1 i prod i2 - | C_None'0 -> false - end - end - constant self : t_Fuse'0 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (self : t_Fuse'0) : () + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - goal vc_produces_refl'0 : [%#sfuse0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self -end -module M_creusot_contracts__stdqy35z1__iter__fuse__qyi10730559947553418603__produces_trans [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (* as std::iter::Iterator> *) - let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 46 15 46 32 - let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 47 15 47 32 - let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 48 14 48 42 - let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 44 4 44 10 - let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 - let%span sfuse5 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 - let%span sfuse6 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - type t_I'0 + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_I'0 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - type t_Fuse'0 = - { t_Fuse__iter'0: t_Option'0 } + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - type t_Item'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + - use seq.Seq + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'2 a_0 - end + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) + axiom cmp_gt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) - axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x - = match x with - | {t_Fuse__iter'0 = iter} -> inv'1 iter - end + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - function view'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - axiom view'0_spec : forall self : t_Fuse'0 . ([%#sfuse5] inv'0 self -> inv'1 (view'0 self)) - && ([%#sfuse6] forall other : t_Fuse'0 . view'0 self = view'0 other -> self = other) + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - use seq.Seq + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter8] produces'1 a ab b) - -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 = - [%#sfuse4] match view'0 self with - | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'0 other = view'0 self - | C_Some'0 i -> match view'0 other with - | C_Some'0 i2 -> produces'1 i prod i2 - | C_None'0 -> false - end + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 end - constant a : t_Fuse'0 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_Reverse'0) (o : t_Reverse'0) : bool + + = + [%#sord2] cmp_log'0 self o = C_Greater'0 - constant ab : Seq.seq t_Item'0 + constant x : t_Reverse'0 - constant b : t_Fuse'0 + constant y : t_Reverse'0 - constant bc : Seq.seq t_Item'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 171 4 171 35] (x : t_Reverse'0) (y : t_Reverse'0) : () + - constant c : t_Fuse'0 + goal vc_cmp_gt_log'0 : [%#scmp0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__refl [#"../../../creusot-contracts/src/std/cmp.rs" 176 4 176 20] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 175 14 175 45 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 173 4 173 10 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (a : t_Fuse'0) (ab : Seq.seq t_Item'0) (b : t_Fuse'0) (bc : Seq.seq t_Item'0) (c : t_Fuse'0) : () + type t_T'0 + + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - goal vc_produces_trans'0 : ([%#sfuse1] produces'0 b bc c) - -> ([%#sfuse0] produces'0 a ab b) -> ([%#sfuse2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__fuse__qyi7691061398646472980__is_fused [#"../../../creusot-contracts/src/std/iter/fuse.rs" 66 4 66 62] (* as std::iter::fuse::FusedIterator> *) - let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 63 15 63 31 - let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 64 15 64 44 - let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 65 14 65 50 - let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 61 4 61 10 - let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 20 12 21 28 - let%span sfuse5 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 - let%span sfuse6 = "../../../creusot-contracts/src/std/iter/fuse.rs" 41 14 41 45 - let%span sfuse7 = "../../../creusot-contracts/src/std/iter/fuse.rs" 39 4 39 10 - let%span sfuse8 = "../../../creusot-contracts/src/std/iter/fuse.rs" 46 15 46 32 - let%span sfuse9 = "../../../creusot-contracts/src/std/iter/fuse.rs" 47 15 47 32 - let%span sfuse10 = "../../../creusot-contracts/src/std/iter/fuse.rs" 48 14 48 42 - let%span sfuse11 = "../../../creusot-contracts/src/std/iter/fuse.rs" 44 4 44 10 - let%span smodel12 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 - let%span sfuse13 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 - let%span sfuse14 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter18 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - type t_I'0 + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_I'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - type t_Fuse'0 = - { t_Fuse__iter'0: t_Option'0 } + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) - type t_Item'0 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) - use seq.Seq + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'2 a_0 - end + axiom refl'1_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x - = match x with - | {t_Fuse__iter'0 = iter} -> inv'1 iter - end + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - function view'1 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - axiom view'1_spec : forall self : t_Fuse'0 . ([%#sfuse13] inv'0 self -> inv'1 (view'1 self)) - && ([%#sfuse14] forall other : t_Fuse'0 . view'1 self = view'1 other -> self = other) + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter16] produces'1 a ab b) - -> ([%#siter17] produces'1 b bc c) -> ([%#siter18] produces'1 a (Seq.(++) ab bc) c) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter15] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) - - = - [%#sfuse5] match view'1 self with - | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'1 other = view'1 self - | C_Some'0 i -> match view'1 other with - | C_Some'0 i2 -> produces'1 i prod i2 - | C_None'0 -> false - end - end + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (a : t_Fuse'0) (ab : Seq.seq t_Item'0) (b : t_Fuse'0) (bc : Seq.seq t_Item'0) (c : t_Fuse'0) : () + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 = - [%#sfuse11] () - - axiom produces_trans'0_spec : forall a : t_Fuse'0, ab : Seq.seq t_Item'0, b : t_Fuse'0, bc : Seq.seq t_Item'0, c : t_Fuse'0 . ([%#sfuse8] produces'0 a ab b) - -> ([%#sfuse9] produces'0 b bc c) -> ([%#sfuse10] produces'0 a (Seq.(++) ab bc) c) - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (self : t_Fuse'0) : () = - [%#sfuse7] () - - axiom produces_refl'0_spec : forall self : t_Fuse'0 . [%#sfuse6] produces'0 self (Seq.empty : Seq.seq t_Item'0) self - - use prelude.prelude.Borrow + [%#scmp2] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - function view'0 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (t_Fuse'0)) : t_Option'0 = - [%#smodel12] view'1 self.current + constant x : t_Reverse'0 - predicate completed'1 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) + function refl'0 [#"../../../creusot-contracts/src/std/cmp.rs" 176 4 176 20] (x : t_Reverse'0) : () - predicate completed'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 18 4 18 35] (self : borrowed (t_Fuse'0)) = - [%#sfuse4] (view'0 self = C_None'0 - \/ (exists it : borrowed t_I'0 . completed'1 it /\ view'0 self = C_Some'0 (it.current))) - /\ view'1 self.final = C_None'0 + goal vc_refl'0 : [%#scmp0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__trans [#"../../../creusot-contracts/src/std/cmp.rs" 183 4 183 52] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 180 15 180 32 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 181 15 181 32 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 182 14 182 31 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 178 4 178 10 + let%span scmp4 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - constant self : borrowed (t_Fuse'0) + type t_T'0 - constant steps : Seq.seq t_Item'0 + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - constant next : t_Fuse'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function is_fused'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 66 4 66 62] (self : borrowed (t_Fuse'0)) (steps : Seq.seq t_Item'0) (next : t_Fuse'0) : () + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - goal vc_is_fused'0 : ([%#sfuse1] produces'0 self.final steps next) - -> ([%#sfuse0] completed'0 self) -> ([%#sfuse2] steps = (Seq.empty : Seq.seq t_Item'0) /\ self.final = next) -end -module M_creusot_contracts__stdqy35z1__iter__map__qyi6597778842032428791__produces_refl [#"../../../creusot-contracts/src/std/iter/map.rs" 81 4 81 26] (* as std::iter::Iterator> *) - let%span smap0 = "../../../creusot-contracts/src/std/iter/map.rs" 80 14 80 45 - let%span smap1 = "../../../creusot-contracts/src/std/iter/map.rs" 78 4 78 10 - let%span smap2 = "../../../creusot-contracts/src/std/iter/map.rs" 63 12 74 75 - let%span smap3 = "../../../creusot-contracts/src/std/iter/map.rs" 22 14 22 39 - let%span smap4 = "../../../creusot-contracts/src/std/iter/map.rs" 15 14 15 39 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - - use seq.Seq - - type t_B'0 - - use seq.Seq + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - type t_I'0 + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) - type t_F'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - type t_Map'0 = - { t_Map__iter'0: t_I'0; t_Map__f'0: t_F'0 } + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) + -> ([%#sord16] cmp_log'1 y x = C_Less'0) - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) + -> ([%#sord14] cmp_log'1 y x = C_Greater'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Map'0) + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + - axiom inv_axiom'0 [@rewrite] : forall x : t_Map'0 [inv'0 x] . inv'0 x - = match x with - | {t_Map__iter'0 = iter ; t_Map__f'0 = f} -> inv'2 iter /\ inv'1 f - end + axiom trans'1_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) + -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) - function func'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 23 4 23 22] (self : t_Map'0) : t_F'0 + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - axiom func'0_spec : forall self : t_Map'0 . [%#smap3] inv'0 self -> inv'1 (func'0 self) + axiom refl'0_spec : forall x : t_T'0 . [%#sord9] cmp_log'1 x x = C_Equal'0 - type t_Item'0 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : t_B'0) - + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - use prelude.prelude.Borrow + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : t_B'0) - + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : t_B'0) : () - + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : t_B'0 . [%#sops11] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops8] unnest'0 self b) - -> ([%#sops9] unnest'0 b c) -> ([%#sops10] unnest'0 self c) + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops7] unnest'0 self self + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : t_B'0) : () + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + = + [%#scmp4] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : t_B'0 . ([%#sops5] postcondition_mut'0 self args res_state res) - -> ([%#sops6] unnest'0 self res_state) + constant x : t_Reverse'0 - use seq.Seq + constant y : t_Reverse'0 - use seq.Seq + constant z : t_Reverse'0 - use seq.Seq + constant o : t_Ordering'0 - use seq.Seq + function trans'0 [#"../../../creusot-contracts/src/std/cmp.rs" 183 4 183 52] (x : t_Reverse'0) (y : t_Reverse'0) (z : t_Reverse'0) (o : t_Ordering'0) : () + - use seq.Seq - - function iter'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 16 4 16 22] (self : t_Map'0) : t_I'0 - - axiom iter'0_spec : forall self : t_Map'0 . [%#smap4] inv'0 self -> inv'2 (iter'0 self) + goal vc_trans'0 : ([%#scmp1] cmp_log'0 y z = o) -> ([%#scmp0] cmp_log'0 x y = o) -> ([%#scmp2] cmp_log'0 x z = o) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__antisym1 [#"../../../creusot-contracts/src/std/cmp.rs" 189 4 189 33] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 187 15 187 45 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 188 14 188 47 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 185 4 185 10 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use seq.Seq + type t_T'0 - use seq.Seq + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter13] produces'1 a ab b) - -> ([%#siter14] produces'1 b bc c) -> ([%#siter15] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter12] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - use prelude.prelude.Int + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - use seq.Seq + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom antisym1'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map.rs" 61 4 61 67] (self : t_Map'0) (visited : Seq.seq t_B'0) (succ : t_Map'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - = - [%#smap2] unnest'0 (func'0 self) (func'0 succ) - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 [produces'1 (iter'0 self) s (iter'0 succ)] . Seq.length s = Seq.length visited - /\ produces'1 (iter'0 self) s (iter'0 succ) - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - func'0 self = func'0 succ - else - (Seq.get fs 0).current = func'0 self /\ (Seq.get fs (Seq.length visited - 1)).final = func'0 succ - ) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> unnest'0 (func'0 self) (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i) (Seq.get fs i).final (Seq.get visited i)))) - constant self : t_Map'0 + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 81 4 81 26] (self : t_Map'0) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - goal vc_produces_refl'0 : [%#smap0] produces'0 self (Seq.empty : Seq.seq t_B'0) self -end -module M_creusot_contracts__stdqy35z1__iter__map__qyi6597778842032428791__produces_trans [#"../../../creusot-contracts/src/std/iter/map.rs" 88 4 88 90] (* as std::iter::Iterator> *) - let%span smap0 = "../../../creusot-contracts/src/std/iter/map.rs" 85 15 85 32 - let%span smap1 = "../../../creusot-contracts/src/std/iter/map.rs" 86 15 86 32 - let%span smap2 = "../../../creusot-contracts/src/std/iter/map.rs" 87 14 87 42 - let%span smap3 = "../../../creusot-contracts/src/std/iter/map.rs" 83 4 83 10 - let%span smap4 = "../../../creusot-contracts/src/std/iter/map.rs" 63 12 74 75 - let%span smap5 = "../../../creusot-contracts/src/std/iter/map.rs" 22 14 22 39 - let%span smap6 = "../../../creusot-contracts/src/std/iter/map.rs" 15 14 15 39 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - type t_I'0 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - type t_F'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - type t_Map'0 = - { t_Map__iter'0: t_I'0; t_Map__f'0: t_F'0 } + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - type t_B'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Map'0) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - axiom inv_axiom'0 [@rewrite] : forall x : t_Map'0 [inv'0 x] . inv'0 x - = match x with - | {t_Map__iter'0 = iter ; t_Map__f'0 = f} -> inv'2 iter /\ inv'1 f - end + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - function func'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 23 4 23 22] (self : t_Map'0) : t_F'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - axiom func'0_spec : forall self : t_Map'0 . [%#smap5] inv'0 self -> inv'1 (func'0 self) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - type t_Item'0 + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : t_B'0) + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + = + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - use prelude.prelude.Borrow + constant x : t_Reverse'0 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + constant y : t_Reverse'0 - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : t_B'0) + function antisym1'0 [#"../../../creusot-contracts/src/std/cmp.rs" 189 4 189 33] (x : t_Reverse'0) (y : t_Reverse'0) : () - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : t_B'0) : () - + goal vc_antisym1'0 : ([%#scmp0] cmp_log'0 x y = C_Less'0) -> ([%#scmp1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__antisym2 [#"../../../creusot-contracts/src/std/cmp.rs" 195 4 195 33] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 193 15 193 48 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 194 14 194 44 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 191 4 191 10 + let%span scmp3 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : t_B'0 . [%#sops13] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + type t_T'0 - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops10] unnest'0 self b) - -> ([%#sops11] unnest'0 b c) -> ([%#sops12] unnest'0 self c) + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops9] unnest'0 self self + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : t_B'0) : () - + axiom antisym2'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : t_B'0 . ([%#sops7] postcondition_mut'0 self args res_state res) - -> ([%#sops8] unnest'0 self res_state) + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - use seq.Seq + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + - use seq.Seq + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - use seq.Seq + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - use seq.Seq + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - function iter'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 16 4 16 22] (self : t_Map'0) : t_I'0 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - axiom iter'0_spec : forall self : t_Map'0 . [%#smap6] inv'0 self -> inv'2 (iter'0 self) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - use seq.Seq + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter15] produces'1 a ab b) - -> ([%#siter16] produces'1 b bc c) -> ([%#siter17] produces'1 a (Seq.(++) ab bc) c) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter14] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - use prelude.prelude.Int + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - use seq.Seq + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + + = + [%#scmp3] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - use seq.Seq + constant x : t_Reverse'0 - predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map.rs" 61 4 61 67] (self : t_Map'0) (visited : Seq.seq t_B'0) (succ : t_Map'0) + constant y : t_Reverse'0 + + function antisym2'0 [#"../../../creusot-contracts/src/std/cmp.rs" 195 4 195 33] (x : t_Reverse'0) (y : t_Reverse'0) : () - = - [%#smap4] unnest'0 (func'0 self) (func'0 succ) - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 [produces'1 (iter'0 self) s (iter'0 succ)] . Seq.length s = Seq.length visited - /\ produces'1 (iter'0 self) s (iter'0 succ) - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - func'0 self = func'0 succ - else - (Seq.get fs 0).current = func'0 self /\ (Seq.get fs (Seq.length visited - 1)).final = func'0 succ - ) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> unnest'0 (func'0 self) (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i) (Seq.get fs i).final (Seq.get visited i)))) - - use seq.Seq - constant a : t_Map'0 - - constant ab : Seq.seq t_B'0 + goal vc_antisym2'0 : ([%#scmp0] cmp_log'0 x y = C_Greater'0) -> ([%#scmp1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__stdqy35z1__cmp__qyi16241606109483467814__eq_cmp [#"../../../creusot-contracts/src/std/cmp.rs" 200 4 200 31] (* as logic::ord::OrdLogic> *) + let%span scmp0 = "../../../creusot-contracts/src/std/cmp.rs" 199 14 199 59 + let%span scmp1 = "../../../creusot-contracts/src/std/cmp.rs" 197 4 197 10 + let%span scmp2 = "../../../creusot-contracts/src/std/cmp.rs" 146 8 150 9 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - constant b : t_Map'0 + type t_T'0 - constant bc : Seq.seq t_B'0 + type t_Reverse'0 = + { t_Reverse__0'0: t_T'0 } - constant c : t_Map'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 88 4 88 90] (a : t_Map'0) (ab : Seq.seq t_B'0) (b : t_Map'0) (bc : Seq.seq t_B'0) (c : t_Map'0) : () + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - goal vc_produces_trans'0 : ([%#smap1] produces'0 b bc c) - -> ([%#smap0] produces'0 a ab b) -> ([%#smap2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__produces_refl [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (* ::Item, F> as std::iter::Iterator> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 - let%span sops3 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom eq_cmp'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) - type t_B'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () - use seq.Seq + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) - type t_I'0 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () - type t_F'0 + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) - type t_Item'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + - use seq.Seq + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) - use prelude.prelude.Snapshot + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - type t_MapInv'0 = - { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } + axiom refl'0_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) - + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - use prelude.prelude.Borrow + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () - + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops9] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops6] unnest'0 self b) - -> ([%#sops7] unnest'0 b c) -> ([%#sops8] unnest'0 self c) + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops5] unnest'0 self self + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops3] postcondition_mut'0 self args res_state res) - -> ([%#sops4] unnest'0 self res_state) + function cmp_log'0 [#"../../../creusot-contracts/src/std/cmp.rs" 145 4 145 41] (self : t_Reverse'0) (o : t_Reverse'0) : t_Ordering'0 + + = + [%#scmp2] match cmp_log'1 self.t_Reverse__0'0 o.t_Reverse__0'0 with + | C_Equal'0 -> C_Equal'0 + | C_Less'0 -> C_Greater'0 + | C_Greater'0 -> C_Less'0 + end - use seq.Seq + constant x : t_Reverse'0 - use seq.Seq + constant y : t_Reverse'0 - use seq.Seq + function eq_cmp'0 [#"../../../creusot-contracts/src/std/cmp.rs" 200 4 200 31] (x : t_Reverse'0) (y : t_Reverse'0) : () - use seq.Seq + goal vc_eq_cmp'0 : [%#scmp0] (x = y) = (cmp_log'0 x y = C_Equal'0) +end +module M_creusot_contracts__stdqy35z1__deque__qyi3159098507555769709__produces_refl [#"../../../creusot-contracts/src/std/deque.rs" 178 4 178 26] (* as std::iter::Iterator> *) + let%span sdeque0 = "../../../creusot-contracts/src/std/deque.rs" 177 14 177 45 + let%span sdeque1 = "../../../creusot-contracts/src/std/deque.rs" 175 4 175 10 + let%span sdeque2 = "../../../creusot-contracts/src/std/deque.rs" 171 12 171 66 + let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 + let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 + let%span smodel5 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span sindex6 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 + let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 use seq.Seq - use seq.Seq + use prelude.prelude.Borrow - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + type t_T'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + use seq.Seq - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter11] produces'1 a ab b) - -> ([%#siter12] produces'1 b bc c) -> ([%#siter13] produces'1 a (Seq.(++) ab bc) c) + use prelude.prelude.Opaque - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter10] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + type t_Iter'1 = + { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } - use prelude.prelude.Snapshot + type t_Iter'0 = + { t_Iter__i1'0: t_Iter'1; t_Iter__i2'0: t_Iter'1 } - use prelude.prelude.Snapshot + use prelude.prelude.Slice - use prelude.prelude.Int + function view'0 [#"../../../creusot-contracts/src/std/deque.rs" 155 4 155 33] (self : t_Iter'0) : slice t_T'0 use seq.Seq @@ -4388,113 +4752,87 @@ module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__pr use seq.Seq - use prelude.prelude.Snapshot - - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - - - use seq.Seq + use prelude.prelude.UIntSize - predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) - - = - [%#smap_inv2] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited - /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - self.t_MapInv__func'0 = succ.t_MapInv__func'0 - else - (Seq.get fs 0).current = self.t_MapInv__func'0 - /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 - ) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) + constant v_MAX'0 : usize = (18446744073709551615 : usize) - constant self : t_MapInv'0 + use prelude.prelude.UIntSize - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () + use prelude.prelude.Int - goal vc_produces_refl'0 : [%#smap_inv0] produces'0 self (Seq.empty : Seq.seq t_B'0) self -end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__produces_trans [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (* ::Item, F> as std::iter::Iterator> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 - let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 - let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + use prelude.prelude.Slice - type t_I'0 + function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - type t_F'0 + axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice7] Seq.length (view'2 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice8] view'2 self = Slice.id self) - type t_Item'0 + function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = + [%#smodel5] view'2 self use seq.Seq - use prelude.prelude.Snapshot - - type t_MapInv'0 = - { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } - - type t_B'0 - use seq.Seq - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + = + [%#sindex6] Seq.get (view'2 self) ix - use prelude.prelude.Borrow + function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice3] Seq.length (to_ref_seq'0 self) + = Seq.length (view'1 self)) + && ([%#sslice4] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) + -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - + use seq.Seq - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/deque.rs" 169 4 169 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + = + [%#sdeque2] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops11] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + constant self : t_Iter'0 - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + function produces_refl'0 [#"../../../creusot-contracts/src/std/deque.rs" 178 4 178 26] (self : t_Iter'0) : () - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - + goal vc_produces_refl'0 : [%#sdeque0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__deque__qyi3159098507555769709__produces_trans [#"../../../creusot-contracts/src/std/deque.rs" 185 4 185 90] (* as std::iter::Iterator> *) + let%span sdeque0 = "../../../creusot-contracts/src/std/deque.rs" 182 15 182 32 + let%span sdeque1 = "../../../creusot-contracts/src/std/deque.rs" 183 15 183 32 + let%span sdeque2 = "../../../creusot-contracts/src/std/deque.rs" 184 14 184 42 + let%span sdeque3 = "../../../creusot-contracts/src/std/deque.rs" 180 4 180 10 + let%span sdeque4 = "../../../creusot-contracts/src/std/deque.rs" 171 12 171 66 + let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 + let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 + let%span smodel7 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span sindex8 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 + let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice10 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops8] unnest'0 self b) - -> ([%#sops9] unnest'0 b c) -> ([%#sops10] unnest'0 self c) + use prelude.prelude.Opaque - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops7] unnest'0 self self + type t_Iter'1 = + { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - + type t_Iter'0 = + { t_Iter__i1'0: t_Iter'1; t_Iter__i2'0: t_Iter'1 } - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops5] postcondition_mut'0 self args res_state res) - -> ([%#sops6] unnest'0 self res_state) + use prelude.prelude.Borrow - use seq.Seq + type t_T'0 use seq.Seq - use seq.Seq + use prelude.prelude.Slice + + function view'0 [#"../../../creusot-contracts/src/std/deque.rs" 155 4 155 33] (self : t_Iter'0) : slice t_T'0 use seq.Seq @@ -4502,774 +4840,592 @@ module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__pr use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + use prelude.prelude.UIntSize - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + constant v_MAX'0 : usize = (18446744073709551615 : usize) - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter13] produces'1 a ab b) - -> ([%#siter14] produces'1 b bc c) -> ([%#siter15] produces'1 a (Seq.(++) ab bc) c) + use prelude.prelude.UIntSize - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + use prelude.prelude.Int - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter12] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + use prelude.prelude.Slice - use prelude.prelude.Snapshot + function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - use prelude.prelude.Snapshot + axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice9] Seq.length (view'2 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice10] view'2 self = Slice.id self) - use prelude.prelude.Int + function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = + [%#smodel7] view'2 self use seq.Seq use seq.Seq - use seq.Seq + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + + = + [%#sindex8] Seq.get (view'2 self) ix - use prelude.prelude.Snapshot + function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - + axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice5] Seq.length (to_ref_seq'0 self) + = Seq.length (view'1 self)) + && ([%#sslice6] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) + -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) use seq.Seq - predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/deque.rs" 169 4 169 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) = - [%#smap_inv4] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited - /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - self.t_MapInv__func'0 = succ.t_MapInv__func'0 - else - (Seq.get fs 0).current = self.t_MapInv__func'0 - /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 - ) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) - - use seq.Seq + [%#sdeque4] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - constant a : t_MapInv'0 + constant a : t_Iter'0 - constant ab : Seq.seq t_B'0 + constant ab : Seq.seq t_T'0 - constant b : t_MapInv'0 + constant b : t_Iter'0 - constant bc : Seq.seq t_B'0 + constant bc : Seq.seq t_T'0 - constant c : t_MapInv'0 + constant c : t_Iter'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/deque.rs" 185 4 185 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () - goal vc_produces_trans'0 : ([%#smap_inv1] produces'0 b bc c) - -> ([%#smap_inv0] produces'0 a ab b) -> ([%#smap_inv2] produces'0 a (Seq.(++) ab bc) c) + goal vc_produces_trans'0 : ([%#sdeque1] produces'0 b bc c) + -> ([%#sdeque0] produces'0 a ab b) -> ([%#sdeque2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi5691635635396426195__resolve_coherence [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 64 4 64 31] (* as resolve::Resolve> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 62 15 62 39 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 63 14 63 31 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 60 4 60 23 - let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 57 8 57 50 - - use prelude.prelude.Borrow - - type t_I'0 +module M_creusot_contracts__stdqy35z1__iter__cloned__qyi10472681371035856984__produces_refl [#"../../../creusot-contracts/src/std/iter/cloned.rs" 58 4 58 26] (* as std::iter::Iterator> *) + let%span scloned0 = "../../../creusot-contracts/src/std/iter/cloned.rs" 57 14 57 45 + let%span scloned1 = "../../../creusot-contracts/src/std/iter/cloned.rs" 55 4 55 10 + let%span scloned2 = "../../../creusot-contracts/src/std/iter/cloned.rs" 48 12 51 79 + let%span scloned3 = "../../../creusot-contracts/src/std/iter/cloned.rs" 11 14 11 39 + let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - type t_F'0 + use seq.Seq - type t_B'0 + type t_T'0 use seq.Seq - use prelude.prelude.Snapshot + type t_I'0 - type t_MapInv'0 = - { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_B'0) } + type t_Cloned'0 = + { t_Cloned__it'0: t_I'0 } - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : Snapshot.snap_ty (Seq.seq t_B'0)) - = - true + use prelude.prelude.Borrow - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use seq.Seq - predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_I'0) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_MapInv'0) = - match _1 with - | {t_MapInv__iter'0 = x0 ; t_MapInv__func'0 = x1 ; t_MapInv__produced'0 = x2} -> resolve'1 x2 - /\ resolve'2 x1 /\ resolve'3 x0 - end + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Cloned'0) - predicate resolve'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 56 4 56 28] (self : t_MapInv'0) = - [%#smap_inv3] resolve'3 self.t_MapInv__iter'0 /\ resolve'2 self.t_MapInv__func'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_Cloned'0 [inv'0 x] . inv'0 x + = match x with + | {t_Cloned__it'0 = it} -> inv'1 it + end - constant self : t_MapInv'0 + function iter'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 12 4 12 22] (self : t_Cloned'0) : t_I'0 - function resolve_coherence'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 64 4 64 31] (self : t_MapInv'0) : () - + axiom iter'0_spec : forall self : t_Cloned'0 . [%#scloned3] inv'0 self -> inv'1 (iter'0 self) - goal vc_resolve_coherence'0 : ([%#smap_inv0] structural_resolve'0 self) -> ([%#smap_inv1] resolve'0 self) -end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4413682431414748756__next [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 90 4 90 44] (* ::Item, F> as std::iter::Iterator> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 91 39 91 58 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 94 16 94 76 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 95 31 95 71 - let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 99 38 99 88 - let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 100 32 100 63 - let%span smap_inv5 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 105 32 105 56 - let%span smap_inv6 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 90 17 90 21 - let%span smap_inv7 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 90 26 90 44 - let%span smap_inv8 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 86 14 89 5 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 103 26 106 17 - let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 162 27 162 52 - let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 163 26 163 71 - let%span smap_inv12 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 163 15 163 31 - let%span smap_inv13 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 164 4 164 60 - let%span smap_inv14 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 165 15 165 30 - let%span smap_inv15 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 166 15 166 64 - let%span smap_inv16 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 167 14 167 74 - let%span smap_inv17 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 168 14 168 75 - let%span smap_inv18 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 179 14 179 68 - let%span smap_inv19 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 182 12 187 74 - let%span smap_inv20 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 15 8 18 9 - let%span smap_inv21 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 74 12 76 73 - let%span smap_inv22 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 124 14 124 81 - let%span smap_inv23 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 127 12 132 88 - let%span smap_inv24 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 117 12 119 63 - let%span smap_inv25 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 - let%span sresolve26 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - let%span smap_inv27 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 - let%span smap_inv28 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 - let%span smap_inv29 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 - let%span smap_inv30 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 - let%span smap_inv31 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 - let%span smap_inv32 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 - let%span siter33 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter34 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter35 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter36 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - let%span sops37 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops38 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops39 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops40 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops41 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops42 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops43 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span smap_inv44 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 153 12 156 47 - let%span smap_inv45 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 140 12 145 71 - let%span sinvariant46 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 + use seq.Seq - use prelude.prelude.Borrow + use seq.Seq - use prelude.prelude.Snapshot + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) + - type t_I'0 + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () + - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . ([%#siter5] produces'1 a ab b) + -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) - type t_F'0 + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - type t_Item'0 + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_T'0) self use seq.Seq - use prelude.prelude.Snapshot - - type t_MapInv'0 = - { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } + use seq.Seq - predicate invariant'2 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_I'0) = - [%#sinvariant46] inv'0 self.current /\ inv'0 self.final + use prelude.prelude.Int - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_I'0) + use seq.Seq - axiom inv_axiom'2 [@rewrite] : forall x : borrowed t_I'0 [inv'4 x] . inv'4 x = invariant'2 x + use seq.Seq - type t_Option'0 = - | C_None'0 - | C_Some'0 t_Item'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 46 4 46 64] (self : t_Cloned'0) (visited : Seq.seq t_T'0) (o : t_Cloned'0) + + = + [%#scloned2] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - predicate inv'9 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Item'0) + constant self : t_Cloned'0 - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 58 4 58 26] (self : t_Cloned'0) : () - axiom inv_axiom'3 [@rewrite] : forall x : t_Option'0 [inv'5 x] . inv'5 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'9 a_0 - end + goal vc_produces_refl'0 : [%#scloned0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__iter__cloned__qyi10472681371035856984__produces_trans [#"../../../creusot-contracts/src/std/iter/cloned.rs" 65 4 65 90] (* as std::iter::Iterator> *) + let%span scloned0 = "../../../creusot-contracts/src/std/iter/cloned.rs" 62 15 62 32 + let%span scloned1 = "../../../creusot-contracts/src/std/iter/cloned.rs" 63 15 63 32 + let%span scloned2 = "../../../creusot-contracts/src/std/iter/cloned.rs" 64 14 64 42 + let%span scloned3 = "../../../creusot-contracts/src/std/iter/cloned.rs" 60 4 60 10 + let%span scloned4 = "../../../creusot-contracts/src/std/iter/cloned.rs" 48 12 51 79 + let%span scloned5 = "../../../creusot-contracts/src/std/iter/cloned.rs" 11 14 11 39 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + type t_I'0 + + type t_Cloned'0 = + { t_Cloned__it'0: t_I'0 } + + type t_T'0 use seq.Seq + use prelude.prelude.Borrow + use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Cloned'0) - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter34] produces'0 a ab b) - -> ([%#siter35] produces'0 b bc c) -> ([%#siter36] produces'0 a (Seq.(++) ab bc) c) + axiom inv_axiom'0 [@rewrite] : forall x : t_Cloned'0 [inv'0 x] . inv'0 x + = match x with + | {t_Cloned__it'0 = it} -> inv'1 it + end - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + function iter'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 12 4 12 22] (self : t_Cloned'0) : t_I'0 - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter33] produces'0 self (Seq.empty : Seq.seq t_Item'0) self + axiom iter'0_spec : forall self : t_Cloned'0 . [%#scloned5] inv'0 self -> inv'1 (iter'0 self) - predicate completed'1 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) + use seq.Seq use seq.Seq - let rec next'1 (self:borrowed t_I'0) (return' (ret:t_Option'0))= {[@expl:next 'self' type invariant] inv'4 self} - any - [ return' (result:t_Option'0)-> {inv'5 result} - {[%#siter9] match result with - | C_None'0 -> completed'1 self - | C_Some'0 v -> produces'0 self.current (Seq.singleton v) self.final - end} - (! return' {result}) ] + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Item'0))= any - [ good (field_0:t_Item'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_Item'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . ([%#siter7] produces'1 a ab b) + -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) - use prelude.prelude.Snapshot + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - use seq.Seq + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter6] produces'1 self (Seq.empty : Seq.seq t_T'0) self - use prelude.prelude.Snapshot + use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use seq.Seq - predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_F'0) = - [%#sinvariant46] inv'1 self.current /\ inv'1 self.final + use prelude.prelude.Int - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_F'0) + use seq.Seq - axiom inv_axiom'4 [@rewrite] : forall x : borrowed t_F'0 [inv'6 x] . inv'6 x = invariant'3 x + use seq.Seq - predicate inv'7 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 46 4 46 64] (self : t_Cloned'0) (visited : Seq.seq t_T'0) (o : t_Cloned'0) + = + [%#scloned4] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - axiom inv_axiom'5 [@rewrite] : forall x : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)) [inv'7 x] . inv'7 x - = (let (x0, x1) = x in inv'9 x0) + use seq.Seq - type t_B'0 + constant a : t_Cloned'0 - predicate inv'8 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) + constant ab : Seq.seq t_T'0 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) - + constant b : t_Cloned'0 - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + constant bc : Seq.seq t_T'0 - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - + constant c : t_Cloned'0 - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/cloned.rs" 65 4 65 90] (a : t_Cloned'0) (ab : Seq.seq t_T'0) (b : t_Cloned'0) (bc : Seq.seq t_T'0) (c : t_Cloned'0) : () - axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops43] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'2 res_state) + goal vc_produces_trans'0 : ([%#scloned1] produces'0 b bc c) + -> ([%#scloned0] produces'0 a ab b) -> ([%#scloned2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__copied__qyi18224474876607687026__produces_refl [#"../../../creusot-contracts/src/std/iter/copied.rs" 58 4 58 26] (* as std::iter::Iterator> *) + let%span scopied0 = "../../../creusot-contracts/src/std/iter/copied.rs" 57 14 57 45 + let%span scopied1 = "../../../creusot-contracts/src/std/iter/copied.rs" 55 4 55 10 + let%span scopied2 = "../../../creusot-contracts/src/std/iter/copied.rs" 48 12 51 79 + let%span scopied3 = "../../../creusot-contracts/src/std/iter/copied.rs" 11 14 11 39 + let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + use seq.Seq - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - + type t_T'0 - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops40] unnest'0 self b) - -> ([%#sops41] unnest'0 b c) -> ([%#sops42] unnest'0 self c) + use seq.Seq - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + type t_I'0 - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops39] unnest'0 self self + type t_Copied'0 = + { t_Copied__it'0: t_I'0 } - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - + use prelude.prelude.Borrow - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops37] postcondition_mut'0 self args res_state res) - -> ([%#sops38] unnest'0 self res_state) + use seq.Seq - let rec call_mut'0 (self:borrowed t_F'0) (args:(t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (return' (ret:t_B'0))= {[@expl:call_mut 'self' type invariant] inv'6 self} - {[@expl:call_mut 'args' type invariant] inv'7 args} - {[@expl:call_mut requires] [%#sops10] precondition'0 self.current args} - any - [ return' (result:t_B'0)-> {inv'8 result} - {[%#sops11] postcondition_mut'0 self.current args self.final result} - (! return' {result}) ] - + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - predicate next_precondition'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 115 4 115 78] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) - - = - [%#smap_inv24] forall e : t_Item'0, i : t_I'0 . produces'0 iter (Seq.singleton e) i - -> precondition'0 func (e, Snapshot.new produced) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Copied'0) - predicate preservation'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 138 4 138 49] (iter : t_I'0) (func : t_F'0) - - = - [%#smap_inv45] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current - -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i - -> precondition'0 f.current (e1, Snapshot.new s) - -> postcondition_mut'0 f.current (e1, Snapshot.new s) f.final b - -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc s e1)) + axiom inv_axiom'0 [@rewrite] : forall x : t_Copied'0 [inv'0 x] . inv'0 x + = match x with + | {t_Copied__it'0 = it} -> inv'1 it + end - predicate reinitialize'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 151 4 151 33] (_1 : ()) = - [%#smap_inv44] forall iter : borrowed t_I'0, func : t_F'0 . completed'1 iter - -> next_precondition'0 iter.final func (Seq.empty : Seq.seq t_Item'0) /\ preservation'0 iter.final func + function iter'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 12 4 12 22] (self : t_Copied'0) : t_I'0 - predicate preservation_inv'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) - - = - [%#smap_inv23] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current - -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i - -> precondition'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) - -> postcondition_mut'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) f.final b - -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) + axiom iter'0_spec : forall self : t_Copied'0 . [%#scopied3] inv'0 self -> inv'1 (iter'0 self) - axiom preservation_inv'0_spec : forall iter : t_I'0, func : t_F'0, produced : Seq.seq t_Item'0 . [%#smap_inv22] produced - = (Seq.empty : Seq.seq t_Item'0) -> preservation_inv'0 iter func produced = preservation'0 iter func + use seq.Seq - predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 72 4 72 30] (self : t_MapInv'0) = - [%#smap_inv21] reinitialize'0 () - /\ preservation_inv'0 self.t_MapInv__iter'0 self.t_MapInv__func'0 (Snapshot.inner self.t_MapInv__produced'0) - /\ next_precondition'0 self.t_MapInv__iter'0 self.t_MapInv__func'0 (Snapshot.inner self.t_MapInv__produced'0) + use seq.Seq - function produces_one_invariant'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 169 4 169 73] (self : t_MapInv'0) (e : t_Item'0) (r : t_B'0) (f : borrowed t_F'0) (iter : t_I'0) : () + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - axiom produces_one_invariant'0_spec : forall self : t_MapInv'0, e : t_Item'0, r : t_B'0, f : borrowed t_F'0, iter : t_I'0 . ([%#smap_inv12] invariant'0 self) - -> ([%#smap_inv13] produces'0 self.t_MapInv__iter'0 (Seq.singleton e) iter) - -> ([%#smap_inv14] f.current = self.t_MapInv__func'0) - -> ([%#smap_inv15] postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final r) - -> ([%#smap_inv16] preservation_inv'0 iter f.final (Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e)) - && ([%#smap_inv17] next_precondition'0 iter f.final (Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e)) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () + - use prelude.prelude.Snapshot + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . ([%#siter5] produces'1 a ab b) + -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) - use prelude.prelude.Snapshot + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - use seq.Seq + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_T'0) self use seq.Seq use seq.Seq - use seq.Seq + use prelude.prelude.Int use seq.Seq use seq.Seq - use seq.Seq + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 46 4 46 64] (self : t_Copied'0) (visited : Seq.seq t_T'0) (o : t_Copied'0) + + = + [%#scopied2] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - use seq.Seq + constant self : t_Copied'0 - use prelude.prelude.Snapshot + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 58 4 58 26] (self : t_Copied'0) : () - use prelude.prelude.Int + goal vc_produces_refl'0 : [%#scopied0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__iter__copied__qyi18224474876607687026__produces_trans [#"../../../creusot-contracts/src/std/iter/copied.rs" 65 4 65 90] (* as std::iter::Iterator> *) + let%span scopied0 = "../../../creusot-contracts/src/std/iter/copied.rs" 62 15 62 32 + let%span scopied1 = "../../../creusot-contracts/src/std/iter/copied.rs" 63 15 63 32 + let%span scopied2 = "../../../creusot-contracts/src/std/iter/copied.rs" 64 14 64 42 + let%span scopied3 = "../../../creusot-contracts/src/std/iter/copied.rs" 60 4 60 10 + let%span scopied4 = "../../../creusot-contracts/src/std/iter/copied.rs" 48 12 51 79 + let%span scopied5 = "../../../creusot-contracts/src/std/iter/copied.rs" 11 14 11 39 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + type t_I'0 + + type t_Copied'0 = + { t_Copied__it'0: t_I'0 } + + type t_T'0 use seq.Seq + use prelude.prelude.Borrow + use seq.Seq + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Copied'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Copied'0 [inv'0 x] . inv'0 x + = match x with + | {t_Copied__it'0 = it} -> inv'1 it + end + + function iter'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 12 4 12 22] (self : t_Copied'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Copied'0 . [%#scopied5] inv'0 self -> inv'1 (iter'0 self) + use seq.Seq use seq.Seq - predicate produces'1 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_T'0) (o : t_I'0) - = - [%#smap_inv25] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited - /\ produces'0 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - self.t_MapInv__func'0 = succ.t_MapInv__func'0 - else - (Seq.get fs 0).current = self.t_MapInv__func'0 - /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 - ) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_T'0) (b : t_I'0) (bc : Seq.seq t_T'0) (c : t_I'0) : () - = - [%#smap_inv32] () - - axiom produces_trans'0_spec : forall a : t_MapInv'0, ab : Seq.seq t_B'0, b : t_MapInv'0, bc : Seq.seq t_B'0, c : t_MapInv'0 . ([%#smap_inv29] produces'1 a ab b) - -> ([%#smap_inv30] produces'1 b bc c) -> ([%#smap_inv31] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () = - [%#smap_inv28] () - axiom produces_refl'0_spec : forall self : t_MapInv'0 . [%#smap_inv27] produces'1 self (Seq.empty : Seq.seq t_B'0) self - - predicate produces_one'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (self : t_MapInv'0) (visited : t_B'0) (succ : t_MapInv'0) - - = - [%#smap_inv19] exists f : borrowed t_F'0, e : t_Item'0 . f.current = self.t_MapInv__func'0 - /\ f.final = succ.t_MapInv__func'0 - /\ produces'0 self.t_MapInv__iter'0 (Seq.singleton e) succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e - /\ precondition'0 f.current (e, self.t_MapInv__produced'0) - /\ postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final visited + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_T'0, b : t_I'0, bc : Seq.seq t_T'0, c : t_I'0 . ([%#siter7] produces'1 a ab b) + -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) - axiom produces_one'0_spec : forall self : t_MapInv'0, visited : t_B'0, succ : t_MapInv'0 . [%#smap_inv18] produces_one'0 self visited succ - = produces'1 self (Seq.singleton visited) succ + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - predicate inv'10 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_MapInv'0) + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter6] produces'1 self (Seq.empty : Seq.seq t_T'0) self - axiom inv_axiom'6 [@rewrite] : forall x : t_MapInv'0 [inv'10 x] . inv'10 x - = (invariant'0 x - /\ match x with - | {t_MapInv__iter'0 = iter ; t_MapInv__func'0 = func ; t_MapInv__produced'0 = produced} -> inv'0 iter /\ inv'1 func - end) + use seq.Seq - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_MapInv'0)) = - [%#sinvariant46] inv'10 self.current /\ inv'10 self.final + use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_MapInv'0)) + use prelude.prelude.Int - axiom inv_axiom'0 [@rewrite] : forall x : borrowed (t_MapInv'0) [inv'2 x] . inv'2 x = invariant'1 x + use seq.Seq - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_MapInv'0)) = - [%#sresolve26] self.final = self.current + use seq.Seq - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_MapInv'0)) = - resolve'1 _1 + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 46 4 46 64] (self : t_Copied'0) (visited : Seq.seq t_T'0) (o : t_Copied'0) + + = + [%#scopied4] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) - type t_Option'1 = - | C_None'1 - | C_Some'1 t_B'0 + use seq.Seq - use prelude.prelude.Intrinsic + constant a : t_Copied'0 - use prelude.prelude.Snapshot + constant ab : Seq.seq t_T'0 - use prelude.prelude.Snapshot + constant b : t_Copied'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + constant bc : Seq.seq t_T'0 - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'1 [inv'3 x] . inv'3 x - = match x with - | C_None'1 -> true - | C_Some'1 a_0 -> inv'8 a_0 - end + constant c : t_Copied'0 - predicate completed'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 14 4 14 35] (self : borrowed (t_MapInv'0)) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/copied.rs" 65 4 65 90] (a : t_Copied'0) (ab : Seq.seq t_T'0) (b : t_Copied'0) (bc : Seq.seq t_T'0) (c : t_Copied'0) : () - = - [%#smap_inv20] Snapshot.inner (self.final).t_MapInv__produced'0 = (Seq.empty : Seq.seq t_Item'0) - /\ completed'1 (Borrow.borrow_logic (self.current).t_MapInv__iter'0 (self.final).t_MapInv__iter'0 (Borrow.inherit_id (Borrow.get_id self) 1)) - /\ (self.current).t_MapInv__func'0 = (self.final).t_MapInv__func'0 - - meta "compute_max_steps" 1000000 - let rec next'0 (self:borrowed (t_MapInv'0)) (return' (ret:t_Option'1))= {[@expl:next 'self' type invariant] [%#smap_inv6] inv'2 self} - (! bb0 - [ bb0 = s0 [ s0 = [ &old_self <- [%#smap_inv0] Snapshot.new self.current ] s1 | s1 = bb1 ] - | bb1 = s0 - [ s0 = {inv'0 (self.current).t_MapInv__iter'0} - Borrow.borrow_final {(self.current).t_MapInv__iter'0} {Borrow.inherit_id (Borrow.get_id self) 1} - (fun (_ret':borrowed t_I'0) -> - [ &_6 <- _ret' ] - -{inv'0 _ret'.final}- - [ &self <- { self with current = { self.current with t_MapInv__iter'0 = _ret'.final } } ] - s1) - | s1 = next'1 {_6} (fun (_ret':t_Option'0) -> [ &_5 <- _ret' ] s2) - | s2 = bb2 ] - - | bb2 = any [ br0 -> {_5 = C_None'0 } (! bb5) | br1 (x0:t_Item'0)-> {_5 = C_Some'0 x0} (! bb4) ] - | bb4 = bb6 - | bb6 = s0 - [ s0 = v_Some'0 {_5} (fun (r0'0:t_Item'0) -> [ &v <- r0'0 ] s1) - | s1 = {[@expl:assertion] [%#smap_inv1] precondition'0 (self.current).t_MapInv__func'0 (v, (self.current).t_MapInv__produced'0)} - s2 - | s2 = bb7 ] - - | bb7 = s0 - [ s0 = - [ &produced <- [%#smap_inv2] Snapshot.new (Seq.snoc (Snapshot.inner (self.current).t_MapInv__produced'0) v) ] - - s1 - | s1 = bb8 ] - - | bb8 = s0 - [ s0 = {inv'1 (self.current).t_MapInv__func'0} - Borrow.borrow_final {(self.current).t_MapInv__func'0} {Borrow.inherit_id (Borrow.get_id self) 2} - (fun (_ret':borrowed t_F'0) -> - [ &_14 <- _ret' ] - -{inv'1 _ret'.final}- - [ &self <- { self with current = { self.current with t_MapInv__func'0 = _ret'.final } } ] - s1) - | s1 = [ &_15 <- (v, (self.current).t_MapInv__produced'0) ] s2 - | s2 = call_mut'0 {_14} {_15} (fun (_ret':t_B'0) -> [ &r <- _ret' ] s3) - | s3 = bb9 ] - - | bb9 = bb10 - | bb10 = s0 - [ s0 = [ &self <- { self with current = { self.current with t_MapInv__produced'0 = produced } } ] s1 - | s1 = [ &_19 <- [%#smap_inv3] Snapshot.new (let _ = () in ()) ] s2 - | s2 = bb11 ] - - | bb11 = s0 - [ s0 = {[@expl:assertion] [%#smap_inv4] produces_one'0 (Snapshot.inner old_self) r self.current} s1 | s1 = bb12 ] - - | bb12 = s0 - [ s0 = {[@expl:type invariant] inv'2 self} s1 - | s1 = -{resolve'0 self}- s2 - | s2 = [ &_0 <- C_Some'1 r ] s3 - | s3 = bb13 ] - - | bb13 = bb14 - | bb14 = bb15 - | bb15 = bb17 - | bb5 = s0 [ s0 = [ &_24 <- [%#smap_inv5] Snapshot.new (Seq.empty : Seq.seq t_Item'0) ] s1 | s1 = bb16 ] - | bb16 = s0 - [ s0 = [ &self <- { self with current = { self.current with t_MapInv__produced'0 = _24 } } ] s1 - | s1 = {[@expl:type invariant] inv'2 self} s2 - | s2 = -{resolve'0 self}- s3 - | s3 = [ &_0 <- C_None'1 ] s4 - | s4 = bb17 ] - - | bb17 = bb18 - | bb18 = return' {_0} ] - ) - [ & _0 : t_Option'1 = any_l () - | & self : borrowed (t_MapInv'0) = self - | & old_self : Snapshot.snap_ty (t_MapInv'0) = any_l () - | & _5 : t_Option'0 = any_l () - | & _6 : borrowed t_I'0 = any_l () - | & v : t_Item'0 = any_l () - | & produced : Snapshot.snap_ty (Seq.seq t_Item'0) = any_l () - | & r : t_B'0 = any_l () - | & _14 : borrowed t_F'0 = any_l () - | & _15 : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)) = any_l () - | & _19 : Snapshot.snap_ty () = any_l () - | & _24 : Snapshot.snap_ty (Seq.seq t_Item'0) = any_l () ] - - [ return' (result:t_Option'1)-> {[@expl:next result type invariant] [%#smap_inv7] inv'3 result} - {[@expl:next ensures] [%#smap_inv8] match result with - | C_None'1 -> completed'0 self - | C_Some'1 v -> produces_one'0 self.current v self.final - end} - (! return' {result}) ] - + goal vc_produces_trans'0 : ([%#scopied1] produces'0 b bc c) + -> ([%#scopied0] produces'0 a ab b) -> ([%#scopied2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__preservation_inv [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (* std::iter::map_inv::MapInv::Item, F> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 124 14 124 81 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 127 12 132 88 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 140 12 145 71 - let%span sops3 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 +module M_creusot_contracts__stdqy35z1__iter__empty__qyi10605201058978801838__produces_refl [#"../../../creusot-contracts/src/std/iter/empty.rs" 19 4 19 26] (* as std::iter::Iterator> *) + let%span sempty0 = "../../../creusot-contracts/src/std/iter/empty.rs" 18 14 18 45 + let%span sempty1 = "../../../creusot-contracts/src/std/iter/empty.rs" 16 4 16 10 + let%span sempty2 = "../../../creusot-contracts/src/std/iter/empty.rs" 13 20 13 54 use seq.Seq - type t_Item'0 + type t_T'0 use seq.Seq - type t_I'0 + type t_Empty'0 = + { t_Empty__0'0: () } - type t_F'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 12 4 12 64] (self : t_Empty'0) (visited : Seq.seq t_T'0) (o : t_Empty'0) + + = + [%#sempty2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - use prelude.prelude.Borrow + constant self : t_Empty'0 - type t_B'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 19 4 19 26] (self : t_Empty'0) : () - use prelude.prelude.Snapshot + goal vc_produces_refl'0 : [%#sempty0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__iter__empty__qyi10605201058978801838__produces_trans [#"../../../creusot-contracts/src/std/iter/empty.rs" 26 4 26 90] (* as std::iter::Iterator> *) + let%span sempty0 = "../../../creusot-contracts/src/std/iter/empty.rs" 23 15 23 32 + let%span sempty1 = "../../../creusot-contracts/src/std/iter/empty.rs" 24 15 24 32 + let%span sempty2 = "../../../creusot-contracts/src/std/iter/empty.rs" 25 14 25 42 + let%span sempty3 = "../../../creusot-contracts/src/std/iter/empty.rs" 21 4 21 10 + let%span sempty4 = "../../../creusot-contracts/src/std/iter/empty.rs" 13 20 13 54 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) - + type t_Empty'0 = + { t_Empty__0'0: () } - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + type t_T'0 - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - + use seq.Seq - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 12 4 12 64] (self : t_Empty'0) (visited : Seq.seq t_T'0) (o : t_Empty'0) + = + [%#sempty4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops9] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) + use seq.Seq - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + constant a : t_Empty'0 - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - + constant ab : Seq.seq t_T'0 - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops6] unnest'0 self b) - -> ([%#sops7] unnest'0 b c) -> ([%#sops8] unnest'0 self c) + constant b : t_Empty'0 - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + constant bc : Seq.seq t_T'0 - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops5] unnest'0 self self + constant c : t_Empty'0 - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/empty.rs" 26 4 26 90] (a : t_Empty'0) (ab : Seq.seq t_T'0) (b : t_Empty'0) (bc : Seq.seq t_T'0) (c : t_Empty'0) : () - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops3] postcondition_mut'0 self args res_state res) - -> ([%#sops4] unnest'0 self res_state) + goal vc_produces_trans'0 : ([%#sempty1] produces'0 b bc c) + -> ([%#sempty0] produces'0 a ab b) -> ([%#sempty2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__enumerate__qyi2718914205750388896__produces_refl [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 83 4 83 26] (* as std::iter::Iterator> *) + let%span senumerate0 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 82 14 82 45 + let%span senumerate1 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 80 4 80 10 + let%span senumerate2 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 72 12 76 113 + let%span senumerate3 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 14 14 14 39 + let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + let%span senumerate8 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 45 12 49 85 use seq.Seq - use seq.Seq + use prelude.prelude.UIntSize - predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + type t_Item'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - + use seq.Seq - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter11] produces'0 a ab b) - -> ([%#siter12] produces'0 b bc c) -> ([%#siter13] produces'0 a (Seq.(++) ab bc) c) + type t_I'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + type t_Enumerate'0 = + { t_Enumerate__iter'0: t_I'0; t_Enumerate__count'0: usize } - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter10] produces'0 self (Seq.empty : Seq.seq t_Item'0) self + use seq.Seq - use prelude.prelude.Snapshot + use prelude.prelude.Int - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - + function n'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 21 4 21 21] (self : t_Enumerate'0) : int - predicate preservation'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 138 4 138 49] (iter : t_I'0) (func : t_F'0) - - = - [%#smap_inv2] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current - -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i - -> precondition'0 f.current (e1, Snapshot.new s) - -> postcondition_mut'0 f.current (e1, Snapshot.new s) f.final b - -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc s e1)) + use seq.Seq - constant iter : t_I'0 + use seq.Seq - constant func : t_F'0 + use seq.Seq - constant produced : Seq.seq t_Item'0 + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - predicate preservation_inv'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - goal vc_preservation_inv'0 : [%#smap_inv0] produced = (Seq.empty : Seq.seq t_Item'0) - -> ([%#smap_inv1] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current - -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i - -> precondition'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) - -> postcondition_mut'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) f.final b - -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1))) - = preservation'0 iter func -end -module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__produces_one [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (* std::iter::map_inv::MapInv::Item, F> *) - let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 179 14 179 68 - let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 182 12 187 74 - let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 - let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 - let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 - let%span smap_inv5 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 - let%span smap_inv6 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 - let%span smap_inv7 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 - let%span smap_inv8 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 - let%span sops14 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 - let%span sops15 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 - let%span sops16 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 - let%span sops17 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 - let%span sops18 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 - let%span sops19 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter5] produces'1 a ab b) + -> ([%#siter6] produces'1 b bc c) -> ([%#siter7] produces'1 a (Seq.(++) ab bc) c) - use seq.Seq + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - use seq.Seq + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter4] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - type t_I'0 + use seq.Seq - type t_F'0 + constant v_MAX'0 : usize = (18446744073709551615 : usize) - type t_Item'0 + use prelude.prelude.UIntSize - use seq.Seq + use prelude.prelude.Borrow - use prelude.prelude.Snapshot + predicate completed'0 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) - type t_MapInv'0 = - { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - type t_B'0 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Enumerate'0) - use seq.Seq + function iter'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 15 4 15 22] (self : t_Enumerate'0) : t_I'0 - use seq.Seq + axiom iter'0_spec : forall self : t_Enumerate'0 . [%#senumerate3] inv'0 self -> inv'1 (iter'0 self) - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) - + predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 43 4 43 30] (self : t_Enumerate'0) = + [%#senumerate8] (forall s : Seq.seq t_Item'0, i : t_I'0 [produces'1 (iter'0 self) s i] . produces'1 (iter'0 self) s i + -> n'0 self + Seq.length s < UIntSize.to_int v_MAX'0) + /\ (forall i : borrowed t_I'0 . completed'0 i -> produces'1 i.current (Seq.empty : Seq.seq t_Item'0) i.final) - use prelude.prelude.Borrow + axiom inv_axiom'0 [@rewrite] : forall x : t_Enumerate'0 [inv'0 x] . inv'0 x + = (invariant'0 x + /\ match x with + | {t_Enumerate__iter'0 = iter ; t_Enumerate__count'0 = count} -> inv'1 iter + end) - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use seq.Seq - predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - + use seq.Seq - function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 70 4 70 64] (self : t_Enumerate'0) (visited : Seq.seq (usize, t_Item'0)) (o : t_Enumerate'0) + = + [%#senumerate2] Seq.length visited = n'0 o - n'0 self + /\ (exists s : Seq.seq t_Item'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = n'0 self + i + /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) - axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops19] postcondition_once'0 self args res - = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - - predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) + constant self : t_Enumerate'0 - function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 83 4 83 26] (self : t_Enumerate'0) : () - axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops16] unnest'0 self b) - -> ([%#sops17] unnest'0 b c) -> ([%#sops18] unnest'0 self c) + goal vc_produces_refl'0 : [%#senumerate0] produces'0 self (Seq.empty : Seq.seq (usize, t_Item'0)) self +end +module M_creusot_contracts__stdqy35z1__iter__enumerate__qyi2718914205750388896__produces_trans [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 90 4 90 90] (* as std::iter::Iterator> *) + let%span senumerate0 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 87 15 87 32 + let%span senumerate1 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 88 15 88 32 + let%span senumerate2 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 89 14 89 42 + let%span senumerate3 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 85 4 85 10 + let%span senumerate4 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 72 12 76 113 + let%span senumerate5 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 14 14 14 39 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + let%span senumerate10 = "../../../creusot-contracts/src/std/iter/enumerate.rs" 45 12 49 85 - function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () + type t_I'0 - axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops15] unnest'0 self self + use prelude.prelude.UIntSize - function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - + type t_Enumerate'0 = + { t_Enumerate__iter'0: t_I'0; t_Enumerate__count'0: usize } - axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops13] postcondition_mut'0 self args res_state res) - -> ([%#sops14] unnest'0 self res_state) + type t_Item'0 use seq.Seq use seq.Seq - use seq.Seq + use prelude.prelude.Int + + function n'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 21 4 21 21] (self : t_Enumerate'0) : int use seq.Seq @@ -5283,742 +5439,752 @@ module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__pr function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter10] produces'1 a ab b) - -> ([%#siter11] produces'1 b bc c) -> ([%#siter12] produces'1 a (Seq.(++) ab bc) c) + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter7] produces'1 a ab b) + -> ([%#siter8] produces'1 b bc c) -> ([%#siter9] produces'1 a (Seq.(++) ab bc) c) - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter9] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter6] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - use prelude.prelude.Snapshot + use seq.Seq - use prelude.prelude.Snapshot + constant v_MAX'0 : usize = (18446744073709551615 : usize) - use prelude.prelude.Int + use prelude.prelude.UIntSize - use seq.Seq + use prelude.prelude.Borrow - use seq.Seq + predicate completed'0 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) - use seq.Seq + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - use prelude.prelude.Snapshot + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Enumerate'0) - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - + function iter'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 15 4 15 22] (self : t_Enumerate'0) : t_I'0 - use seq.Seq + axiom iter'0_spec : forall self : t_Enumerate'0 . [%#senumerate5] inv'0 self -> inv'1 (iter'0 self) - predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) - - = - [%#smap_inv2] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 - /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited - /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s - /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) - /\ (if Seq.length visited = 0 then - self.t_MapInv__func'0 = succ.t_MapInv__func'0 - else - (Seq.get fs 0).current = self.t_MapInv__func'0 - /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 - ) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current - /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) - /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) + predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 43 4 43 30] (self : t_Enumerate'0) = + [%#senumerate10] (forall s : Seq.seq t_Item'0, i : t_I'0 [produces'1 (iter'0 self) s i] . produces'1 (iter'0 self) s i + -> n'0 self + Seq.length s < UIntSize.to_int v_MAX'0) + /\ (forall i : borrowed t_I'0 . completed'0 i -> produces'1 i.current (Seq.empty : Seq.seq t_Item'0) i.final) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () - - = - [%#smap_inv8] () + axiom inv_axiom'0 [@rewrite] : forall x : t_Enumerate'0 [inv'0 x] . inv'0 x + = (invariant'0 x + /\ match x with + | {t_Enumerate__iter'0 = iter ; t_Enumerate__count'0 = count} -> inv'1 iter + end) - axiom produces_trans'0_spec : forall a : t_MapInv'0, ab : Seq.seq t_B'0, b : t_MapInv'0, bc : Seq.seq t_B'0, c : t_MapInv'0 . ([%#smap_inv5] produces'0 a ab b) - -> ([%#smap_inv6] produces'0 b bc c) -> ([%#smap_inv7] produces'0 a (Seq.(++) ab bc) c) + use seq.Seq - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () = - [%#smap_inv4] () + use seq.Seq - axiom produces_refl'0_spec : forall self : t_MapInv'0 . [%#smap_inv3] produces'0 self (Seq.empty : Seq.seq t_B'0) self + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 70 4 70 64] (self : t_Enumerate'0) (visited : Seq.seq (usize, t_Item'0)) (o : t_Enumerate'0) + + = + [%#senumerate4] Seq.length visited = n'0 o - n'0 self + /\ (exists s : Seq.seq t_Item'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = n'0 self + i + /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) use seq.Seq - use seq.Seq + constant a : t_Enumerate'0 - constant self : t_MapInv'0 + constant ab : Seq.seq (usize, t_Item'0) - constant visited : t_B'0 + constant b : t_Enumerate'0 - constant succ : t_MapInv'0 + constant bc : Seq.seq (usize, t_Item'0) - predicate produces_one'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (self : t_MapInv'0) (visited : t_B'0) (succ : t_MapInv'0) - + constant c : t_Enumerate'0 - goal vc_produces_one'0 : [%#smap_inv0] ([%#smap_inv1] exists f : borrowed t_F'0, e : t_Item'0 . f.current - = self.t_MapInv__func'0 - /\ f.final = succ.t_MapInv__func'0 - /\ produces'1 self.t_MapInv__iter'0 (Seq.singleton e) succ.t_MapInv__iter'0 - /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e - /\ precondition'0 f.current (e, self.t_MapInv__produced'0) - /\ postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final visited) - = produces'0 self (Seq.singleton visited) succ + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/enumerate.rs" 90 4 90 90] (a : t_Enumerate'0) (ab : Seq.seq (usize, t_Item'0)) (b : t_Enumerate'0) (bc : Seq.seq (usize, t_Item'0)) (c : t_Enumerate'0) : () + + + goal vc_produces_trans'0 : ([%#senumerate1] produces'0 b bc c) + -> ([%#senumerate0] produces'0 a ab b) -> ([%#senumerate2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__iter__once__qyi8116812009287608646__produces_refl [#"../../../creusot-contracts/src/std/iter/once.rs" 32 4 32 26] (* as std::iter::Iterator> *) - let%span sonce0 = "../../../creusot-contracts/src/std/iter/once.rs" 31 14 31 45 - let%span sonce1 = "../../../creusot-contracts/src/std/iter/once.rs" 29 4 29 10 - let%span sonce2 = "../../../creusot-contracts/src/std/iter/once.rs" 24 12 25 96 +module M_creusot_contracts__stdqy35z1__iter__filter__qyi9573749579793237160__produces_refl [#"../../../creusot-contracts/src/std/iter/filter.rs" 106 4 106 26] (* as std::iter::Iterator> *) + let%span sfilter0 = "../../../creusot-contracts/src/std/iter/filter.rs" 105 14 105 45 + let%span sfilter1 = "../../../creusot-contracts/src/std/iter/filter.rs" 103 4 103 10 + let%span sfilter2 = "../../../creusot-contracts/src/std/iter/filter.rs" 87 12 99 17 + let%span sfilter3 = "../../../creusot-contracts/src/std/iter/filter.rs" 34 12 40 124 + let%span sfilter4 = "../../../creusot-contracts/src/std/iter/filter.rs" 22 14 22 39 + let%span sfilter5 = "../../../creusot-contracts/src/std/iter/filter.rs" 15 14 15 39 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 use seq.Seq - type t_T'0 + type t_Item'0 use seq.Seq - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 - - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + type t_I'0 - type t_IntoIter'0 = - { t_IntoIter__inner'0: t_Item'0 } + type t_F'0 - type t_Once'0 = - { t_Once__inner'0: t_IntoIter'0 } + type t_Filter'0 = + { t_Filter__iter'0: t_I'0; t_Filter__predicate'0: t_F'0 } - function view'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 8 4 8 30] (self : t_Once'0) : t_Option'0 + use prelude.prelude.Borrow - use seq.Seq + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 22 4 22 64] (self : t_Once'0) (visited : Seq.seq t_T'0) (o : t_Once'0) + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : bool) - = - [%#sonce2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - constant self : t_Once'0 + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 32 4 32 26] (self : t_Once'0) : () + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : bool) + - goal vc_produces_refl'0 : [%#sonce0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__iter__once__qyi8116812009287608646__produces_trans [#"../../../creusot-contracts/src/std/iter/once.rs" 39 4 39 90] (* as std::iter::Iterator> *) - let%span sonce0 = "../../../creusot-contracts/src/std/iter/once.rs" 36 15 36 32 - let%span sonce1 = "../../../creusot-contracts/src/std/iter/once.rs" 37 15 37 32 - let%span sonce2 = "../../../creusot-contracts/src/std/iter/once.rs" 38 14 38 42 - let%span sonce3 = "../../../creusot-contracts/src/std/iter/once.rs" 34 4 34 10 - let%span sonce4 = "../../../creusot-contracts/src/std/iter/once.rs" 24 12 25 96 + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : bool) : () + - type t_T'0 + axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : bool . [%#sops12] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - type t_IntoIter'0 = - { t_IntoIter__inner'0: t_Item'0 } + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops9] unnest'0 self b) + -> ([%#sops10] unnest'0 b c) -> ([%#sops11] unnest'0 self c) - type t_Once'0 = - { t_Once__inner'0: t_IntoIter'0 } + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - use seq.Seq + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops8] unnest'0 self self - use seq.Seq + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : bool) : () + - function view'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 8 4 8 30] (self : t_Once'0) : t_Option'0 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : bool . ([%#sops6] postcondition_mut'0 self args res_state res) + -> ([%#sops7] unnest'0 self res_state) - use seq.Seq + predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 31 4 31 30] (self : t_Filter'0) = + [%#sfilter3] forall f : t_F'0, i : t_Item'0 . precondition'0 f (i) + /\ (forall f : t_F'0, g : t_F'0 . unnest'0 f g -> f = g) + /\ (forall f1 : t_F'0, f2 : t_F'0, i : t_Item'0 . not (postcondition_mut'0 f1 (i) f2 true + /\ postcondition_mut'0 f1 (i) f2 false)) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 22 4 22 64] (self : t_Once'0) (visited : Seq.seq t_T'0) (o : t_Once'0) - - = - [%#sonce4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - use seq.Seq + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - constant a : t_Once'0 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Filter'0) - constant ab : Seq.seq t_T'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_Filter'0 [inv'0 x] . inv'0 x + = (invariant'0 x + /\ match x with + | {t_Filter__iter'0 = iter ; t_Filter__predicate'0 = predicate'} -> inv'2 iter /\ inv'1 predicate' + end) - constant b : t_Once'0 + function func'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 23 4 23 22] (self : t_Filter'0) : t_F'0 - constant bc : Seq.seq t_T'0 + axiom func'0_spec : forall self : t_Filter'0 . [%#sfilter4] inv'0 self -> inv'1 (func'0 self) - constant c : t_Once'0 + use prelude.prelude.Int - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 39 4 39 90] (a : t_Once'0) (ab : Seq.seq t_T'0) (b : t_Once'0) (bc : Seq.seq t_T'0) (c : t_Once'0) : () - + use map.Map - goal vc_produces_trans'0 : ([%#sonce1] produces'0 b bc c) - -> ([%#sonce0] produces'0 a ab b) -> ([%#sonce2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__range__qyi16860283617022118777__produces_refl [#"../../../creusot-contracts/src/std/iter/range.rs" 33 4 33 26] (* as std::iter::Iterator> *) - let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45 - let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 30 4 30 10 - let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 22 12 26 70 + function iter'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 16 4 16 22] (self : t_Filter'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Filter'0 . [%#sfilter5] inv'0 self -> inv'2 (iter'0 self) use seq.Seq - type t_Idx'0 + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - use seq.Seq + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - type t_Range'0 = - { t_Range__start'0: t_Idx'0; t_Range__end'0: t_Idx'0 } + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter14] produces'1 a ab b) + -> ([%#siter15] produces'1 b bc c) -> ([%#siter16] produces'1 a (Seq.(++) ab bc) c) - use prelude.prelude.Int + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter13] produces'1 self (Seq.empty : Seq.seq t_Item'0) self use seq.Seq + use map.Map + use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 20 4 20 64] (self : t_Range'0) (visited : Seq.seq t_Idx'0) (o : t_Range'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 85 4 85 67] (self : t_Filter'0) (visited : Seq.seq t_Item'0) (succ : t_Filter'0) = - [%#srange2] self.t_Range__end'0 = o.t_Range__end'0 - /\ deep_model'0 self.t_Range__start'0 <= deep_model'0 o.t_Range__start'0 - /\ (Seq.length visited > 0 -> deep_model'0 o.t_Range__start'0 <= deep_model'0 o.t_Range__end'0) - /\ Seq.length visited = deep_model'0 o.t_Range__start'0 - deep_model'0 self.t_Range__start'0 - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> deep_model'0 (Seq.get visited i) = deep_model'0 self.t_Range__start'0 + i) + [%#sfilter2] invariant'0 self + -> unnest'0 (func'0 self) (func'0 succ) + /\ (exists s : Seq.seq t_Item'0, f : Map.map int int . produces'1 (iter'0 self) s (iter'0 succ) + /\ (forall i : int, j : int . 0 <= i /\ i <= j /\ j < Seq.length visited + -> 0 <= Map.get f i /\ Map.get f i <= Map.get f j /\ Map.get f j < Seq.length s) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = Seq.get s (Map.get f i)) + /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> (exists j : int . 0 <= j /\ j < Seq.length visited /\ Map.get f j = i) + = postcondition_mut'0 (func'0 self) (Seq.get s i) (func'0 self) true)) - constant self : t_Range'0 + constant self : t_Filter'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 33 4 33 26] (self : t_Range'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 106 4 106 26] (self : t_Filter'0) : () - goal vc_produces_refl'0 : [%#srange0] produces'0 self (Seq.empty : Seq.seq t_Idx'0) self + goal vc_produces_refl'0 : [%#sfilter0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self end -module M_creusot_contracts__stdqy35z1__iter__range__qyi16860283617022118777__produces_trans [#"../../../creusot-contracts/src/std/iter/range.rs" 40 4 40 90] (* as std::iter::Iterator> *) - let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32 - let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32 - let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42 - let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 35 4 35 10 - let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 22 12 26 70 +module M_creusot_contracts__stdqy35z1__iter__filter__qyi9573749579793237160__produces_trans [#"../../../creusot-contracts/src/std/iter/filter.rs" 113 4 113 90] (* as std::iter::Iterator> *) + let%span sfilter0 = "../../../creusot-contracts/src/std/iter/filter.rs" 110 15 110 32 + let%span sfilter1 = "../../../creusot-contracts/src/std/iter/filter.rs" 111 15 111 32 + let%span sfilter2 = "../../../creusot-contracts/src/std/iter/filter.rs" 112 14 112 42 + let%span sfilter3 = "../../../creusot-contracts/src/std/iter/filter.rs" 108 4 108 10 + let%span sfilter4 = "../../../creusot-contracts/src/std/iter/filter.rs" 87 12 99 17 + let%span sfilter5 = "../../../creusot-contracts/src/std/iter/filter.rs" 34 12 40 124 + let%span sfilter6 = "../../../creusot-contracts/src/std/iter/filter.rs" 22 14 22 39 + let%span sfilter7 = "../../../creusot-contracts/src/std/iter/filter.rs" 15 14 15 39 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops14 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter18 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - type t_Idx'0 + type t_I'0 - type t_Range'0 = - { t_Range__start'0: t_Idx'0; t_Range__end'0: t_Idx'0 } + type t_F'0 + + type t_Filter'0 = + { t_Filter__iter'0: t_I'0; t_Filter__predicate'0: t_F'0 } + + type t_Item'0 use seq.Seq - use prelude.prelude.Int + use prelude.prelude.Borrow - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) - use seq.Seq + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : bool) + - use seq.Seq + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 20 4 20 64] (self : t_Range'0) (visited : Seq.seq t_Idx'0) (o : t_Range'0) + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : bool) - = - [%#srange4] self.t_Range__end'0 = o.t_Range__end'0 - /\ deep_model'0 self.t_Range__start'0 <= deep_model'0 o.t_Range__start'0 - /\ (Seq.length visited > 0 -> deep_model'0 o.t_Range__start'0 <= deep_model'0 o.t_Range__end'0) - /\ Seq.length visited = deep_model'0 o.t_Range__start'0 - deep_model'0 self.t_Range__start'0 - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> deep_model'0 (Seq.get visited i) = deep_model'0 self.t_Range__start'0 + i) - use seq.Seq + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : bool) : () + - constant a : t_Range'0 + axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : bool . [%#sops14] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - constant ab : Seq.seq t_Idx'0 + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - constant b : t_Range'0 + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - constant bc : Seq.seq t_Idx'0 + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops11] unnest'0 self b) + -> ([%#sops12] unnest'0 b c) -> ([%#sops13] unnest'0 self c) - constant c : t_Range'0 + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 40 4 40 90] (a : t_Range'0) (ab : Seq.seq t_Idx'0) (b : t_Range'0) (bc : Seq.seq t_Idx'0) (c : t_Range'0) : () + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops10] unnest'0 self self + + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : bool) : () - goal vc_produces_trans'0 : ([%#srange1] produces'0 b bc c) - -> ([%#srange0] produces'0 a ab b) -> ([%#srange2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__range__range_inclusive_len [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] - let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 - let%span sops1 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 - let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : bool . ([%#sops8] postcondition_mut'0 self args res_state res) + -> ([%#sops9] unnest'0 self res_state) - type t_Idx'0 + predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 31 4 31 30] (self : t_Filter'0) = + [%#sfilter5] forall f : t_F'0, i : t_Item'0 . precondition'0 f (i) + /\ (forall f : t_F'0, g : t_F'0 . unnest'0 f g -> f = g) + /\ (forall f1 : t_F'0, f2 : t_F'0, i : t_Item'0 . not (postcondition_mut'0 f1 (i) f2 true + /\ postcondition_mut'0 f1 (i) f2 false)) - type t_RangeInclusive'0 = - { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - use prelude.prelude.Int + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Filter'0) - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + axiom inv_axiom'0 [@rewrite] : forall x : t_Filter'0 [inv'0 x] . inv'0 x + = (invariant'0 x + /\ match x with + | {t_Filter__iter'0 = iter ; t_Filter__predicate'0 = predicate'} -> inv'2 iter /\ inv'1 predicate' + end) - function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 + function func'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 23 4 23 22] (self : t_Filter'0) : t_F'0 - function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool + axiom func'0_spec : forall self : t_Filter'0 . [%#sfilter6] inv'0 self -> inv'1 (func'0 self) - axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . [%#sops1] not is_empty_log'0 self - -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) + use prelude.prelude.Int - constant r : t_RangeInclusive'0 + use map.Map - function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int - + function iter'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 16 4 16 22] (self : t_Filter'0) : t_I'0 - goal vc_range_inclusive_len'0 : ([%#sops1] not is_empty_log'0 r - -> deep_model'0 (start_log'0 r) <= deep_model'0 (end_log'0 r)) - -> (if is_empty_log'0 r then - [%#srange0] is_empty_log'0 r = (0 = 0) - else - [%#srange0] is_empty_log'0 r = (deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 = 0) - ) -end -module M_creusot_contracts__stdqy35z1__iter__range__qyi11108913944999844411__produces_refl [#"../../../creusot-contracts/src/std/iter/range.rs" 77 4 77 26] (* as std::iter::Iterator> *) - let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 76 14 76 45 - let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 74 4 74 10 - let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 66 12 70 76 - let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 - let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 + axiom iter'0_spec : forall self : t_Filter'0 . [%#sfilter7] inv'0 self -> inv'2 (iter'0 self) use seq.Seq - type t_Idx'0 - use seq.Seq - type t_RangeInclusive'0 = - { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - use seq.Seq + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter16] produces'1 a ab b) + -> ([%#siter17] produces'1 b bc c) -> ([%#siter18] produces'1 a (Seq.(++) ab bc) c) - use prelude.prelude.Int + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter15] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 + use seq.Seq - function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool + use map.Map - axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . [%#sops5] not is_empty_log'0 self - -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) + use seq.Seq - function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 85 4 85 67] (self : t_Filter'0) (visited : Seq.seq t_Item'0) (succ : t_Filter'0) = - [%#srange4] if is_empty_log'0 r then 0 else deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 + [%#sfilter4] invariant'0 self + -> unnest'0 (func'0 self) (func'0 succ) + /\ (exists s : Seq.seq t_Item'0, f : Map.map int int . produces'1 (iter'0 self) s (iter'0 succ) + /\ (forall i : int, j : int . 0 <= i /\ i <= j /\ j < Seq.length visited + -> 0 <= Map.get f i /\ Map.get f i <= Map.get f j /\ Map.get f j < Seq.length s) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = Seq.get s (Map.get f i)) + /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> (exists j : int . 0 <= j /\ j < Seq.length visited /\ Map.get f j = i) + = postcondition_mut'0 (func'0 self) (Seq.get s i) (func'0 self) true)) - axiom range_inclusive_len'0_spec : forall r : t_RangeInclusive'0 . [%#srange3] is_empty_log'0 r - = (range_inclusive_len'0 r = 0) + constant a : t_Filter'0 - use seq.Seq + constant ab : Seq.seq t_Item'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 64 4 64 64] (self : t_RangeInclusive'0) (visited : Seq.seq t_Idx'0) (o : t_RangeInclusive'0) - - = - [%#srange2] Seq.length visited = range_inclusive_len'0 self - range_inclusive_len'0 o - /\ (is_empty_log'0 self -> is_empty_log'0 o) - /\ (is_empty_log'0 o \/ end_log'0 self = end_log'0 o) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> deep_model'0 (Seq.get visited i) = deep_model'0 (start_log'0 self) + i) + constant b : t_Filter'0 - constant self : t_RangeInclusive'0 + constant bc : Seq.seq t_Item'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 77 4 77 26] (self : t_RangeInclusive'0) : () + constant c : t_Filter'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/filter.rs" 113 4 113 90] (a : t_Filter'0) (ab : Seq.seq t_Item'0) (b : t_Filter'0) (bc : Seq.seq t_Item'0) (c : t_Filter'0) : () - goal vc_produces_refl'0 : [%#srange0] produces'0 self (Seq.empty : Seq.seq t_Idx'0) self + goal vc_produces_trans'0 : ([%#sfilter1] produces'0 b bc c) + -> ([%#sfilter0] produces'0 a ab b) -> ([%#sfilter2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__iter__range__qyi11108913944999844411__produces_trans [#"../../../creusot-contracts/src/std/iter/range.rs" 84 4 84 90] (* as std::iter::Iterator> *) - let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 81 15 81 32 - let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 82 15 82 32 - let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 83 14 83 42 - let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 79 4 79 10 - let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 66 12 70 76 - let%span srange5 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 - let%span srange6 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 - let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 +module M_creusot_contracts__stdqy35z1__iter__fuse__qyi10730559947553418603__produces_refl [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (* as std::iter::Iterator> *) + let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 41 14 41 45 + let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 39 4 39 10 + let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 + let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 + let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - type t_Idx'0 + use seq.Seq - type t_RangeInclusive'0 = - { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } + type t_Item'0 use seq.Seq - use seq.Seq + type t_I'0 - function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 + type t_Option'0 = + | C_None'0 + | C_Some'0 t_I'0 - use prelude.prelude.Int + type t_Fuse'0 = + { t_Fuse__iter'0: t_Option'0 } - function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'2 a_0 + end - axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . [%#sops7] not is_empty_log'0 self - -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) - function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int - - = - [%#srange6] if is_empty_log'0 r then 0 else deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 + axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x + = match x with + | {t_Fuse__iter'0 = iter} -> inv'1 iter + end - axiom range_inclusive_len'0_spec : forall r : t_RangeInclusive'0 . [%#srange5] is_empty_log'0 r - = (range_inclusive_len'0 r = 0) + function view'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 + + axiom view'0_spec : forall self : t_Fuse'0 . ([%#sfuse3] inv'0 self -> inv'1 (view'0 self)) + && ([%#sfuse4] forall other : t_Fuse'0 . view'0 self = view'0 other -> self = other) use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 64 4 64 64] (self : t_RangeInclusive'0) (visited : Seq.seq t_Idx'0) (o : t_RangeInclusive'0) + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - = - [%#srange4] Seq.length visited = range_inclusive_len'0 self - range_inclusive_len'0 o - /\ (is_empty_log'0 self -> is_empty_log'0 o) - /\ (is_empty_log'0 o \/ end_log'0 self = end_log'0 o) - /\ (forall i : int . 0 <= i /\ i < Seq.length visited - -> deep_model'0 (Seq.get visited i) = deep_model'0 (start_log'0 self) + i) - use seq.Seq + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - constant a : t_RangeInclusive'0 + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) + -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) - constant ab : Seq.seq t_Idx'0 + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - constant b : t_RangeInclusive'0 + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - constant bc : Seq.seq t_Idx'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) + + = + [%#sfuse2] match view'0 self with + | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'0 other = view'0 self + | C_Some'0 i -> match view'0 other with + | C_Some'0 i2 -> produces'1 i prod i2 + | C_None'0 -> false + end + end - constant c : t_RangeInclusive'0 + constant self : t_Fuse'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 84 4 84 90] (a : t_RangeInclusive'0) (ab : Seq.seq t_Idx'0) (b : t_RangeInclusive'0) (bc : Seq.seq t_Idx'0) (c : t_RangeInclusive'0) : () - + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (self : t_Fuse'0) : () - goal vc_produces_trans'0 : ([%#srange1] produces'0 b bc c) - -> ([%#srange0] produces'0 a ab b) -> ([%#srange2] produces'0 a (Seq.(++) ab bc) c) + goal vc_produces_refl'0 : [%#sfuse0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self end -module M_creusot_contracts__stdqy35z1__iter__repeat__qyi8658929399712466629__produces_refl [#"../../../creusot-contracts/src/std/iter/repeat.rs" 32 4 32 26] (* as std::iter::Iterator> *) - let%span srepeat0 = "../../../creusot-contracts/src/std/iter/repeat.rs" 31 14 31 45 - let%span srepeat1 = "../../../creusot-contracts/src/std/iter/repeat.rs" 29 4 29 10 - let%span srepeat2 = "../../../creusot-contracts/src/std/iter/repeat.rs" 24 12 25 78 - - use seq.Seq +module M_creusot_contracts__stdqy35z1__iter__fuse__qyi10730559947553418603__produces_trans [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (* as std::iter::Iterator> *) + let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 46 15 46 32 + let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 47 15 47 32 + let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 48 14 48 42 + let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 44 4 44 10 + let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 + let%span sfuse5 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 + let%span sfuse6 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - type t_T'0 + type t_I'0 - use seq.Seq + type t_Option'0 = + | C_None'0 + | C_Some'0 t_I'0 - type t_Repeat'0 = - { t_Repeat__element'0: t_T'0 } + type t_Fuse'0 = + { t_Fuse__iter'0: t_Option'0 } - use prelude.prelude.Int + type t_Item'0 use seq.Seq use seq.Seq - function view'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 8 4 8 22] (self : t_Repeat'0) : t_T'0 + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 22 4 22 64] (self : t_Repeat'0) (visited : Seq.seq t_T'0) (o : t_Repeat'0) - - = - [%#srepeat2] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = view'0 self) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - constant self : t_Repeat'0 + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'2 a_0 + end - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 32 4 32 26] (self : t_Repeat'0) : () + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) - goal vc_produces_refl'0 : [%#srepeat0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__iter__repeat__qyi8658929399712466629__produces_trans [#"../../../creusot-contracts/src/std/iter/repeat.rs" 39 4 39 90] (* as std::iter::Iterator> *) - let%span srepeat0 = "../../../creusot-contracts/src/std/iter/repeat.rs" 36 15 36 32 - let%span srepeat1 = "../../../creusot-contracts/src/std/iter/repeat.rs" 37 15 37 32 - let%span srepeat2 = "../../../creusot-contracts/src/std/iter/repeat.rs" 38 14 38 42 - let%span srepeat3 = "../../../creusot-contracts/src/std/iter/repeat.rs" 34 4 34 10 - let%span srepeat4 = "../../../creusot-contracts/src/std/iter/repeat.rs" 24 12 25 78 + axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x + = match x with + | {t_Fuse__iter'0 = iter} -> inv'1 iter + end - type t_T'0 + function view'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 - type t_Repeat'0 = - { t_Repeat__element'0: t_T'0 } + axiom view'0_spec : forall self : t_Fuse'0 . ([%#sfuse5] inv'0 self -> inv'1 (view'0 self)) + && ([%#sfuse6] forall other : t_Fuse'0 . view'0 self = view'0 other -> self = other) use seq.Seq - use prelude.prelude.Int + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - use seq.Seq + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - use seq.Seq + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter8] produces'1 a ab b) + -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) - function view'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 8 4 8 22] (self : t_Repeat'0) : t_T'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 22 4 22 64] (self : t_Repeat'0) (visited : Seq.seq t_T'0) (o : t_Repeat'0) + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) = - [%#srepeat4] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = view'0 self) - - use seq.Seq + [%#sfuse4] match view'0 self with + | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'0 other = view'0 self + | C_Some'0 i -> match view'0 other with + | C_Some'0 i2 -> produces'1 i prod i2 + | C_None'0 -> false + end + end - constant a : t_Repeat'0 + constant a : t_Fuse'0 - constant ab : Seq.seq t_T'0 + constant ab : Seq.seq t_Item'0 - constant b : t_Repeat'0 + constant b : t_Fuse'0 - constant bc : Seq.seq t_T'0 + constant bc : Seq.seq t_Item'0 - constant c : t_Repeat'0 + constant c : t_Fuse'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 39 4 39 90] (a : t_Repeat'0) (ab : Seq.seq t_T'0) (b : t_Repeat'0) (bc : Seq.seq t_T'0) (c : t_Repeat'0) : () + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (a : t_Fuse'0) (ab : Seq.seq t_Item'0) (b : t_Fuse'0) (bc : Seq.seq t_Item'0) (c : t_Fuse'0) : () - goal vc_produces_trans'0 : ([%#srepeat1] produces'0 b bc c) - -> ([%#srepeat0] produces'0 a ab b) -> ([%#srepeat2] produces'0 a (Seq.(++) ab bc) c) + goal vc_produces_trans'0 : ([%#sfuse1] produces'0 b bc c) + -> ([%#sfuse0] produces'0 a ab b) -> ([%#sfuse2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__iter__skip__qyi3195031491774060502__produces_refl [#"../../../creusot-contracts/src/std/iter/skip.rs" 74 4 74 26] (* as std::iter::Iterator> *) - let%span sskip0 = "../../../creusot-contracts/src/std/iter/skip.rs" 73 14 73 45 - let%span sskip1 = "../../../creusot-contracts/src/std/iter/skip.rs" 71 4 71 10 - let%span sskip2 = "../../../creusot-contracts/src/std/iter/skip.rs" 62 12 67 74 - let%span sskip3 = "../../../creusot-contracts/src/std/iter/skip.rs" 21 14 21 50 - let%span sskip4 = "../../../creusot-contracts/src/std/iter/skip.rs" 14 14 14 39 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - - use seq.Seq - - type t_Item'0 - - use seq.Seq +module M_creusot_contracts__stdqy35z1__iter__fuse__qyi7691061398646472980__is_fused [#"../../../creusot-contracts/src/std/iter/fuse.rs" 66 4 66 62] (* as std::iter::fuse::FusedIterator> *) + let%span sfuse0 = "../../../creusot-contracts/src/std/iter/fuse.rs" 63 15 63 31 + let%span sfuse1 = "../../../creusot-contracts/src/std/iter/fuse.rs" 64 15 64 44 + let%span sfuse2 = "../../../creusot-contracts/src/std/iter/fuse.rs" 65 14 65 50 + let%span sfuse3 = "../../../creusot-contracts/src/std/iter/fuse.rs" 61 4 61 10 + let%span sfuse4 = "../../../creusot-contracts/src/std/iter/fuse.rs" 20 12 21 28 + let%span sfuse5 = "../../../creusot-contracts/src/std/iter/fuse.rs" 29 12 35 13 + let%span sfuse6 = "../../../creusot-contracts/src/std/iter/fuse.rs" 41 14 41 45 + let%span sfuse7 = "../../../creusot-contracts/src/std/iter/fuse.rs" 39 4 39 10 + let%span sfuse8 = "../../../creusot-contracts/src/std/iter/fuse.rs" 46 15 46 32 + let%span sfuse9 = "../../../creusot-contracts/src/std/iter/fuse.rs" 47 15 47 32 + let%span sfuse10 = "../../../creusot-contracts/src/std/iter/fuse.rs" 48 14 48 42 + let%span sfuse11 = "../../../creusot-contracts/src/std/iter/fuse.rs" 44 4 44 10 + let%span smodel12 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sfuse13 = "../../../creusot-contracts/src/std/iter/fuse.rs" 8 14 8 39 + let%span sfuse14 = "../../../creusot-contracts/src/std/iter/fuse.rs" 9 14 9 71 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter18 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 type t_I'0 - use prelude.prelude.UIntSize - - type t_Skip'0 = - { t_Skip__iter'0: t_I'0; t_Skip__n'0: usize } + type t_Option'0 = + | C_None'0 + | C_Some'0 t_I'0 - use prelude.prelude.Int + type t_Fuse'0 = + { t_Fuse__iter'0: t_Option'0 } - constant v_MAX'0 : usize = (18446744073709551615 : usize) + type t_Item'0 - use prelude.prelude.UIntSize + use seq.Seq - function n'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 22 4 22 21] (self : t_Skip'0) : int + use seq.Seq - axiom n'0_spec : forall self : t_Skip'0 . [%#sskip3] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - use seq.Seq + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'2 a_0 + end - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Skip'0) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Fuse'0) - axiom inv_axiom'0 [@rewrite] : forall x : t_Skip'0 [inv'0 x] . inv'0 x + axiom inv_axiom'0 [@rewrite] : forall x : t_Fuse'0 [inv'0 x] . inv'0 x = match x with - | {t_Skip__iter'0 = iter ; t_Skip__n'0 = n} -> inv'1 iter + | {t_Fuse__iter'0 = iter} -> inv'1 iter end - function iter'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 15 4 15 22] (self : t_Skip'0) : t_I'0 + function view'1 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 10 4 10 30] (self : t_Fuse'0) : t_Option'0 - axiom iter'0_spec : forall self : t_Skip'0 . [%#sskip4] inv'0 self -> inv'1 (iter'0 self) + axiom view'1_spec : forall self : t_Fuse'0 . ([%#sfuse13] inv'0 self -> inv'1 (view'1 self)) + && ([%#sfuse14] forall other : t_Fuse'0 . view'1 self = view'1 other -> self = other) use seq.Seq predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) - -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter16] produces'1 a ab b) + -> ([%#siter17] produces'1 b bc c) -> ([%#siter18] produces'1 a (Seq.(++) ab bc) c) function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - - use seq.Seq - - use prelude.prelude.Borrow + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter15] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Item'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 27 4 27 65] (self : t_Fuse'0) (prod : Seq.seq t_Item'0) (other : t_Fuse'0) + + = + [%#sfuse5] match view'1 self with + | C_None'0 -> prod = (Seq.empty : Seq.seq t_Item'0) /\ view'1 other = view'1 self + | C_Some'0 i -> match view'1 other with + | C_Some'0 i2 -> produces'1 i prod i2 + | C_None'0 -> false + end + end - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 60 4 60 64] (self : t_Skip'0) (visited : Seq.seq t_Item'0) (o : t_Skip'0) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 49 4 49 90] (a : t_Fuse'0) (ab : Seq.seq t_Item'0) (b : t_Fuse'0) (bc : Seq.seq t_Item'0) (c : t_Fuse'0) : () = - [%#sskip2] visited = (Seq.empty : Seq.seq t_Item'0) /\ self = o - \/ n'0 o = 0 - /\ Seq.length visited > 0 - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = n'0 self - /\ produces'1 (iter'0 self) (Seq.(++) s visited) (iter'0 o) - /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve'0 (Seq.get s i))) + [%#sfuse11] () - constant self : t_Skip'0 + axiom produces_trans'0_spec : forall a : t_Fuse'0, ab : Seq.seq t_Item'0, b : t_Fuse'0, bc : Seq.seq t_Item'0, c : t_Fuse'0 . ([%#sfuse8] produces'0 a ab b) + -> ([%#sfuse9] produces'0 b bc c) -> ([%#sfuse10] produces'0 a (Seq.(++) ab bc) c) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 74 4 74 26] (self : t_Skip'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 42 4 42 26] (self : t_Fuse'0) : () = + [%#sfuse7] () - goal vc_produces_refl'0 : [%#sskip0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self -end -module M_creusot_contracts__stdqy35z1__iter__skip__qyi3195031491774060502__produces_trans [#"../../../creusot-contracts/src/std/iter/skip.rs" 81 4 81 90] (* as std::iter::Iterator> *) - let%span sskip0 = "../../../creusot-contracts/src/std/iter/skip.rs" 78 15 78 32 - let%span sskip1 = "../../../creusot-contracts/src/std/iter/skip.rs" 79 15 79 32 - let%span sskip2 = "../../../creusot-contracts/src/std/iter/skip.rs" 80 14 80 42 - let%span sskip3 = "../../../creusot-contracts/src/std/iter/skip.rs" 76 4 76 10 - let%span sskip4 = "../../../creusot-contracts/src/std/iter/skip.rs" 62 12 67 74 - let%span sskip5 = "../../../creusot-contracts/src/std/iter/skip.rs" 21 14 21 50 - let%span sskip6 = "../../../creusot-contracts/src/std/iter/skip.rs" 14 14 14 39 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom produces_refl'0_spec : forall self : t_Fuse'0 . [%#sfuse6] produces'0 self (Seq.empty : Seq.seq t_Item'0) self - type t_I'0 + use prelude.prelude.Borrow - use prelude.prelude.UIntSize + function view'0 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (t_Fuse'0)) : t_Option'0 = + [%#smodel12] view'1 self.current - type t_Skip'0 = - { t_Skip__iter'0: t_I'0; t_Skip__n'0: usize } + predicate completed'1 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) - type t_Item'0 + predicate completed'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 18 4 18 35] (self : borrowed (t_Fuse'0)) = + [%#sfuse4] (view'0 self = C_None'0 + \/ (exists it : borrowed t_I'0 . completed'1 it /\ view'0 self = C_Some'0 (it.current))) + /\ view'1 self.final = C_None'0 - use seq.Seq + constant self : borrowed (t_Fuse'0) - use seq.Seq + constant steps : Seq.seq t_Item'0 - use prelude.prelude.Int + constant next : t_Fuse'0 - constant v_MAX'0 : usize = (18446744073709551615 : usize) + function is_fused'0 [#"../../../creusot-contracts/src/std/iter/fuse.rs" 66 4 66 62] (self : borrowed (t_Fuse'0)) (steps : Seq.seq t_Item'0) (next : t_Fuse'0) : () + - use prelude.prelude.UIntSize + goal vc_is_fused'0 : ([%#sfuse1] produces'0 self.final steps next) + -> ([%#sfuse0] completed'0 self) -> ([%#sfuse2] steps = (Seq.empty : Seq.seq t_Item'0) /\ self.final = next) +end +module M_creusot_contracts__stdqy35z1__iter__map__qyi6597778842032428791__produces_refl [#"../../../creusot-contracts/src/std/iter/map.rs" 81 4 81 26] (* as std::iter::Iterator> *) + let%span smap0 = "../../../creusot-contracts/src/std/iter/map.rs" 80 14 80 45 + let%span smap1 = "../../../creusot-contracts/src/std/iter/map.rs" 78 4 78 10 + let%span smap2 = "../../../creusot-contracts/src/std/iter/map.rs" 63 12 74 75 + let%span smap3 = "../../../creusot-contracts/src/std/iter/map.rs" 22 14 22 39 + let%span smap4 = "../../../creusot-contracts/src/std/iter/map.rs" 15 14 15 39 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - function n'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 22 4 22 21] (self : t_Skip'0) : int + use seq.Seq - axiom n'0_spec : forall self : t_Skip'0 . [%#sskip5] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + type t_B'0 use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + type t_I'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Skip'0) + type t_F'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_Skip'0 [inv'0 x] . inv'0 x + type t_Map'0 = + { t_Map__iter'0: t_I'0; t_Map__f'0: t_F'0 } + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Map'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Map'0 [inv'0 x] . inv'0 x = match x with - | {t_Skip__iter'0 = iter ; t_Skip__n'0 = n} -> inv'1 iter + | {t_Map__iter'0 = iter ; t_Map__f'0 = f} -> inv'2 iter /\ inv'1 f end - function iter'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 15 4 15 22] (self : t_Skip'0) : t_I'0 + function func'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 23 4 23 22] (self : t_Map'0) : t_F'0 - axiom iter'0_spec : forall self : t_Skip'0 . [%#sskip6] inv'0 self -> inv'1 (iter'0 self) + axiom func'0_spec : forall self : t_Map'0 . [%#smap3] inv'0 self -> inv'1 (func'0 self) - use seq.Seq + type t_Item'0 - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : t_B'0) - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - - - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter8] produces'1 a ab b) - -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + use prelude.prelude.Borrow - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : t_B'0) + - use seq.Seq + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : t_B'0) : () + - use prelude.prelude.Borrow + axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : t_B'0 . [%#sops11] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Item'0) + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 60 4 60 64] (self : t_Skip'0) (visited : Seq.seq t_Item'0) (o : t_Skip'0) + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - = - [%#sskip4] visited = (Seq.empty : Seq.seq t_Item'0) /\ self = o - \/ n'0 o = 0 - /\ Seq.length visited > 0 - /\ (exists s : Seq.seq t_Item'0 . Seq.length s = n'0 self - /\ produces'1 (iter'0 self) (Seq.(++) s visited) (iter'0 o) - /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve'0 (Seq.get s i))) - - constant a : t_Skip'0 - - constant ab : Seq.seq t_Item'0 - constant b : t_Skip'0 + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops8] unnest'0 self b) + -> ([%#sops9] unnest'0 b c) -> ([%#sops10] unnest'0 self c) - constant bc : Seq.seq t_Item'0 + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - constant c : t_Skip'0 + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops7] unnest'0 self self - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 81 4 81 90] (a : t_Skip'0) (ab : Seq.seq t_Item'0) (b : t_Skip'0) (bc : Seq.seq t_Item'0) (c : t_Skip'0) : () + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : t_B'0) : () - goal vc_produces_trans'0 : ([%#sskip1] produces'0 b bc c) - -> ([%#sskip0] produces'0 a ab b) -> ([%#sskip2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__take__qyi12344256497067751022__produces_refl [#"../../../creusot-contracts/src/std/iter/take.rs" 72 4 72 26] (* as std::iter::Iterator> *) - let%span stake0 = "../../../creusot-contracts/src/std/iter/take.rs" 71 14 71 45 - let%span stake1 = "../../../creusot-contracts/src/std/iter/take.rs" 69 4 69 10 - let%span stake2 = "../../../creusot-contracts/src/std/iter/take.rs" 65 12 65 88 - let%span stake3 = "../../../creusot-contracts/src/std/iter/take.rs" 31 14 31 50 - let%span stake4 = "../../../creusot-contracts/src/std/iter/take.rs" 17 14 17 39 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : t_B'0 . ([%#sops5] postcondition_mut'0 self args res_state res) + -> ([%#sops6] unnest'0 self res_state) use seq.Seq - type t_Item'0 - use seq.Seq - type t_I'0 - - use prelude.prelude.UIntSize - - type t_Take'0 = - { t_Take__iter'0: t_I'0; t_Take__n'0: usize } - - use prelude.prelude.Int - - constant v_MAX'0 : usize = (18446744073709551615 : usize) - - use prelude.prelude.UIntSize - - function n'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 32 4 32 21] (self : t_Take'0) : int - - axiom n'0_spec : forall self : t_Take'0 . [%#stake3] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) - use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + use seq.Seq - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Take'0) + use seq.Seq - axiom inv_axiom'0 [@rewrite] : forall x : t_Take'0 [inv'0 x] . inv'0 x - = match x with - | {t_Take__iter'0 = iter ; t_Take__n'0 = n} -> inv'1 iter - end + function iter'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 16 4 16 22] (self : t_Map'0) : t_I'0 - function iter'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 18 4 18 22] (self : t_Take'0) : t_I'0 + axiom iter'0_spec : forall self : t_Map'0 . [%#smap4] inv'0 self -> inv'2 (iter'0 self) - axiom iter'0_spec : forall self : t_Take'0 . [%#stake4] inv'0 self -> inv'1 (iter'0 self) + use seq.Seq use seq.Seq @@ -6028,148 +6194,159 @@ module M_creusot_contracts__stdqy35z1__iter__take__qyi12344256497067751022__prod function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) - -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter13] produces'1 a ab b) + -> ([%#siter14] produces'1 b bc c) -> ([%#siter15] produces'1 a (Seq.(++) ab bc) c) function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 63 4 63 64] (self : t_Take'0) (visited : Seq.seq t_Item'0) (o : t_Take'0) - - = - [%#stake2] n'0 self = n'0 o + Seq.length visited /\ produces'1 (iter'0 self) visited (iter'0 o) + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter12] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - constant self : t_Take'0 + use prelude.prelude.Int - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 72 4 72 26] (self : t_Take'0) : () + use seq.Seq - goal vc_produces_refl'0 : [%#stake0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self -end -module M_creusot_contracts__stdqy35z1__iter__take__qyi12344256497067751022__produces_trans [#"../../../creusot-contracts/src/std/iter/take.rs" 79 4 79 90] (* as std::iter::Iterator> *) - let%span stake0 = "../../../creusot-contracts/src/std/iter/take.rs" 76 15 76 32 - let%span stake1 = "../../../creusot-contracts/src/std/iter/take.rs" 77 15 77 32 - let%span stake2 = "../../../creusot-contracts/src/std/iter/take.rs" 78 14 78 42 - let%span stake3 = "../../../creusot-contracts/src/std/iter/take.rs" 74 4 74 10 - let%span stake4 = "../../../creusot-contracts/src/std/iter/take.rs" 65 12 65 88 - let%span stake5 = "../../../creusot-contracts/src/std/iter/take.rs" 31 14 31 50 - let%span stake6 = "../../../creusot-contracts/src/std/iter/take.rs" 17 14 17 39 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + use seq.Seq - type t_I'0 + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) - use prelude.prelude.UIntSize + use seq.Seq - type t_Take'0 = - { t_Take__iter'0: t_I'0; t_Take__n'0: usize } + predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map.rs" 61 4 61 67] (self : t_Map'0) (visited : Seq.seq t_B'0) (succ : t_Map'0) + + = + [%#smap2] unnest'0 (func'0 self) (func'0 succ) + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 [produces'1 (iter'0 self) s (iter'0 succ)] . Seq.length s = Seq.length visited + /\ produces'1 (iter'0 self) s (iter'0 succ) + /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + func'0 self = func'0 succ + else + (Seq.get fs 0).current = func'0 self /\ (Seq.get fs (Seq.length visited - 1)).final = func'0 succ + ) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest'0 (func'0 self) (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i) (Seq.get fs i).final (Seq.get visited i)))) - type t_Item'0 + constant self : t_Map'0 - use seq.Seq + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 81 4 81 26] (self : t_Map'0) : () - use prelude.prelude.Int + goal vc_produces_refl'0 : [%#smap0] produces'0 self (Seq.empty : Seq.seq t_B'0) self +end +module M_creusot_contracts__stdqy35z1__iter__map__qyi6597778842032428791__produces_trans [#"../../../creusot-contracts/src/std/iter/map.rs" 88 4 88 90] (* as std::iter::Iterator> *) + let%span smap0 = "../../../creusot-contracts/src/std/iter/map.rs" 85 15 85 32 + let%span smap1 = "../../../creusot-contracts/src/std/iter/map.rs" 86 15 86 32 + let%span smap2 = "../../../creusot-contracts/src/std/iter/map.rs" 87 14 87 42 + let%span smap3 = "../../../creusot-contracts/src/std/iter/map.rs" 83 4 83 10 + let%span smap4 = "../../../creusot-contracts/src/std/iter/map.rs" 63 12 74 75 + let%span smap5 = "../../../creusot-contracts/src/std/iter/map.rs" 22 14 22 39 + let%span smap6 = "../../../creusot-contracts/src/std/iter/map.rs" 15 14 15 39 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops12 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter16 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter17 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - constant v_MAX'0 : usize = (18446744073709551615 : usize) + type t_I'0 - use prelude.prelude.UIntSize + type t_F'0 - function n'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 32 4 32 21] (self : t_Take'0) : int + type t_Map'0 = + { t_Map__iter'0: t_I'0; t_Map__f'0: t_F'0 } - axiom n'0_spec : forall self : t_Take'0 . [%#stake5] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + type t_B'0 use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Take'0) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - axiom inv_axiom'0 [@rewrite] : forall x : t_Take'0 [inv'0 x] . inv'0 x + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Map'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Map'0 [inv'0 x] . inv'0 x = match x with - | {t_Take__iter'0 = iter ; t_Take__n'0 = n} -> inv'1 iter + | {t_Map__iter'0 = iter ; t_Map__f'0 = f} -> inv'2 iter /\ inv'1 f end - function iter'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 18 4 18 22] (self : t_Take'0) : t_I'0 - - axiom iter'0_spec : forall self : t_Take'0 . [%#stake6] inv'0 self -> inv'1 (iter'0 self) - - use seq.Seq + function func'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 23 4 23 22] (self : t_Map'0) : t_F'0 - use seq.Seq + axiom func'0_spec : forall self : t_Map'0 . [%#smap5] inv'0 self -> inv'1 (func'0 self) - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + type t_Item'0 - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_Item'0) (result : t_B'0) - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter8] produces'1 a ab b) - -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + use prelude.prelude.Borrow - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : t_Item'0) (result_state : t_F'0) (result : t_B'0) + - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 63 4 63 64] (self : t_Take'0) (visited : Seq.seq t_Item'0) (o : t_Take'0) + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : t_Item'0) (res : t_B'0) : () - = - [%#stake4] n'0 self = n'0 o + Seq.length visited /\ produces'1 (iter'0 self) visited (iter'0 o) - constant a : t_Take'0 + axiom fn_mut_once'0_spec : forall self : t_F'0, args : t_Item'0, res : t_B'0 . [%#sops13] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - constant ab : Seq.seq t_Item'0 + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - constant b : t_Take'0 + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - constant bc : Seq.seq t_Item'0 + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops10] unnest'0 self b) + -> ([%#sops11] unnest'0 b c) -> ([%#sops12] unnest'0 self c) - constant c : t_Take'0 + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 79 4 79 90] (a : t_Take'0) (ab : Seq.seq t_Item'0) (b : t_Take'0) (bc : Seq.seq t_Item'0) (c : t_Take'0) : () + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops9] unnest'0 self self + + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : t_Item'0) (res_state : t_F'0) (res : t_B'0) : () - goal vc_produces_trans'0 : ([%#stake1] produces'0 b bc c) - -> ([%#stake0] produces'0 a ab b) -> ([%#stake2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__zip__qyi2281060687216883844__produces_refl [#"../../../creusot-contracts/src/std/iter/zip.rs" 56 4 56 26] (* as std::iter::Iterator> *) - let%span szip0 = "../../../creusot-contracts/src/std/iter/zip.rs" 55 14 55 45 - let%span szip1 = "../../../creusot-contracts/src/std/iter/zip.rs" 53 4 53 10 - let%span szip2 = "../../../creusot-contracts/src/std/iter/zip.rs" 46 12 49 95 - let%span szip3 = "../../../creusot-contracts/src/std/iter/zip.rs" 14 14 14 39 - let%span szip4 = "../../../creusot-contracts/src/std/iter/zip.rs" 21 14 21 39 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : t_Item'0, res_state : t_F'0, res : t_B'0 . ([%#sops7] postcondition_mut'0 self args res_state res) + -> ([%#sops8] unnest'0 self res_state) use seq.Seq - type t_Item'0 - - type t_Item'1 + use seq.Seq use seq.Seq - type t_A'0 + use seq.Seq - type t_B'0 + use seq.Seq - use prelude.prelude.UIntSize + function iter'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 16 4 16 22] (self : t_Map'0) : t_I'0 - type t_Zip'0 = - { t_Zip__a'0: t_A'0; t_Zip__b'0: t_B'0; t_Zip__index'0: usize; t_Zip__len'0: usize; t_Zip__a_len'0: usize } + axiom iter'0_spec : forall self : t_Map'0 . [%#smap6] inv'0 self -> inv'2 (iter'0 self) use seq.Seq use seq.Seq - use seq.Seq + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - use seq.Seq + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - use seq.Seq + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter15] produces'1 a ab b) + -> ([%#siter16] produces'1 b bc c) -> ([%#siter17] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter14] produces'1 self (Seq.empty : Seq.seq t_Item'0) self use prelude.prelude.Int @@ -6177,101 +6354,114 @@ module M_creusot_contracts__stdqy35z1__iter__zip__qyi2281060687216883844__produc use seq.Seq - use seq.Seq + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_Item'0) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_A'0) + use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) + predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map.rs" 61 4 61 67] (self : t_Map'0) (visited : Seq.seq t_B'0) (succ : t_Map'0) + + = + [%#smap4] unnest'0 (func'0 self) (func'0 succ) + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 [produces'1 (iter'0 self) s (iter'0 succ)] . Seq.length s = Seq.length visited + /\ produces'1 (iter'0 self) s (iter'0 succ) + /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + func'0 self = func'0 succ + else + (Seq.get fs 0).current = func'0 self /\ (Seq.get fs (Seq.length visited - 1)).final = func'0 succ + ) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest'0 (func'0 self) (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i) (Seq.get fs i).final (Seq.get visited i)))) - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Zip'0) + use seq.Seq - axiom inv_axiom'0 [@rewrite] : forall x : t_Zip'0 [inv'0 x] . inv'0 x - = match x with - | {t_Zip__a'0 = a ; t_Zip__b'0 = b ; t_Zip__index'0 = index ; t_Zip__len'0 = len ; t_Zip__a_len'0 = a_len} -> inv'1 a - /\ inv'2 b - end + constant a : t_Map'0 - function itera'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 15 4 15 23] (self : t_Zip'0) : t_A'0 + constant ab : Seq.seq t_B'0 - axiom itera'0_spec : forall self : t_Zip'0 . [%#szip3] inv'0 self -> inv'1 (itera'0 self) + constant b : t_Map'0 - use seq.Seq + constant bc : Seq.seq t_B'0 - use seq.Seq + constant c : t_Map'0 - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_A'0) (visited : Seq.seq t_Item'0) (o : t_A'0) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map.rs" 88 4 88 90] (a : t_Map'0) (ab : Seq.seq t_B'0) (b : t_Map'0) (bc : Seq.seq t_B'0) (c : t_Map'0) : () - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_A'0) (ab : Seq.seq t_Item'0) (b : t_A'0) (bc : Seq.seq t_Item'0) (c : t_A'0) : () - + goal vc_produces_trans'0 : ([%#smap1] produces'0 b bc c) + -> ([%#smap0] produces'0 a ab b) -> ([%#smap2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__produces_refl [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (* ::Item, F> as std::iter::Iterator> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 + let%span sops3 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - axiom produces_trans'0_spec : forall a : t_A'0, ab : Seq.seq t_Item'0, b : t_A'0, bc : Seq.seq t_Item'0, c : t_A'0 . ([%#siter6] produces'1 a ab b) - -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + use seq.Seq - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_A'0) : () + type t_B'0 - axiom produces_refl'1_spec : forall self : t_A'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + use seq.Seq - function iterb'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 22 4 22 23] (self : t_Zip'0) : t_B'0 + type t_I'0 - axiom iterb'0_spec : forall self : t_Zip'0 . [%#szip4] inv'0 self -> inv'2 (iterb'0 self) + type t_F'0 - use seq.Seq + type t_Item'0 use seq.Seq - predicate produces'2 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_B'0) (visited : Seq.seq t_Item'1) (o : t_B'0) - + use prelude.prelude.Snapshot - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_B'0) (ab : Seq.seq t_Item'1) (b : t_B'0) (bc : Seq.seq t_Item'1) (c : t_B'0) : () - + type t_MapInv'0 = + { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } - axiom produces_trans'1_spec : forall a : t_B'0, ab : Seq.seq t_Item'1, b : t_B'0, bc : Seq.seq t_Item'1, c : t_B'0 . ([%#siter6] produces'2 a ab b) - -> ([%#siter7] produces'2 b bc c) -> ([%#siter8] produces'2 a (Seq.(++) ab bc) c) + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) + - function produces_refl'2 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_B'0) : () + use prelude.prelude.Borrow - axiom produces_refl'2_spec : forall self : t_B'0 . [%#siter5] produces'2 self (Seq.empty : Seq.seq t_Item'1) self + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 43 4 43 64] (self : t_Zip'0) (visited : Seq.seq (t_Item'0, t_Item'1)) (o : t_Zip'0) + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - = - [%#szip2] exists p1 : Seq.seq t_Item'0, p2 : Seq.seq t_Item'1 . Seq.length p1 = Seq.length p2 - /\ Seq.length p2 = Seq.length visited - /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) - /\ produces'1 (itera'0 self) p1 (itera'0 o) /\ produces'2 (iterb'0 self) p2 (iterb'0 o) - constant self : t_Zip'0 + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 56 4 56 26] (self : t_Zip'0) : () + axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops9] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - goal vc_produces_refl'0 : [%#szip0] produces'0 self (Seq.empty : Seq.seq (t_Item'0, t_Item'1)) self -end -module M_creusot_contracts__stdqy35z1__iter__zip__qyi2281060687216883844__produces_trans [#"../../../creusot-contracts/src/std/iter/zip.rs" 63 4 63 90] (* as std::iter::Iterator> *) - let%span szip0 = "../../../creusot-contracts/src/std/iter/zip.rs" 60 15 60 32 - let%span szip1 = "../../../creusot-contracts/src/std/iter/zip.rs" 61 15 61 32 - let%span szip2 = "../../../creusot-contracts/src/std/iter/zip.rs" 62 14 62 42 - let%span szip3 = "../../../creusot-contracts/src/std/iter/zip.rs" 58 4 58 10 - let%span szip4 = "../../../creusot-contracts/src/std/iter/zip.rs" 46 12 49 95 - let%span szip5 = "../../../creusot-contracts/src/std/iter/zip.rs" 14 14 14 39 - let%span szip6 = "../../../creusot-contracts/src/std/iter/zip.rs" 21 14 21 39 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - type t_A'0 + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - type t_B'0 + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops6] unnest'0 self b) + -> ([%#sops7] unnest'0 b c) -> ([%#sops8] unnest'0 self c) - use prelude.prelude.UIntSize + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - type t_Zip'0 = - { t_Zip__a'0: t_A'0; t_Zip__b'0: t_B'0; t_Zip__index'0: usize; t_Zip__len'0: usize; t_Zip__a_len'0: usize } + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops5] unnest'0 self self - type t_Item'0 + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () + - type t_Item'1 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops3] postcondition_mut'0 self args res_state res) + -> ([%#sops4] unnest'0 self res_state) use seq.Seq @@ -6285,155 +6475,163 @@ module M_creusot_contracts__stdqy35z1__iter__zip__qyi2281060687216883844__produc use seq.Seq - use prelude.prelude.Int - - use seq.Seq + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - use seq.Seq + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - use seq.Seq + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter11] produces'1 a ab b) + -> ([%#siter12] produces'1 b bc c) -> ([%#siter13] produces'1 a (Seq.(++) ab bc) c) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_A'0) + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter10] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Zip'0) + use prelude.prelude.Snapshot - axiom inv_axiom'0 [@rewrite] : forall x : t_Zip'0 [inv'0 x] . inv'0 x - = match x with - | {t_Zip__a'0 = a ; t_Zip__b'0 = b ; t_Zip__index'0 = index ; t_Zip__len'0 = len ; t_Zip__a_len'0 = a_len} -> inv'1 a - /\ inv'2 b - end + use prelude.prelude.Snapshot - function itera'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 15 4 15 23] (self : t_Zip'0) : t_A'0 + use prelude.prelude.Int - axiom itera'0_spec : forall self : t_Zip'0 . [%#szip5] inv'0 self -> inv'1 (itera'0 self) + use seq.Seq use seq.Seq use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_A'0) (visited : Seq.seq t_Item'0) (o : t_A'0) + use prelude.prelude.Snapshot + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_A'0) (ab : Seq.seq t_Item'0) (b : t_A'0) (bc : Seq.seq t_Item'0) (c : t_A'0) : () + use seq.Seq + + predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) + = + [%#smap_inv2] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited + /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s + /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + self.t_MapInv__func'0 = succ.t_MapInv__func'0 + else + (Seq.get fs 0).current = self.t_MapInv__func'0 + /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 + ) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) - axiom produces_trans'1_spec : forall a : t_A'0, ab : Seq.seq t_Item'0, b : t_A'0, bc : Seq.seq t_Item'0, c : t_A'0 . ([%#siter8] produces'1 a ab b) - -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + constant self : t_MapInv'0 - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_A'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () - axiom produces_refl'0_spec : forall self : t_A'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + goal vc_produces_refl'0 : [%#smap_inv0] produces'0 self (Seq.empty : Seq.seq t_B'0) self +end +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi9026772487048432788__produces_trans [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (* ::Item, F> as std::iter::Iterator> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 + let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 + let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter14 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter15 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - function iterb'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 22 4 22 23] (self : t_Zip'0) : t_B'0 + type t_I'0 - axiom iterb'0_spec : forall self : t_Zip'0 . [%#szip6] inv'0 self -> inv'2 (iterb'0 self) + type t_F'0 + + type t_Item'0 use seq.Seq + use prelude.prelude.Snapshot + + type t_MapInv'0 = + { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } + + type t_B'0 + use seq.Seq - predicate produces'2 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_B'0) (visited : Seq.seq t_Item'1) (o : t_B'0) + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) - function produces_trans'2 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_B'0) (ab : Seq.seq t_Item'1) (b : t_B'0) (bc : Seq.seq t_Item'1) (c : t_B'0) : () + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - axiom produces_trans'2_spec : forall a : t_B'0, ab : Seq.seq t_Item'1, b : t_B'0, bc : Seq.seq t_Item'1, c : t_B'0 . ([%#siter8] produces'2 a ab b) - -> ([%#siter9] produces'2 b bc c) -> ([%#siter10] produces'2 a (Seq.(++) ab bc) c) + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_B'0) : () + axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops11] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - axiom produces_refl'1_spec : forall self : t_B'0 . [%#siter7] produces'2 self (Seq.empty : Seq.seq t_Item'1) self + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - predicate produces'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 43 4 43 64] (self : t_Zip'0) (visited : Seq.seq (t_Item'0, t_Item'1)) (o : t_Zip'0) + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () - = - [%#szip4] exists p1 : Seq.seq t_Item'0, p2 : Seq.seq t_Item'1 . Seq.length p1 = Seq.length p2 - /\ Seq.length p2 = Seq.length visited - /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) - /\ produces'1 (itera'0 self) p1 (itera'0 o) /\ produces'2 (iterb'0 self) p2 (iterb'0 o) - - use seq.Seq - - constant a : t_Zip'0 - constant ab : Seq.seq (t_Item'0, t_Item'1) - - constant b : t_Zip'0 + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops8] unnest'0 self b) + -> ([%#sops9] unnest'0 b c) -> ([%#sops10] unnest'0 self c) - constant bc : Seq.seq (t_Item'0, t_Item'1) + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - constant c : t_Zip'0 + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops7] unnest'0 self self - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 63 4 63 90] (a : t_Zip'0) (ab : Seq.seq (t_Item'0, t_Item'1)) (b : t_Zip'0) (bc : Seq.seq (t_Item'0, t_Item'1)) (c : t_Zip'0) : () + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - goal vc_produces_trans'0 : ([%#szip1] produces'0 b bc c) - -> ([%#szip0] produces'0 a ab b) -> ([%#szip2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__iter__qyi8355237225316942617__produces_refl [#"../../../creusot-contracts/src/std/iter.rs" 223 4 223 26] (* <&mut I as std::iter::Iterator> *) - let%span siter0 = "../../../creusot-contracts/src/std/iter.rs" 222 14 222 45 - let%span siter1 = "../../../creusot-contracts/src/std/iter.rs" 220 4 220 10 - let%span siter2 = "../../../creusot-contracts/src/std/iter.rs" 211 20 211 64 - let%span siter3 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops5] postcondition_mut'0 self args res_state res) + -> ([%#sops6] unnest'0 self res_state) use seq.Seq - type t_Item'0 + use seq.Seq use seq.Seq - use prelude.prelude.Borrow + use seq.Seq - type t_I'0 + use seq.Seq use seq.Seq predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - - - axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter4] produces'1 a ab b) - -> ([%#siter5] produces'1 b bc c) -> ([%#siter6] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter3] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - - predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 210 4 210 64] (self : borrowed t_I'0) (visited : Seq.seq t_Item'0) (o : borrowed t_I'0) + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - = - [%#siter2] produces'1 self.current visited o.current /\ self.final = o.final - constant self : borrowed t_I'0 + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter13] produces'1 a ab b) + -> ([%#siter14] produces'1 b bc c) -> ([%#siter15] produces'1 a (Seq.(++) ab bc) c) - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 223 4 223 26] (self : borrowed t_I'0) : () + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - goal vc_produces_refl'0 : [%#siter0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self -end -module M_creusot_contracts__stdqy35z1__iter__qyi8355237225316942617__produces_trans [#"../../../creusot-contracts/src/std/iter.rs" 230 4 230 90] (* <&mut I as std::iter::Iterator> *) - let%span siter0 = "../../../creusot-contracts/src/std/iter.rs" 227 15 227 32 - let%span siter1 = "../../../creusot-contracts/src/std/iter.rs" 228 15 228 32 - let%span siter2 = "../../../creusot-contracts/src/std/iter.rs" 229 14 229 42 - let%span siter3 = "../../../creusot-contracts/src/std/iter.rs" 225 4 225 10 - let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 211 20 211 64 - let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 - let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 - let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 - let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter12] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - use prelude.prelude.Borrow + use prelude.prelude.Snapshot - type t_I'0 + use prelude.prelude.Snapshot - type t_Item'0 + use prelude.prelude.Int use seq.Seq @@ -6441,1050 +6639,889 @@ module M_creusot_contracts__stdqy35z1__iter__qyi8355237225316942617__produces_tr use seq.Seq - predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) - + use prelude.prelude.Snapshot - function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) - -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) - - function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - - axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 210 4 210 64] (self : borrowed t_I'0) (visited : Seq.seq t_Item'0) (o : borrowed t_I'0) + predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) = - [%#siter4] produces'1 self.current visited o.current /\ self.final = o.final + [%#smap_inv4] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited + /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s + /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + self.t_MapInv__func'0 = succ.t_MapInv__func'0 + else + (Seq.get fs 0).current = self.t_MapInv__func'0 + /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 + ) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) - constant a : borrowed t_I'0 + use seq.Seq - constant ab : Seq.seq t_Item'0 + constant a : t_MapInv'0 - constant b : borrowed t_I'0 + constant ab : Seq.seq t_B'0 - constant bc : Seq.seq t_Item'0 + constant b : t_MapInv'0 - constant c : borrowed t_I'0 + constant bc : Seq.seq t_B'0 - function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 230 4 230 90] (a : borrowed t_I'0) (ab : Seq.seq t_Item'0) (b : borrowed t_I'0) (bc : Seq.seq t_Item'0) (c : borrowed t_I'0) : () + constant c : t_MapInv'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () - goal vc_produces_trans'0 : ([%#siter1] produces'0 b bc c) - -> ([%#siter0] produces'0 a ab b) -> ([%#siter2] produces'0 a (Seq.(++) ab bc) c) + goal vc_produces_trans'0 : ([%#smap_inv1] produces'0 b bc c) + -> ([%#smap_inv0] produces'0 a ab b) -> ([%#smap_inv2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_unwrap_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 103 16 105 36] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 103 43 103 44 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 103 52 103 53 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 99 26 102 17 - let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi5691635635396426195__resolve_coherence [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 64 4 64 31] (* as resolve::Resolve> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 62 15 62 39 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 63 14 63 31 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 60 4 60 23 + let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 57 8 57 50 - type t_T'0 + use prelude.prelude.Borrow - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + type t_I'0 type t_F'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + type t_B'0 - use prelude.prelude.Borrow + use seq.Seq - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use prelude.prelude.Snapshot - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] - + type t_MapInv'0 = + { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_B'0) } - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : Snapshot.snap_ty (Seq.seq t_B'0)) + = + true - axiom inv_axiom'1 [@rewrite] : forall x : () [inv'3 x] . inv'3 x = true + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_I'0) - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_MapInv'0) = + match _1 with + | {t_MapInv__iter'0 = x0 ; t_MapInv__func'0 = x1 ; t_MapInv__produced'0 = x2} -> resolve'1 x2 + /\ resolve'2 x1 /\ resolve'3 x0 + end - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_T'0) - + predicate resolve'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 56 4 56 28] (self : t_MapInv'0) = + [%#smap_inv3] resolve'3 self.t_MapInv__iter'0 /\ resolve'2 self.t_MapInv__func'0 - let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_T'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops4] precondition'0 self args} - any - [ return' (result:t_T'0)-> {inv'2 result} {[%#sops4] postcondition_once'0 self args result} (! return' {result}) ] + constant self : t_MapInv'0 + + function resolve_coherence'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 64 4 64 31] (self : t_MapInv'0) : () - use prelude.prelude.Intrinsic + goal vc_resolve_coherence'0 : ([%#smap_inv0] structural_resolve'0 self) -> ([%#smap_inv1] resolve'0 self) +end +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4413682431414748756__next [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 90 4 90 44] (* ::Item, F> as std::iter::Iterator> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 91 39 91 58 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 94 16 94 76 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 95 31 95 71 + let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 99 38 99 88 + let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 100 32 100 63 + let%span smap_inv5 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 105 32 105 56 + let%span smap_inv6 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 90 17 90 21 + let%span smap_inv7 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 90 26 90 44 + let%span smap_inv8 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 86 14 89 5 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 103 26 106 17 + let%span sops10 = "../../../creusot-contracts/src/std/ops.rs" 162 27 162 52 + let%span sops11 = "../../../creusot-contracts/src/std/ops.rs" 163 26 163 71 + let%span smap_inv12 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 163 15 163 31 + let%span smap_inv13 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 164 4 164 60 + let%span smap_inv14 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 165 15 165 30 + let%span smap_inv15 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 166 15 166 64 + let%span smap_inv16 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 167 14 167 74 + let%span smap_inv17 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 168 14 168 75 + let%span smap_inv18 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 179 14 179 68 + let%span smap_inv19 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 182 12 187 74 + let%span smap_inv20 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 15 8 18 9 + let%span smap_inv21 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 74 12 76 73 + let%span smap_inv22 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 124 14 124 81 + let%span smap_inv23 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 127 12 132 88 + let%span smap_inv24 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 117 12 119 63 + let%span smap_inv25 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 + let%span sresolve26 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span smap_inv27 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 + let%span smap_inv28 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 + let%span smap_inv29 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 + let%span smap_inv30 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 + let%span smap_inv31 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 + let%span smap_inv32 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 + let%span siter33 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter34 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter35 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter36 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + let%span sops37 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops38 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops39 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops40 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops41 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops42 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops43 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span smap_inv44 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 153 12 156 47 + let%span smap_inv45 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 140 12 145 71 + let%span sinvariant46 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use prelude.prelude.Borrow - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'2 a_0 - end + use prelude.prelude.Snapshot - meta "compute_max_steps" 1000000 + type t_I'0 - let rec extern_spec_std_option_T_Option_T_unwrap_or_else_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_T'0))= {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body requires] [%#soption0] self_ = C_None'0 - -> precondition'0 f ()} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 f} s1 - | s1 = -{resolve'0 f}- s2 - | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) - | s3 = [ &_0 <- t ] s4 - | s4 = bb8 ] - - | bb8 = bb9 - | bb4 = bb6 - | bb6 = s0 [ s0 = call_once'0 {f} {_7} (fun (_ret':t_T'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] - | bb7 = bb9 - | bb9 = bb10 - | bb10 = bb11 - | bb11 = return' {_0} ] - ) - [ & _0 : t_T'0 = any_l () - | & self_ : t_Option'0 = self_ - | & f : t_F'0 = f - | & _7 : () = any_l () - | & t : t_T'0 = any_l () ] - - [ return' (result:t_T'0)-> {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body result type invariant] [%#soption2] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body ensures] [%#soption3] match self_ with - | C_None'0 -> postcondition_once'0 f () result - | C_Some'0 t -> result = t - end} - (! return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_body [#"../../../creusot-contracts/src/std/option.rs" 131 16 133 37] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 131 35 131 36 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 123 27 126 17 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 131 44 131 53 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 127 26 130 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - - type t_T'0 - - type t_Option'1 = - | C_None'0 - | C_Some'0 t_T'0 - - let rec v_Some'0 (input:t_Option'1) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'1] . C_Some'0 field_0 <> input} (! {false} any) ] - + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) type t_F'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_Item'0 - axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = (let (x0) = x in inv'5 x0) + use seq.Seq - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + use prelude.prelude.Snapshot - type t_U'0 + type t_MapInv'0 = + { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + predicate invariant'2 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_I'0) = + [%#sinvariant46] inv'0 self.current /\ inv'0 self.final - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) - + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_I'0) - let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any - [ return' (result:t_U'0)-> {inv'4 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] - + axiom inv_axiom'2 [@rewrite] : forall x : borrowed t_I'0 [inv'4 x] . inv'4 x = invariant'2 x type t_Option'0 = - | C_None'1 - | C_Some'1 t_U'0 - - use prelude.prelude.Borrow - - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + | C_None'0 + | C_Some'0 t_Item'0 - use prelude.prelude.Intrinsic + predicate inv'9 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Item'0) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'1 [inv'1 x] . inv'1 x + axiom inv_axiom'3 [@rewrite] : forall x : t_Option'0 [inv'5 x] . inv'5 x = match x with | C_None'0 -> true - | C_Some'0 a_0 -> inv'5 a_0 + | C_Some'0 a_0 -> inv'9 a_0 end - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use seq.Seq - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x - = match x with - | C_None'1 -> true - | C_Some'1 a_0 -> inv'4 a_0 - end + use seq.Seq - meta "compute_max_steps" 1000000 + predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - let rec extern_spec_std_option_T_Option_T_map_body'0 (self_:t_Option'1) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_map_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_map_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_map_body requires] [%#soption2] match self_ with - | C_None'0 -> true - | C_Some'0 t -> precondition'0 f (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) - | s1 = [ &_9 <- (t) ] s2 - | s2 = call_once'0 {f} {_9} (fun (_ret':t_U'0) -> [ &_7 <- _ret' ] s3) - | s3 = bb7 ] - - | bb7 = bb8 - | bb8 = s0 [ s0 = [ &_0 <- C_Some'1 _7 ] s1 | s1 = bb9 ] - | bb9 = bb10 - | bb10 = bb11 - | bb4 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb6 ] - | bb6 = s0 [ s0 = [ &_0 <- C_None'1 ] s1 | s1 = bb11 ] - | bb11 = bb12 - | bb12 = bb13 - | bb13 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : t_Option'1 = self_ - | & f : t_F'0 = f - | & t : t_T'0 = any_l () - | & _7 : t_U'0 = any_l () - | & _9 : t_T'0 = any_l () ] + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_body result type invariant] [%#soption3] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_map_body ensures] [%#soption4] match self_ with - | C_None'0 -> result = C_None'1 - | C_Some'0 t -> exists r : t_U'0 . result = C_Some'1 r /\ postcondition_once'0 f (t) r + + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter34] produces'0 a ab b) + -> ([%#siter35] produces'0 b bc c) -> ([%#siter36] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter33] produces'0 self (Seq.empty : Seq.seq t_Item'0) self + + predicate completed'1 [#"../../../creusot-contracts/src/std/iter.rs" 35 4 35 36] (self : borrowed t_I'0) + + use seq.Seq + + let rec next'1 (self:borrowed t_I'0) (return' (ret:t_Option'0))= {[@expl:next 'self' type invariant] inv'4 self} + any + [ return' (result:t_Option'0)-> {inv'5 result} + {[%#siter9] match result with + | C_None'0 -> completed'1 self + | C_Some'0 v -> produces'0 self.current (Seq.singleton v) self.final end} (! return' {result}) ] -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_inspect_body [#"../../../creusot-contracts/src/std/option.rs" 149 16 151 33] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 149 36 149 37 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 140 27 143 17 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 149 45 149 54 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 145 26 148 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - let%span sinvariant6 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - - type t_T'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_Item'0))= any + [ good (field_0:t_Item'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_Item'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - type t_F'0 + use prelude.prelude.Snapshot - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use seq.Seq - use prelude.prelude.Borrow + use prelude.prelude.Snapshot - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = - [%#sinvariant6] inv'4 self + predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_F'0) = + [%#sinvariant46] inv'1 self.current /\ inv'1 self.final - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_F'0) - axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'0 x + axiom inv_axiom'4 [@rewrite] : forall x : borrowed t_F'0 [inv'6 x] . inv'6 x = invariant'3 x - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + predicate inv'7 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = (let (x0) = x in inv'5 x0) + axiom inv_axiom'5 [@rewrite] : forall x : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)) [inv'7 x] . inv'7 x + = (let (x0, x1) = x in inv'9 x0) - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + type t_B'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + predicate inv'8 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) - axiom inv_axiom'2 [@rewrite] : forall x : () [inv'3 x] . inv'3 x = true + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) + - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : ()) + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:()))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'2 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any [ return' (result:())-> {inv'3 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops43] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'2 res_state) - use prelude.prelude.Intrinsic + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'4 a_0 - end + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops40] unnest'0 self b) + -> ([%#sops41] unnest'0 b c) -> ([%#sops42] unnest'0 self c) - meta "compute_max_steps" 1000000 + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - let rec extern_spec_std_option_T_Option_T_inspect_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_inspect_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_inspect_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_inspect_body requires] [%#soption2] match self_ with - | C_None'0 -> true - | C_Some'0 t -> precondition'0 f (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = bb3 - | bb3 = any [ br0 -> {self_ = C_None'0 } (! bb5) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb6) ] - | bb6 = s0 - [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) - | s1 = [ &_12 <- t ] s2 - | s2 = [ &_10 <- (_12) ] s3 - | s3 = call_once'0 {f} {_10} (fun (_ret':()) -> [ &_8 <- _ret' ] s4) - | s4 = bb8 ] - - | bb8 = s0 [ s0 = [ &_0 <- C_Some'0 t ] s1 | s1 = bb9 ] - | bb9 = bb10 - | bb10 = bb11 - | bb5 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb7 ] - | bb7 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb11 ] - | bb11 = bb12 - | bb12 = bb13 - | bb13 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : t_Option'0 = self_ - | & f : t_F'0 = f - | & t : t_T'0 = any_l () - | & _8 : () = any_l () - | & _10 : t_T'0 = any_l () - | & _12 : t_T'0 = any_l () ] + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops39] unnest'0 self self + + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_inspect_body result type invariant] [%#soption3] inv'1 result} - {[@expl:extern_spec_std_option_T_Option_T_inspect_body ensures #0] [%#soption0] result = self_} - {[@expl:extern_spec_std_option_T_Option_T_inspect_body ensures #1] [%#soption4] match self_ with - | C_None'0 -> true - | C_Some'0 t -> postcondition_once'0 f (t) () - end} + + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops37] postcondition_mut'0 self args res_state res) + -> ([%#sops38] unnest'0 self res_state) + + let rec call_mut'0 (self:borrowed t_F'0) (args:(t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (return' (ret:t_B'0))= {[@expl:call_mut 'self' type invariant] inv'6 self} + {[@expl:call_mut 'args' type invariant] inv'7 args} + {[@expl:call_mut requires] [%#sops10] precondition'0 self.current args} + any + [ return' (result:t_B'0)-> {inv'8 result} + {[%#sops11] postcondition_mut'0 self.current args self.final result} (! return' {result}) ] -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_or_body [#"../../../creusot-contracts/src/std/option.rs" 166 16 168 37] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 166 38 166 45 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 166 50 166 51 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 158 27 161 17 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 166 59 166 60 - let%span soption5 = "../../../creusot-contracts/src/std/option.rs" 162 26 165 17 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - type t_T'0 + predicate next_precondition'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 115 4 115 78] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) + + = + [%#smap_inv24] forall e : t_Item'0, i : t_I'0 . produces'0 iter (Seq.singleton e) i + -> precondition'0 func (e, Snapshot.new produced) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + predicate preservation'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 138 4 138 49] (iter : t_I'0) (func : t_F'0) + + = + [%#smap_inv45] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current + -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition'0 f.current (e1, Snapshot.new s) + -> postcondition_mut'0 f.current (e1, Snapshot.new s) f.final b + -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc s e1)) - type t_U'0 + predicate reinitialize'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 151 4 151 33] (_1 : ()) = + [%#smap_inv44] forall iter : borrowed t_I'0, func : t_F'0 . completed'1 iter + -> next_precondition'0 iter.final func (Seq.empty : Seq.seq t_Item'0) /\ preservation'0 iter.final func - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + predicate preservation_inv'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) + + = + [%#smap_inv23] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current + -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) f.final b + -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) - use prelude.prelude.Borrow + axiom preservation_inv'0_spec : forall iter : t_I'0, func : t_F'0, produced : Seq.seq t_Item'0 . [%#smap_inv22] produced + = (Seq.empty : Seq.seq t_Item'0) -> preservation_inv'0 iter func produced = preservation'0 iter func - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_U'0) + predicate invariant'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 72 4 72 30] (self : t_MapInv'0) = + [%#smap_inv21] reinitialize'0 () + /\ preservation_inv'0 self.t_MapInv__iter'0 self.t_MapInv__func'0 (Snapshot.inner self.t_MapInv__produced'0) + /\ next_precondition'0 self.t_MapInv__iter'0 self.t_MapInv__func'0 (Snapshot.inner self.t_MapInv__produced'0) - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + function produces_one_invariant'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 169 4 169 73] (self : t_MapInv'0) (e : t_Item'0) (r : t_B'0) (f : borrowed t_F'0) (iter : t_I'0) : () - type t_F'0 - - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) - - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + axiom produces_one_invariant'0_spec : forall self : t_MapInv'0, e : t_Item'0, r : t_B'0, f : borrowed t_F'0, iter : t_I'0 . ([%#smap_inv12] invariant'0 self) + -> ([%#smap_inv13] produces'0 self.t_MapInv__iter'0 (Seq.singleton e) iter) + -> ([%#smap_inv14] f.current = self.t_MapInv__func'0) + -> ([%#smap_inv15] postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final r) + -> ([%#smap_inv16] preservation_inv'0 iter f.final (Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e)) + && ([%#smap_inv17] next_precondition'0 iter f.final (Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e)) - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use prelude.prelude.Snapshot - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = (let (x0) = x in inv'4 x0) + use prelude.prelude.Snapshot - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + use seq.Seq - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) - + use seq.Seq - let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'1 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops6] precondition'0 self args} - any - [ return' (result:t_U'0)-> {inv'0 result} {[%#sops6] postcondition_once'0 self args result} (! return' {result}) ] - + use seq.Seq - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use seq.Seq - use prelude.prelude.Intrinsic + use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use seq.Seq - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'4 a_0 - end + use seq.Seq - meta "compute_max_steps" 1000000 + use seq.Seq - let rec extern_spec_std_option_T_Option_T_map_or_body'0 (self_:t_Option'0) (default:t_U'0) (f:t_F'0) (return' (ret:t_U'0))= {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'self_' type invariant] [%#soption0] inv'2 self_} - {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'default' type invariant] [%#soption1] inv'0 default} - {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'f' type invariant] [%#soption2] inv'1 f} - {[@expl:extern_spec_std_option_T_Option_T_map_or_body requires] [%#soption3] match self_ with - | C_None'0 -> true - | C_Some'0 t -> precondition'0 f (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 default} s1 - | s1 = -{resolve'0 default}- s2 - | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) - | s3 = [ &_9 <- (t) ] s4 - | s4 = call_once'0 {f} {_9} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s5) - | s5 = bb7 ] - - | bb7 = bb8 - | bb8 = bb9 - | bb9 = bb10 - | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 f} s1 | s1 = -{resolve'1 f}- s2 | s2 = bb6 ] - | bb6 = s0 [ s0 = [ &_0 <- default ] s1 | s1 = bb10 ] - | bb10 = bb11 - | bb11 = bb12 - | bb12 = bb13 - | bb13 = return' {_0} ] - ) - [ & _0 : t_U'0 = any_l () - | & self_ : t_Option'0 = self_ - | & default : t_U'0 = default - | & f : t_F'0 = f - | & t : t_T'0 = any_l () - | & _9 : t_T'0 = any_l () ] - - [ return' (result:t_U'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_or_body result type invariant] [%#soption4] inv'0 result} - {[@expl:extern_spec_std_option_T_Option_T_map_or_body ensures] [%#soption5] match self_ with - | C_None'0 -> result = default - | C_Some'0 t -> postcondition_once'0 f (t) result - end} - (! return' {result}) ] - -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 183 16 186 37] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 183 46 183 53 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 183 58 183 59 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 175 27 178 17 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 183 67 183 68 - let%span soption5 = "../../../creusot-contracts/src/std/option.rs" 179 26 182 17 - let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + use prelude.prelude.Snapshot - type t_T'0 + use prelude.prelude.Int - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use seq.Seq - type t_D'0 + use seq.Seq - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_D'0) + use seq.Seq - use prelude.prelude.Borrow + use seq.Seq - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_D'0) + predicate produces'1 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) + + = + [%#smap_inv25] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited + /\ produces'0 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s + /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + self.t_MapInv__func'0 = succ.t_MapInv__func'0 + else + (Seq.get fs 0).current = self.t_MapInv__func'0 + /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 + ) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () + = + [%#smap_inv32] () - type t_F'0 + axiom produces_trans'0_spec : forall a : t_MapInv'0, ab : Seq.seq t_B'0, b : t_MapInv'0, bc : Seq.seq t_B'0, c : t_MapInv'0 . ([%#smap_inv29] produces'1 a ab b) + -> ([%#smap_inv30] produces'1 b bc c) -> ([%#smap_inv31] produces'1 a (Seq.(++) ab bc) c) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () = + [%#smap_inv28] () - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + axiom produces_refl'0_spec : forall self : t_MapInv'0 . [%#smap_inv27] produces'1 self (Seq.empty : Seq.seq t_B'0) self - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + predicate produces_one'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (self : t_MapInv'0) (visited : t_B'0) (succ : t_MapInv'0) + + = + [%#smap_inv19] exists f : borrowed t_F'0, e : t_Item'0 . f.current = self.t_MapInv__func'0 + /\ f.final = succ.t_MapInv__func'0 + /\ produces'0 self.t_MapInv__iter'0 (Seq.singleton e) succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e + /\ precondition'0 f.current (e, self.t_MapInv__produced'0) + /\ postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final visited - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = (let (x0) = x in inv'6 x0) + axiom produces_one'0_spec : forall self : t_MapInv'0, visited : t_B'0, succ : t_MapInv'0 . [%#smap_inv18] produces_one'0 self visited succ + = produces'1 self (Seq.singleton visited) succ - predicate precondition'1 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + predicate inv'10 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_MapInv'0) - type t_U'0 + axiom inv_axiom'6 [@rewrite] : forall x : t_MapInv'0 [inv'10 x] . inv'10 x + = (invariant'0 x + /\ match x with + | {t_MapInv__iter'0 = iter ; t_MapInv__func'0 = func ; t_MapInv__produced'0 = produced} -> inv'0 iter /\ inv'1 func + end) - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_MapInv'0)) = + [%#sinvariant46] inv'10 self.current /\ inv'10 self.final - predicate postcondition_once'1 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) - + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_MapInv'0)) - let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'1 self} - {[@expl:call_once 'args' type invariant] inv'4 args} - {[@expl:call_once requires] [%#sops6] precondition'1 self args} - any - [ return' (result:t_U'0)-> {inv'3 result} {[%#sops6] postcondition_once'1 self args result} (! return' {result}) ] - + axiom inv_axiom'0 [@rewrite] : forall x : borrowed (t_MapInv'0) [inv'2 x] . inv'2 x = invariant'1 x - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_MapInv'0)) = + [%#sresolve26] self.final = self.current - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_MapInv'0)) = + resolve'1 _1 - axiom inv_axiom'2 [@rewrite] : forall x : () [inv'5 x] . inv'5 x = true - - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_D'0) (args : ()) + type t_Option'1 = + | C_None'1 + | C_Some'1 t_B'0 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_D'0) (args : ()) (result : t_U'0) - + use prelude.prelude.Intrinsic - let rec call_once'1 (self:t_D'0) (args:()) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'5 args} - {[@expl:call_once requires] [%#sops6] precondition'0 self args} - any - [ return' (result:t_U'0)-> {inv'3 result} {[%#sops6] postcondition_once'0 self args result} (! return' {result}) ] - + use prelude.prelude.Snapshot - use prelude.prelude.Intrinsic + use prelude.prelude.Snapshot - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'1 [inv'3 x] . inv'3 x = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'6 a_0 + | C_None'1 -> true + | C_Some'1 a_0 -> inv'8 a_0 end + predicate completed'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 14 4 14 35] (self : borrowed (t_MapInv'0)) + + = + [%#smap_inv20] Snapshot.inner (self.final).t_MapInv__produced'0 = (Seq.empty : Seq.seq t_Item'0) + /\ completed'1 (Borrow.borrow_logic (self.current).t_MapInv__iter'0 (self.final).t_MapInv__iter'0 (Borrow.inherit_id (Borrow.get_id self) 1)) + /\ (self.current).t_MapInv__func'0 = (self.final).t_MapInv__func'0 + meta "compute_max_steps" 1000000 - let rec extern_spec_std_option_T_Option_T_map_or_else_body'0 (self_:t_Option'0) (default:t_D'0) (f:t_F'0) (return' (ret:t_U'0))= {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'self_' type invariant] [%#soption0] inv'2 self_} - {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'default' type invariant] [%#soption1] inv'0 default} - {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'f' type invariant] [%#soption2] inv'1 f} - {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body requires] [%#soption3] match self_ with - | C_None'0 -> precondition'0 default () - | C_Some'0 t -> precondition'1 f (t) - end} + let rec next'0 (self:borrowed (t_MapInv'0)) (return' (ret:t_Option'1))= {[@expl:next 'self' type invariant] [%#smap_inv6] inv'2 self} (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 default} s1 - | s1 = -{resolve'0 default}- s2 - | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) - | s3 = [ &_11 <- (t) ] s4 - | s4 = call_once'0 {f} {_11} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s5) - | s5 = bb8 ] + [ bb0 = s0 [ s0 = [ &old_self <- [%#smap_inv0] Snapshot.new self.current ] s1 | s1 = bb1 ] + | bb1 = s0 + [ s0 = {inv'0 (self.current).t_MapInv__iter'0} + Borrow.borrow_final {(self.current).t_MapInv__iter'0} {Borrow.inherit_id (Borrow.get_id self) 1} + (fun (_ret':borrowed t_I'0) -> + [ &_6 <- _ret' ] + -{inv'0 _ret'.final}- + [ &self <- { self with current = { self.current with t_MapInv__iter'0 = _ret'.final } } ] + s1) + | s1 = next'1 {_6} (fun (_ret':t_Option'0) -> [ &_5 <- _ret' ] s2) + | s2 = bb2 ] + + | bb2 = any [ br0 -> {_5 = C_None'0 } (! bb5) | br1 (x0:t_Item'0)-> {_5 = C_Some'0 x0} (! bb4) ] + | bb4 = bb6 + | bb6 = s0 + [ s0 = v_Some'0 {_5} (fun (r0'0:t_Item'0) -> [ &v <- r0'0 ] s1) + | s1 = {[@expl:assertion] [%#smap_inv1] precondition'0 (self.current).t_MapInv__func'0 (v, (self.current).t_MapInv__produced'0)} + s2 + | s2 = bb7 ] + + | bb7 = s0 + [ s0 = + [ &produced <- [%#smap_inv2] Snapshot.new (Seq.snoc (Snapshot.inner (self.current).t_MapInv__produced'0) v) ] + + s1 + | s1 = bb8 ] + + | bb8 = s0 + [ s0 = {inv'1 (self.current).t_MapInv__func'0} + Borrow.borrow_final {(self.current).t_MapInv__func'0} {Borrow.inherit_id (Borrow.get_id self) 2} + (fun (_ret':borrowed t_F'0) -> + [ &_14 <- _ret' ] + -{inv'1 _ret'.final}- + [ &self <- { self with current = { self.current with t_MapInv__func'0 = _ret'.final } } ] + s1) + | s1 = [ &_15 <- (v, (self.current).t_MapInv__produced'0) ] s2 + | s2 = call_mut'0 {_14} {_15} (fun (_ret':t_B'0) -> [ &r <- _ret' ] s3) + | s3 = bb9 ] - | bb8 = bb9 | bb9 = bb10 - | bb10 = bb11 - | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 f} s1 | s1 = -{resolve'1 f}- s2 | s2 = bb6 ] - | bb6 = s0 [ s0 = call_once'1 {default} {_8} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] - | bb7 = bb11 - | bb11 = bb12 - | bb12 = bb13 + | bb10 = s0 + [ s0 = [ &self <- { self with current = { self.current with t_MapInv__produced'0 = produced } } ] s1 + | s1 = [ &_19 <- [%#smap_inv3] Snapshot.new (let _ = () in ()) ] s2 + | s2 = bb11 ] + + | bb11 = s0 + [ s0 = {[@expl:assertion] [%#smap_inv4] produces_one'0 (Snapshot.inner old_self) r self.current} s1 | s1 = bb12 ] + + | bb12 = s0 + [ s0 = {[@expl:type invariant] inv'2 self} s1 + | s1 = -{resolve'0 self}- s2 + | s2 = [ &_0 <- C_Some'1 r ] s3 + | s3 = bb13 ] + | bb13 = bb14 - | bb14 = return' {_0} ] + | bb14 = bb15 + | bb15 = bb17 + | bb5 = s0 [ s0 = [ &_24 <- [%#smap_inv5] Snapshot.new (Seq.empty : Seq.seq t_Item'0) ] s1 | s1 = bb16 ] + | bb16 = s0 + [ s0 = [ &self <- { self with current = { self.current with t_MapInv__produced'0 = _24 } } ] s1 + | s1 = {[@expl:type invariant] inv'2 self} s2 + | s2 = -{resolve'0 self}- s3 + | s3 = [ &_0 <- C_None'1 ] s4 + | s4 = bb17 ] + + | bb17 = bb18 + | bb18 = return' {_0} ] ) - [ & _0 : t_U'0 = any_l () - | & self_ : t_Option'0 = self_ - | & default : t_D'0 = default - | & f : t_F'0 = f - | & _8 : () = any_l () - | & t : t_T'0 = any_l () - | & _11 : t_T'0 = any_l () ] + [ & _0 : t_Option'1 = any_l () + | & self : borrowed (t_MapInv'0) = self + | & old_self : Snapshot.snap_ty (t_MapInv'0) = any_l () + | & _5 : t_Option'0 = any_l () + | & _6 : borrowed t_I'0 = any_l () + | & v : t_Item'0 = any_l () + | & produced : Snapshot.snap_ty (Seq.seq t_Item'0) = any_l () + | & r : t_B'0 = any_l () + | & _14 : borrowed t_F'0 = any_l () + | & _15 : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)) = any_l () + | & _19 : Snapshot.snap_ty () = any_l () + | & _24 : Snapshot.snap_ty (Seq.seq t_Item'0) = any_l () ] - [ return' (result:t_U'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body result type invariant] [%#soption4] inv'3 result} - {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body ensures] [%#soption5] match self_ with - | C_None'0 -> postcondition_once'0 default () result - | C_Some'0 t -> postcondition_once'1 f (t) result + [ return' (result:t_Option'1)-> {[@expl:next result type invariant] [%#smap_inv7] inv'3 result} + {[@expl:next ensures] [%#smap_inv8] match result with + | C_None'1 -> completed'0 self + | C_Some'1 v -> produces_one'0 self.current v self.final end} (! return' {result}) ] end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_ok_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 204 16 206 36] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 204 42 204 45 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 204 53 204 65 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 200 26 203 17 - let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__preservation_inv [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (* std::iter::map_inv::MapInv::Item, F> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 124 14 124 81 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 127 12 132 88 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 140 12 145 71 + let%span sops3 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops8 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops9 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter13 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 - type t_T'0 + use seq.Seq - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + type t_Item'0 - type t_F'0 + use seq.Seq - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + type t_I'0 + + type t_F'0 use prelude.prelude.Borrow + type t_B'0 + + use prelude.prelude.Snapshot + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) - type t_E'0 + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + - type t_Result'0 = - | C_Ok'0 t_T'0 - | C_Err'0 t_E'0 + axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops9] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - axiom inv_axiom'2 [@rewrite] : forall x : () [inv'3 x] . inv'3 x = true + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () + - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops6] unnest'0 self b) + -> ([%#sops7] unnest'0 b c) -> ([%#sops8] unnest'0 self c) - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_E'0) + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_E'0) - + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops5] unnest'0 self self - let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_E'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops4] precondition'0 self args} - any - [ return' (result:t_E'0)-> {inv'4 result} {[%#sops4] postcondition_once'0 self args result} (! return' {result}) ] + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - use prelude.prelude.Intrinsic + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops3] postcondition_mut'0 self args res_state res) + -> ([%#sops4] unnest'0 self res_state) - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use seq.Seq - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'5 a_0 - end + predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Result'0) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - axiom inv_axiom'1 [@rewrite] : forall x : t_Result'0 [inv'2 x] . inv'2 x - = match x with - | C_Ok'0 a_0 -> inv'5 a_0 - | C_Err'0 a_0 -> inv'4 a_0 - end + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter11] produces'0 a ab b) + -> ([%#siter12] produces'0 b bc c) -> ([%#siter13] produces'0 a (Seq.(++) ab bc) c) - meta "compute_max_steps" 1000000 + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - let rec extern_spec_std_option_T_Option_T_ok_or_else_body'0 (self_:t_Option'0) (err:t_F'0) (return' (ret:t_Result'0))= {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body 'err' type invariant] [%#soption1] inv'0 err} - {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body requires] [%#soption0] self_ = C_None'0 - -> precondition'0 err ()} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 err} s1 - | s1 = -{resolve'0 err}- s2 - | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) - | s3 = [ &_0 <- C_Ok'0 t ] s4 - | s4 = bb9 ] - - | bb9 = bb10 - | bb10 = bb11 - | bb4 = bb6 - | bb6 = s0 [ s0 = call_once'0 {err} {_8} (fun (_ret':t_E'0) -> [ &_6 <- _ret' ] s1) | s1 = bb7 ] - | bb7 = s0 [ s0 = [ &_0 <- C_Err'0 _6 ] s1 | s1 = bb8 ] - | bb8 = bb11 - | bb11 = bb12 - | bb12 = bb13 - | bb13 = return' {_0} ] - ) - [ & _0 : t_Result'0 = any_l () - | & self_ : t_Option'0 = self_ - | & err : t_F'0 = err - | & _6 : t_E'0 = any_l () - | & _8 : () = any_l () - | & t : t_T'0 = any_l () ] + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter10] produces'0 self (Seq.empty : Seq.seq t_Item'0) self + + use prelude.prelude.Snapshot + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) - [ return' (result:t_Result'0)-> {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body result type invariant] [%#soption2] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body ensures] [%#soption3] match self_ with - | C_None'0 -> exists r : t_E'0 . result = C_Err'0 r /\ postcondition_once'0 err () r - | C_Some'0 t -> result = C_Ok'0 t - end} - (! return' {result}) ] + + predicate preservation'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 138 4 138 49] (iter : t_I'0) (func : t_F'0) -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_and_then_body [#"../../../creusot-contracts/src/std/option.rs" 234 16 236 45] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 234 40 234 41 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 226 27 229 17 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 234 49 234 58 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 230 26 233 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + = + [%#smap_inv2] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current + -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition'0 f.current (e1, Snapshot.new s) + -> postcondition_mut'0 f.current (e1, Snapshot.new s) f.final b + -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc s e1)) - type t_T'0 + constant iter : t_I'0 - type t_Option'1 = - | C_None'0 - | C_Some'0 t_T'0 + constant func : t_F'0 - let rec v_Some'0 (input:t_Option'1) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'1] . C_Some'0 field_0 <> input} (! {false} any) ] + constant produced : Seq.seq t_Item'0 + + predicate preservation_inv'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 125 4 125 73] (iter : t_I'0) (func : t_F'0) (produced : Seq.seq t_Item'0) - type t_F'0 + goal vc_preservation_inv'0 : [%#smap_inv0] produced = (Seq.empty : Seq.seq t_Item'0) + -> ([%#smap_inv1] forall s : Seq.seq t_Item'0, e1 : t_Item'0, e2 : t_Item'0, f : borrowed t_F'0, b : t_B'0, i : t_I'0 . unnest'0 func f.current + -> produces'0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut'0 f.current (e1, Snapshot.new (Seq.(++) produced s)) f.final b + -> precondition'0 f.final (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1))) + = preservation'0 iter func +end +module M_creusot_contracts__stdqy35z1__iter__map_inv__qyi4899712594723907874__produces_one [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (* std::iter::map_inv::MapInv::Item, F> *) + let%span smap_inv0 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 179 14 179 68 + let%span smap_inv1 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 182 12 187 74 + let%span smap_inv2 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9 + let%span smap_inv3 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45 + let%span smap_inv4 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 21 4 21 10 + let%span smap_inv5 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32 + let%span smap_inv6 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32 + let%span smap_inv7 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42 + let%span smap_inv8 = "../../../creusot-contracts/src/std/iter/map_inv.rs" 26 4 26 10 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter11 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter12 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + let%span sops13 = "../../../creusot-contracts/src/std/ops.rs" 109 15 109 59 + let%span sops14 = "../../../creusot-contracts/src/std/ops.rs" 110 14 110 36 + let%span sops15 = "../../../creusot-contracts/src/std/ops.rs" 115 14 115 31 + let%span sops16 = "../../../creusot-contracts/src/std/ops.rs" 120 15 120 29 + let%span sops17 = "../../../creusot-contracts/src/std/ops.rs" 121 15 121 26 + let%span sops18 = "../../../creusot-contracts/src/std/ops.rs" 122 14 122 28 + let%span sops19 = "../../../creusot-contracts/src/std/ops.rs" 127 14 128 105 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use seq.Seq - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_I'0 - axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = (let (x0) = x in inv'4 x0) + type t_F'0 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + type t_Item'0 - type t_U'0 + use seq.Seq - type t_Option'0 = - | C_None'1 - | C_Some'1 t_U'0 + use prelude.prelude.Snapshot - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + type t_MapInv'0 = + { t_MapInv__iter'0: t_I'0; t_MapInv__func'0: t_F'0; t_MapInv__produced'0: Snapshot.snap_ty (Seq.seq t_Item'0) } - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + type t_B'0 - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x - = match x with - | C_None'1 -> true - | C_Some'1 a_0 -> inv'5 a_0 - end + use seq.Seq - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_Option'0) - + use seq.Seq - let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_Option'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any - [ return' (result:t_Option'0)-> {inv'2 result} - {[%#sops5] postcondition_once'0 self args result} - (! return' {result}) ] + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result : t_B'0) use prelude.prelude.Borrow predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) - use prelude.prelude.Intrinsic + predicate postcondition_mut'0 [#"../../../creusot-contracts/src/std/ops.rs" 95 4 95 92] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (result_state : t_F'0) (result : t_B'0) + - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + function fn_mut_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 129 4 129 55] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res : t_B'0) : () + - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'1 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'4 a_0 - end + axiom fn_mut_once'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res : t_B'0 . [%#sops19] postcondition_once'0 self args res + = (exists res_state : t_F'0 . postcondition_mut'0 self args res_state res /\ resolve'0 res_state) - meta "compute_max_steps" 1000000 + predicate unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 103 4 103 36] (self : t_F'0) (_2 : t_F'0) - let rec extern_spec_std_option_T_Option_T_and_then_body'0 (self_:t_Option'1) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_and_then_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_and_then_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_and_then_body requires] [%#soption2] match self_ with - | C_None'0 -> true - | C_Some'0 t -> precondition'0 f (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) - | s1 = [ &_8 <- (t) ] s2 - | s2 = call_once'0 {f} {_8} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s3) - | s3 = bb7 ] - - | bb7 = bb8 - | bb8 = bb9 - | bb9 = bb10 - | bb4 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb6 ] - | bb6 = s0 [ s0 = [ &_0 <- C_None'1 ] s1 | s1 = bb10 ] - | bb10 = bb11 - | bb11 = bb12 - | bb12 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : t_Option'1 = self_ - | & f : t_F'0 = f - | & t : t_T'0 = any_l () - | & _8 : t_T'0 = any_l () ] - - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_and_then_body result type invariant] [%#soption3] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_and_then_body ensures] [%#soption4] match self_ with - | C_None'0 -> result = C_None'1 - | C_Some'0 t -> postcondition_once'0 f (t) result - end} - (! return' {result}) ] + function unnest_trans'0 [#"../../../creusot-contracts/src/std/ops.rs" 123 4 123 43] (self : t_F'0) (b : t_F'0) (c : t_F'0) : () -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_filter_body [#"../../../creusot-contracts/src/std/option.rs" 254 16 256 41] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 254 35 254 44 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 243 27 246 17 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 254 52 254 61 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 247 26 253 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - let%span sinvariant6 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - type t_T'0 + axiom unnest_trans'0_spec : forall self : t_F'0, b : t_F'0, c : t_F'0 . ([%#sops16] unnest'0 self b) + -> ([%#sops17] unnest'0 b c) -> ([%#sops18] unnest'0 self c) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + function unnest_refl'0 [#"../../../creusot-contracts/src/std/ops.rs" 116 4 116 24] (self : t_F'0) : () - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + axiom unnest_refl'0_spec : forall self : t_F'0 . [%#sops15] unnest'0 self self + + function postcondition_mut_unnest'0 [#"../../../creusot-contracts/src/std/ops.rs" 111 4 111 85] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) (res_state : t_F'0) (res : t_B'0) : () - type t_P'0 + axiom postcondition_mut_unnest'0_spec : forall self : t_F'0, args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0)), res_state : t_F'0, res : t_B'0 . ([%#sops13] postcondition_mut'0 self args res_state res) + -> ([%#sops14] unnest'0 self res_state) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_P'0) + use seq.Seq - use prelude.prelude.Borrow + use seq.Seq - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = - [%#sinvariant6] inv'0 self + use seq.Seq - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'0 x + use seq.Seq - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = (let (x0) = x in inv'5 x0) + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_P'0) (args : t_T'0) + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter10] produces'1 a ab b) + -> ([%#siter11] produces'1 b bc c) -> ([%#siter12] produces'1 a (Seq.(++) ab bc) c) - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : bool) + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () - axiom inv_axiom'2 [@rewrite] : forall x : bool [inv'4 x] . inv'4 x = true + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter9] produces'1 self (Seq.empty : Seq.seq t_Item'0) self - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_P'0) (args : t_T'0) (result : bool) - + use prelude.prelude.Snapshot - let rec call_once'0 (self:t_P'0) (args:t_T'0) (return' (ret:bool))= {[@expl:call_once 'self' type invariant] inv'1 self} - {[@expl:call_once 'args' type invariant] inv'3 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any - [ return' (result:bool)-> {inv'4 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] - + use prelude.prelude.Snapshot - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + use prelude.prelude.Int - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_P'0) + use seq.Seq - use prelude.prelude.Intrinsic + use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use seq.Seq - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'0 a_0 - end + use prelude.prelude.Snapshot - meta "compute_max_steps" 1000000 + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : (t_Item'0, Snapshot.snap_ty (Seq.seq t_Item'0))) + - let rec extern_spec_std_option_T_Option_T_filter_body'0 (self_:t_Option'0) (predicate':t_P'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_filter_body 'self_' type invariant] [%#soption0] inv'2 self_} - {[@expl:extern_spec_std_option_T_Option_T_filter_body 'predicate' type invariant] [%#soption1] inv'1 predicate'} - {[@expl:extern_spec_std_option_T_Option_T_filter_body requires] [%#soption2] match self_ with - | C_None'0 -> true - | C_Some'0 t -> precondition'0 predicate' (t) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) - | s1 = [ &_11 <- t ] s2 - | s2 = [ &_9 <- (_11) ] s3 - | s3 = call_once'0 {predicate'} {_9} (fun (_ret':bool) -> [ &_7 <- _ret' ] s4) - | s4 = bb7 ] - - | bb7 = any [ br0 -> {_7 = false} (! bb10) | br1 -> {_7} (! bb8) ] - | bb8 = s0 [ s0 = [ &_0 <- C_Some'0 t ] s1 | s1 = bb9 ] - | bb9 = bb12 - | bb10 = s0 [ s0 = {[@expl:type invariant] inv'0 t} s1 | s1 = -{resolve'0 t}- s2 | s2 = bb11 ] - | bb11 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb12 ] - | bb12 = bb13 - | bb13 = bb14 - | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 predicate'} s1 | s1 = -{resolve'1 predicate'}- s2 | s2 = bb6 ] - | bb6 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb14 ] - | bb14 = bb15 - | bb15 = bb16 - | bb16 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : t_Option'0 = self_ - | & predicate' : t_P'0 = predicate' - | & t : t_T'0 = any_l () - | & _7 : bool = any_l () - | & _9 : t_T'0 = any_l () - | & _11 : t_T'0 = any_l () ] + use seq.Seq + + predicate produces'0 [@inline:trivial] [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 36 4 36 67] (self : t_MapInv'0) (visited : Seq.seq t_B'0) (succ : t_MapInv'0) - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_filter_body result type invariant] [%#soption3] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_filter_body ensures] [%#soption4] match self_ with - | C_None'0 -> result = C_None'0 - | C_Some'0 t -> match result with - | C_None'0 -> postcondition_once'0 predicate' (t) false /\ resolve'0 t - | C_Some'0 r -> postcondition_once'0 predicate' (t) true /\ r = t - end - end} - (! return' {result}) ] + = + [%#smap_inv2] unnest'0 self.t_MapInv__func'0 succ.t_MapInv__func'0 + /\ (exists fs : Seq.seq (borrowed t_F'0) . Seq.length fs = Seq.length visited + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = Seq.length visited + /\ produces'1 self.t_MapInv__iter'0 s succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) s + /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> (Seq.get fs (i - 1)).final = (Seq.get fs i).current) + /\ (if Seq.length visited = 0 then + self.t_MapInv__func'0 = succ.t_MapInv__func'0 + else + (Seq.get fs 0).current = self.t_MapInv__func'0 + /\ (Seq.get fs (Seq.length visited - 1)).final = succ.t_MapInv__func'0 + ) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest'0 self.t_MapInv__func'0 (Seq.get fs i).current + /\ precondition'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) + /\ postcondition_mut'0 (Seq.get fs i).current (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner self.t_MapInv__produced'0) (Seq.([..]) s 0 i))) (Seq.get fs i).final (Seq.get visited i)))) + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 31 4 31 90] (a : t_MapInv'0) (ab : Seq.seq t_B'0) (b : t_MapInv'0) (bc : Seq.seq t_B'0) (c : t_MapInv'0) : () -end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 273 16 275 44] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 273 36 273 37 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 273 45 273 54 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 269 26 272 17 - let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + = + [%#smap_inv8] () - type t_T'0 + axiom produces_trans'0_spec : forall a : t_MapInv'0, ab : Seq.seq t_B'0, b : t_MapInv'0, bc : Seq.seq t_B'0, c : t_MapInv'0 . ([%#smap_inv5] produces'0 a ab b) + -> ([%#smap_inv6] produces'0 b bc c) -> ([%#smap_inv7] produces'0 a (Seq.(++) ab bc) c) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 24 4 24 26] (self : t_MapInv'0) : () = + [%#smap_inv4] () - type t_F'0 + axiom produces_refl'0_spec : forall self : t_MapInv'0 . [%#smap_inv3] produces'0 self (Seq.empty : Seq.seq t_B'0) self - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + use seq.Seq - use prelude.prelude.Borrow + use seq.Seq - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + constant self : t_MapInv'0 - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + constant visited : t_B'0 + + constant succ : t_MapInv'0 + + predicate produces_one'0 [#"../../../creusot-contracts/src/std/iter/map_inv.rs" 180 4 180 57] (self : t_MapInv'0) (visited : t_B'0) (succ : t_MapInv'0) - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + goal vc_produces_one'0 : [%#smap_inv0] ([%#smap_inv1] exists f : borrowed t_F'0, e : t_Item'0 . f.current + = self.t_MapInv__func'0 + /\ f.final = succ.t_MapInv__func'0 + /\ produces'1 self.t_MapInv__iter'0 (Seq.singleton e) succ.t_MapInv__iter'0 + /\ Snapshot.inner succ.t_MapInv__produced'0 = Seq.snoc (Snapshot.inner self.t_MapInv__produced'0) e + /\ precondition'0 f.current (e, self.t_MapInv__produced'0) + /\ postcondition_mut'0 f.current (e, self.t_MapInv__produced'0) f.final visited) + = produces'0 self (Seq.singleton visited) succ +end +module M_creusot_contracts__stdqy35z1__iter__once__qyi8116812009287608646__produces_refl [#"../../../creusot-contracts/src/std/iter/once.rs" 32 4 32 26] (* as std::iter::Iterator> *) + let%span sonce0 = "../../../creusot-contracts/src/std/iter/once.rs" 31 14 31 45 + let%span sonce1 = "../../../creusot-contracts/src/std/iter/once.rs" 29 4 29 10 + let%span sonce2 = "../../../creusot-contracts/src/std/iter/once.rs" 24 12 25 96 - axiom inv_axiom'1 [@rewrite] : forall x : () [inv'2 x] . inv'2 x = true + use seq.Seq - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + type t_T'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'3 a_0 - end + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_Option'0) - + type t_IntoIter'0 = + { t_IntoIter__inner'0: t_Item'0 } - let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_Option'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'2 args} - {[@expl:call_once requires] [%#sops4] precondition'0 self args} - any - [ return' (result:t_Option'0)-> {inv'1 result} - {[%#sops4] postcondition_once'0 self args result} - (! return' {result}) ] - + type t_Once'0 = + { t_Once__inner'0: t_IntoIter'0 } - use prelude.prelude.Intrinsic + function view'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 8 4 8 30] (self : t_Once'0) : t_Option'0 - meta "compute_max_steps" 1000000 + use seq.Seq - let rec extern_spec_std_option_T_Option_T_or_else_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} - {[@expl:extern_spec_std_option_T_Option_T_or_else_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_or_else_body requires] [%#soption0] self_ = C_None'0 - -> precondition'0 f ()} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 f} s1 - | s1 = -{resolve'0 f}- s2 - | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) - | s3 = [ &_0 <- C_Some'0 t ] s4 - | s4 = bb8 ] - - | bb8 = bb9 - | bb9 = bb10 - | bb4 = bb6 - | bb6 = s0 [ s0 = call_once'0 {f} {_7} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] - | bb7 = bb10 - | bb10 = bb11 - | bb11 = bb12 - | bb12 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : t_Option'0 = self_ - | & f : t_F'0 = f - | & _7 : () = any_l () - | & t : t_T'0 = any_l () ] - - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_or_else_body result type invariant] [%#soption2] inv'1 result} - {[@expl:extern_spec_std_option_T_Option_T_or_else_body ensures] [%#soption3] match self_ with - | C_None'0 -> postcondition_once'0 f () result - | C_Some'0 t -> result = C_Some'0 t - end} - (! return' {result}) ] + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 22 4 22 64] (self : t_Once'0) (visited : Seq.seq t_T'0) (o : t_Once'0) + = + [%#sonce2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + + constant self : t_Once'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 32 4 32 26] (self : t_Once'0) : () + + goal vc_produces_refl'0 : [%#sonce0] produces'0 self (Seq.empty : Seq.seq t_T'0) self end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_get_or_insert_with_body [#"../../../creusot-contracts/src/std/option.rs" 311 16 313 36] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 311 52 311 53 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 306 27 306 63 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 311 61 311 67 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 307 26 310 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 - let%span soption6 = "../../../creusot-contracts/src/std/option.rs" 62 26 62 75 - let%span soption7 = "../../../creusot-contracts/src/std/option.rs" 64 20 65 100 - let%span sresolve8 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - let%span sresolve9 = "../../../creusot-contracts/src/resolve.rs" 82 8 85 9 - let%span sinvariant10 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 +module M_creusot_contracts__stdqy35z1__iter__once__qyi8116812009287608646__produces_trans [#"../../../creusot-contracts/src/std/iter/once.rs" 39 4 39 90] (* as std::iter::Iterator> *) + let%span sonce0 = "../../../creusot-contracts/src/std/iter/once.rs" 36 15 36 32 + let%span sonce1 = "../../../creusot-contracts/src/std/iter/once.rs" 37 15 37 32 + let%span sonce2 = "../../../creusot-contracts/src/std/iter/once.rs" 38 14 38 42 + let%span sonce3 = "../../../creusot-contracts/src/std/iter/once.rs" 34 4 34 10 + let%span sonce4 = "../../../creusot-contracts/src/std/iter/once.rs" 24 12 25 96 type t_T'0 @@ -7492,3592 +7529,6917 @@ module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T | C_None'0 | C_Some'0 t_T'0 - type t_F'0 + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + type t_IntoIter'0 = + { t_IntoIter__inner'0: t_Item'0 } - use prelude.prelude.Borrow + type t_Once'0 = + { t_Once__inner'0: t_IntoIter'0 } - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + use seq.Seq - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] - + function view'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 8 4 8 30] (self : t_Once'0) : t_Option'0 - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = - [%#sinvariant10] inv'1 self.current /\ inv'1 self.final + use seq.Seq - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 22 4 22 64] (self : t_Once'0) (visited : Seq.seq t_T'0) (o : t_Once'0) + + = + [%#sonce4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'2 x] . inv'2 x = invariant'0 x + use seq.Seq - predicate resolve'4 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = - [%#sresolve8] self.final = self.current + constant a : t_Once'0 - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = - resolve'4 _1 + constant ab : Seq.seq t_T'0 - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + constant b : t_Once'0 - axiom inv_axiom'3 [@rewrite] : forall x : () [inv'5 x] . inv'5 x = true + constant bc : Seq.seq t_T'0 - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + constant c : t_Once'0 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_T'0) + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/once.rs" 39 4 39 90] (a : t_Once'0) (ab : Seq.seq t_T'0) (b : t_Once'0) (bc : Seq.seq t_T'0) (c : t_Once'0) : () - let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_T'0))= {[@expl:call_once 'self' type invariant] inv'0 self} - {[@expl:call_once 'args' type invariant] inv'5 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any - [ return' (result:t_T'0)-> {inv'1 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] - + goal vc_produces_trans'0 : ([%#sonce1] produces'0 b bc c) + -> ([%#sonce0] produces'0 a ab b) -> ([%#sonce2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__range__qyi16860283617022118777__produces_refl [#"../../../creusot-contracts/src/std/iter/range.rs" 33 4 33 26] (* as std::iter::Iterator> *) + let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45 + let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 30 4 30 10 + let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 22 12 26 70 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use seq.Seq - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'3 x] . inv'3 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'1 a_0 - end + type t_Idx'0 - predicate resolve'7 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + use seq.Seq - predicate resolve'5 [#"../../../creusot-contracts/src/resolve.rs" 81 4 81 28] (self : t_Option'0) = - [%#sresolve9] match self with - | C_Some'0 x -> resolve'7 x - | C_None'0 -> true - end + type t_Range'0 = + { t_Range__start'0: t_Idx'0; t_Range__end'0: t_Idx'0 } - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Option'0) = - resolve'5 _1 + use prelude.prelude.Int - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_Option'0)) = - [%#sinvariant10] inv'3 self.current /\ inv'3 self.final + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_Option'0)) + use seq.Seq - axiom inv_axiom'2 [@rewrite] : forall x : borrowed (t_Option'0) [inv'4 x] . inv'4 x = invariant'1 x + use seq.Seq - type t_Option'1 = - | C_None'1 - | C_Some'1 (borrowed t_T'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 20 4 20 64] (self : t_Range'0) (visited : Seq.seq t_Idx'0) (o : t_Range'0) + + = + [%#srange2] self.t_Range__end'0 = o.t_Range__end'0 + /\ deep_model'0 self.t_Range__start'0 <= deep_model'0 o.t_Range__start'0 + /\ (Seq.length visited > 0 -> deep_model'0 o.t_Range__start'0 <= deep_model'0 o.t_Range__end'0) + /\ Seq.length visited = deep_model'0 o.t_Range__start'0 - deep_model'0 self.t_Range__start'0 + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model'0 (Seq.get visited i) = deep_model'0 self.t_Range__start'0 + i) - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + constant self : t_Range'0 - axiom inv_axiom'4 [@rewrite] : forall x : t_Option'1 [inv'6 x] . inv'6 x - = match x with - | C_None'1 -> true - | C_Some'1 a_0 -> inv'2 a_0 - end + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 33 4 33 26] (self : t_Range'0) : () - let rec as_mut'0 (self:borrowed (t_Option'0)) (return' (ret:t_Option'1))= {[@expl:as_mut 'self' type invariant] inv'4 self} - any - [ return' (result:t_Option'1)-> {inv'6 result} - {[%#soption6] self.current = C_None'0 -> result = C_None'1 /\ self.final = C_None'0} - {[%#soption7] self.current = C_None'0 - \/ (exists r : borrowed t_T'0 . result = C_Some'1 r - /\ self.current = C_Some'0 (r.current) /\ self.final = C_Some'0 (r.final))} - (! return' {result}) ] - + goal vc_produces_refl'0 : [%#srange0] produces'0 self (Seq.empty : Seq.seq t_Idx'0) self +end +module M_creusot_contracts__stdqy35z1__iter__range__qyi16860283617022118777__produces_trans [#"../../../creusot-contracts/src/std/iter/range.rs" 40 4 40 90] (* as std::iter::Iterator> *) + let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32 + let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32 + let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42 + let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 35 4 35 10 + let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 22 12 26 70 - let rec unwrap'0 (self:t_Option'1) (return' (ret:borrowed t_T'0))= {[@expl:unwrap 'self' type invariant] inv'6 self} - {[@expl:unwrap requires] [%#soption0] self <> C_None'1} - any [ return' (result:borrowed t_T'0)-> {inv'2 result} {[%#soption0] C_Some'1 result = self} (! return' {result}) ] + type t_Idx'0 - predicate resolve'6 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_Option'0)) = - [%#sresolve8] self.final = self.current + type t_Range'0 = + { t_Range__start'0: t_Idx'0; t_Range__end'0: t_Idx'0 } - predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_Option'0)) = - resolve'6 _1 + use seq.Seq - use prelude.prelude.Intrinsic + use prelude.prelude.Int - meta "compute_max_steps" 1000000 + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int - let rec extern_spec_std_option_T_Option_T_get_or_insert_with_body'0 (self_:borrowed (t_Option'0)) (f:t_F'0) (return' (ret:borrowed t_T'0))= {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body 'self_' type invariant] [%#soption0] inv'4 self_} - {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body 'f' type invariant] [%#soption1] inv'0 f} - {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body requires] [%#soption2] self_.current = C_None'0 - -> precondition'0 f ()} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_.current = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_.current = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = {[@expl:type invariant] inv'0 f} s1 - | s1 = -{resolve'0 f}- s2 - | s2 = v_Some'0 {self_.current} - (fun (r0'0:t_T'0) -> - {inv'1 r0'0} - Borrow.borrow_final {r0'0} {Borrow.inherit_id (Borrow.get_id self_) 1} - (fun (_ret':borrowed t_T'0) -> - [ &t <- _ret' ] - -{inv'1 _ret'.final}- - [ &self_ <- { self_ with current = C_Some'0 _ret'.final } ] - s3)) - | s3 = {inv'1 t.current} - Borrow.borrow_final {t.current} {Borrow.get_id t} - (fun (_ret':borrowed t_T'0) -> - [ &_6 <- _ret' ] - -{inv'1 _ret'.final}- - [ &t <- { t with current = _ret'.final } ] - s4) - | s4 = {[@expl:type invariant] inv'2 t} s5 - | s5 = -{resolve'1 t}- s6 - | s6 = bb14 ] - - | bb4 = bb6 - | bb6 = s0 [ s0 = call_once'0 {f} {_12} (fun (_ret':t_T'0) -> [ &_10 <- _ret' ] s1) | s1 = bb7 ] - | bb7 = s0 [ s0 = [ &_9 <- C_Some'0 _10 ] s1 | s1 = bb8 ] - | bb8 = bb9 - | bb9 = s0 - [ s0 = {[@expl:type invariant] match self_ with - | {current = x'0} -> inv'3 x'0 - | _ -> true - end} - s1 - | s1 = -{match self_ with - | {current = x'1} -> resolve'2 x'1 - | _ -> true - end}- - s2 - | s2 = [ &self_ <- { self_ with current = _9 } ] s3 - | s3 = bb11 ] - - | bb11 = s0 - [ s0 = {inv'3 self_.current} - Borrow.borrow_final {self_.current} {Borrow.get_id self_} - (fun (_ret':borrowed (t_Option'0)) -> - [ &_15 <- _ret' ] - -{inv'3 _ret'.final}- - [ &self_ <- { self_ with current = _ret'.final } ] - s1) - | s1 = as_mut'0 {_15} (fun (_ret':t_Option'1) -> [ &_14 <- _ret' ] s2) - | s2 = bb12 ] - - | bb12 = s0 [ s0 = unwrap'0 {_14} (fun (_ret':borrowed t_T'0) -> [ &_13 <- _ret' ] s1) | s1 = bb13 ] - | bb13 = s0 - [ s0 = {inv'1 _13.current} - Borrow.borrow_final {_13.current} {Borrow.get_id _13} - (fun (_ret':borrowed t_T'0) -> - [ &_8 <- _ret' ] - -{inv'1 _ret'.final}- - [ &_13 <- { _13 with current = _ret'.final } ] - s1) - | s1 = {inv'1 _8.current} - Borrow.borrow_final {_8.current} {Borrow.get_id _8} - (fun (_ret':borrowed t_T'0) -> - [ &_6 <- _ret' ] - -{inv'1 _ret'.final}- - [ &_8 <- { _8 with current = _ret'.final } ] - s2) - | s2 = {[@expl:type invariant] inv'2 _13} s3 - | s3 = -{resolve'1 _13}- s4 - | s4 = {[@expl:type invariant] inv'2 _8} s5 - | s5 = -{resolve'1 _8}- s6 - | s6 = bb14 ] - - | bb14 = s0 - [ s0 = {inv'1 _6.current} - Borrow.borrow_final {_6.current} {Borrow.get_id _6} - (fun (_ret':borrowed t_T'0) -> - [ &_3 <- _ret' ] - -{inv'1 _ret'.final}- - [ &_6 <- { _6 with current = _ret'.final } ] - s1) - | s1 = {inv'1 _3.current} - Borrow.borrow_final {_3.current} {Borrow.get_id _3} - (fun (_ret':borrowed t_T'0) -> - [ &_0 <- _ret' ] - -{inv'1 _ret'.final}- - [ &_3 <- { _3 with current = _ret'.final } ] - s2) - | s2 = {[@expl:type invariant] inv'2 _6} s3 - | s3 = -{resolve'1 _6}- s4 - | s4 = {[@expl:type invariant] inv'2 _3} s5 - | s5 = -{resolve'1 _3}- s6 - | s6 = bb15 ] - - | bb15 = s0 [ s0 = {[@expl:type invariant] inv'4 self_} s1 | s1 = -{resolve'3 self_}- s2 | s2 = return' {_0} ] ] - ) - [ & _0 : borrowed t_T'0 = any_l () - | & self_ : borrowed (t_Option'0) = self_ - | & f : t_F'0 = f - | & _3 : borrowed t_T'0 = any_l () - | & _6 : borrowed t_T'0 = any_l () - | & _8 : borrowed t_T'0 = any_l () - | & _9 : t_Option'0 = any_l () - | & _10 : t_T'0 = any_l () - | & _12 : () = any_l () - | & _13 : borrowed t_T'0 = any_l () - | & _14 : t_Option'1 = any_l () - | & _15 : borrowed (t_Option'0) = any_l () - | & t : borrowed t_T'0 = any_l () ] + use seq.Seq + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 20 4 20 64] (self : t_Range'0) (visited : Seq.seq t_Idx'0) (o : t_Range'0) - [ return' (result:borrowed t_T'0)-> {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body result type invariant] [%#soption3] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body ensures] [%#soption4] match self_.current with - | C_None'0 -> postcondition_once'0 f () result.current /\ self_.final = C_Some'0 (result.final) - | C_Some'0 _ -> self_.current = C_Some'0 (result.current) /\ self_.final = C_Some'0 (result.final) - end} - (! return' {result}) ] + = + [%#srange4] self.t_Range__end'0 = o.t_Range__end'0 + /\ deep_model'0 self.t_Range__start'0 <= deep_model'0 o.t_Range__start'0 + /\ (Seq.length visited > 0 -> deep_model'0 o.t_Range__start'0 <= deep_model'0 o.t_Range__end'0) + /\ Seq.length visited = deep_model'0 o.t_Range__start'0 - deep_model'0 self.t_Range__start'0 + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model'0 (Seq.get visited i) = deep_model'0 self.t_Range__start'0 + i) + + use seq.Seq + + constant a : t_Range'0 + + constant ab : Seq.seq t_Idx'0 + + constant b : t_Range'0 + + constant bc : Seq.seq t_Idx'0 + + constant c : t_Range'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 40 4 40 90] (a : t_Range'0) (ab : Seq.seq t_Idx'0) (b : t_Range'0) (bc : Seq.seq t_Idx'0) (c : t_Range'0) : () + + goal vc_produces_trans'0 : ([%#srange1] produces'0 b bc c) + -> ([%#srange0] produces'0 a ab b) -> ([%#srange2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_take_if_body [#"../../../creusot-contracts/src/std/option.rs" 338 16 340 45] - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 338 41 338 50 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 324 27 327 17 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 338 58 338 67 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 328 26 337 17 - let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 +module M_creusot_contracts__stdqy35z1__iter__range__range_inclusive_len [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] + let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 + let%span sops1 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 + let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 + + type t_Idx'0 + + type t_RangeInclusive'0 = + { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } + + function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 + + use prelude.prelude.Int + + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + + function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 + + function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool + + axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . [%#sops1] not is_empty_log'0 self + -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) + + constant r : t_RangeInclusive'0 + + function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int + + + goal vc_range_inclusive_len'0 : ([%#sops1] not is_empty_log'0 r + -> deep_model'0 (start_log'0 r) <= deep_model'0 (end_log'0 r)) + -> (if is_empty_log'0 r then + [%#srange0] is_empty_log'0 r = (0 = 0) + else + [%#srange0] is_empty_log'0 r = (deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 = 0) + ) +end +module M_creusot_contracts__stdqy35z1__iter__range__qyi11108913944999844411__produces_refl [#"../../../creusot-contracts/src/std/iter/range.rs" 77 4 77 26] (* as std::iter::Iterator> *) + let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 76 14 76 45 + let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 74 4 74 10 + let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 66 12 70 76 + let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 + let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 + + use seq.Seq + + type t_Idx'0 + + use seq.Seq + + type t_RangeInclusive'0 = + { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } + + use seq.Seq + + function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 + + use prelude.prelude.Int + + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + + function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 + + function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool + + axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . [%#sops5] not is_empty_log'0 self + -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) + + function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int + + = + [%#srange4] if is_empty_log'0 r then 0 else deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 + + axiom range_inclusive_len'0_spec : forall r : t_RangeInclusive'0 . [%#srange3] is_empty_log'0 r + = (range_inclusive_len'0 r = 0) + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 64 4 64 64] (self : t_RangeInclusive'0) (visited : Seq.seq t_Idx'0) (o : t_RangeInclusive'0) + + = + [%#srange2] Seq.length visited = range_inclusive_len'0 self - range_inclusive_len'0 o + /\ (is_empty_log'0 self -> is_empty_log'0 o) + /\ (is_empty_log'0 o \/ end_log'0 self = end_log'0 o) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model'0 (Seq.get visited i) = deep_model'0 (start_log'0 self) + i) + + constant self : t_RangeInclusive'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 77 4 77 26] (self : t_RangeInclusive'0) : () + + + goal vc_produces_refl'0 : [%#srange0] produces'0 self (Seq.empty : Seq.seq t_Idx'0) self +end +module M_creusot_contracts__stdqy35z1__iter__range__qyi11108913944999844411__produces_trans [#"../../../creusot-contracts/src/std/iter/range.rs" 84 4 84 90] (* as std::iter::Iterator> *) + let%span srange0 = "../../../creusot-contracts/src/std/iter/range.rs" 81 15 81 32 + let%span srange1 = "../../../creusot-contracts/src/std/iter/range.rs" 82 15 82 32 + let%span srange2 = "../../../creusot-contracts/src/std/iter/range.rs" 83 14 83 42 + let%span srange3 = "../../../creusot-contracts/src/std/iter/range.rs" 79 4 79 10 + let%span srange4 = "../../../creusot-contracts/src/std/iter/range.rs" 66 12 70 76 + let%span srange5 = "../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43 + let%span srange6 = "../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5 + let%span sops7 = "../../../creusot-contracts/src/std/ops.rs" 205 14 205 86 + + type t_Idx'0 + + type t_RangeInclusive'0 = + { t_RangeInclusive__start'0: t_Idx'0; t_RangeInclusive__end'0: t_Idx'0; t_RangeInclusive__exhausted'0: bool } + + use seq.Seq + + use seq.Seq + + function start_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 193 4 193 29] (self : t_RangeInclusive'0) : t_Idx'0 + + use prelude.prelude.Int + + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_Idx'0) : int + + function end_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 199 4 199 27] (self : t_RangeInclusive'0) : t_Idx'0 + + function is_empty_log'0 [#"../../../creusot-contracts/src/std/ops.rs" 206 4 209 35] (self : t_RangeInclusive'0) : bool + + axiom is_empty_log'0_spec : forall self : t_RangeInclusive'0 . [%#sops7] not is_empty_log'0 self + -> deep_model'0 (start_log'0 self) <= deep_model'0 (end_log'0 self) + + function range_inclusive_len'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 46 0 46 92] (r : t_RangeInclusive'0) : int + + = + [%#srange6] if is_empty_log'0 r then 0 else deep_model'0 (end_log'0 r) - deep_model'0 (start_log'0 r) + 1 + + axiom range_inclusive_len'0_spec : forall r : t_RangeInclusive'0 . [%#srange5] is_empty_log'0 r + = (range_inclusive_len'0 r = 0) + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 64 4 64 64] (self : t_RangeInclusive'0) (visited : Seq.seq t_Idx'0) (o : t_RangeInclusive'0) + + = + [%#srange4] Seq.length visited = range_inclusive_len'0 self - range_inclusive_len'0 o + /\ (is_empty_log'0 self -> is_empty_log'0 o) + /\ (is_empty_log'0 o \/ end_log'0 self = end_log'0 o) + /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model'0 (Seq.get visited i) = deep_model'0 (start_log'0 self) + i) + + use seq.Seq + + constant a : t_RangeInclusive'0 + + constant ab : Seq.seq t_Idx'0 + + constant b : t_RangeInclusive'0 + + constant bc : Seq.seq t_Idx'0 + + constant c : t_RangeInclusive'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/range.rs" 84 4 84 90] (a : t_RangeInclusive'0) (ab : Seq.seq t_Idx'0) (b : t_RangeInclusive'0) (bc : Seq.seq t_Idx'0) (c : t_RangeInclusive'0) : () + + + goal vc_produces_trans'0 : ([%#srange1] produces'0 b bc c) + -> ([%#srange0] produces'0 a ab b) -> ([%#srange2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__repeat__qyi8658929399712466629__produces_refl [#"../../../creusot-contracts/src/std/iter/repeat.rs" 32 4 32 26] (* as std::iter::Iterator> *) + let%span srepeat0 = "../../../creusot-contracts/src/std/iter/repeat.rs" 31 14 31 45 + let%span srepeat1 = "../../../creusot-contracts/src/std/iter/repeat.rs" 29 4 29 10 + let%span srepeat2 = "../../../creusot-contracts/src/std/iter/repeat.rs" 24 12 25 78 + + use seq.Seq + + type t_T'0 + + use seq.Seq + + type t_Repeat'0 = + { t_Repeat__element'0: t_T'0 } + + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + function view'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 8 4 8 22] (self : t_Repeat'0) : t_T'0 + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 22 4 22 64] (self : t_Repeat'0) (visited : Seq.seq t_T'0) (o : t_Repeat'0) + + = + [%#srepeat2] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = view'0 self) + + constant self : t_Repeat'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 32 4 32 26] (self : t_Repeat'0) : () + + goal vc_produces_refl'0 : [%#srepeat0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__iter__repeat__qyi8658929399712466629__produces_trans [#"../../../creusot-contracts/src/std/iter/repeat.rs" 39 4 39 90] (* as std::iter::Iterator> *) + let%span srepeat0 = "../../../creusot-contracts/src/std/iter/repeat.rs" 36 15 36 32 + let%span srepeat1 = "../../../creusot-contracts/src/std/iter/repeat.rs" 37 15 37 32 + let%span srepeat2 = "../../../creusot-contracts/src/std/iter/repeat.rs" 38 14 38 42 + let%span srepeat3 = "../../../creusot-contracts/src/std/iter/repeat.rs" 34 4 34 10 + let%span srepeat4 = "../../../creusot-contracts/src/std/iter/repeat.rs" 24 12 25 78 + + type t_T'0 + + type t_Repeat'0 = + { t_Repeat__element'0: t_T'0 } + + use seq.Seq + + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + function view'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 8 4 8 22] (self : t_Repeat'0) : t_T'0 + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 22 4 22 64] (self : t_Repeat'0) (visited : Seq.seq t_T'0) (o : t_Repeat'0) + + = + [%#srepeat4] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = view'0 self) + + use seq.Seq + + constant a : t_Repeat'0 + + constant ab : Seq.seq t_T'0 + + constant b : t_Repeat'0 + + constant bc : Seq.seq t_T'0 + + constant c : t_Repeat'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/repeat.rs" 39 4 39 90] (a : t_Repeat'0) (ab : Seq.seq t_T'0) (b : t_Repeat'0) (bc : Seq.seq t_T'0) (c : t_Repeat'0) : () + + + goal vc_produces_trans'0 : ([%#srepeat1] produces'0 b bc c) + -> ([%#srepeat0] produces'0 a ab b) -> ([%#srepeat2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__skip__qyi3195031491774060502__produces_refl [#"../../../creusot-contracts/src/std/iter/skip.rs" 74 4 74 26] (* as std::iter::Iterator> *) + let%span sskip0 = "../../../creusot-contracts/src/std/iter/skip.rs" 73 14 73 45 + let%span sskip1 = "../../../creusot-contracts/src/std/iter/skip.rs" 71 4 71 10 + let%span sskip2 = "../../../creusot-contracts/src/std/iter/skip.rs" 62 12 67 74 + let%span sskip3 = "../../../creusot-contracts/src/std/iter/skip.rs" 21 14 21 50 + let%span sskip4 = "../../../creusot-contracts/src/std/iter/skip.rs" 14 14 14 39 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + use seq.Seq + + type t_Item'0 + + use seq.Seq + + type t_I'0 + + use prelude.prelude.UIntSize + + type t_Skip'0 = + { t_Skip__iter'0: t_I'0; t_Skip__n'0: usize } + + use prelude.prelude.Int + + constant v_MAX'0 : usize = (18446744073709551615 : usize) + + use prelude.prelude.UIntSize + + function n'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 22 4 22 21] (self : t_Skip'0) : int + + axiom n'0_spec : forall self : t_Skip'0 . [%#sskip3] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Skip'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Skip'0 [inv'0 x] . inv'0 x + = match x with + | {t_Skip__iter'0 = iter ; t_Skip__n'0 = n} -> inv'1 iter + end + + function iter'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 15 4 15 22] (self : t_Skip'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Skip'0 . [%#sskip4] inv'0 self -> inv'1 (iter'0 self) + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + + + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) + -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + use seq.Seq + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Item'0) + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 60 4 60 64] (self : t_Skip'0) (visited : Seq.seq t_Item'0) (o : t_Skip'0) + + = + [%#sskip2] visited = (Seq.empty : Seq.seq t_Item'0) /\ self = o + \/ n'0 o = 0 + /\ Seq.length visited > 0 + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = n'0 self + /\ produces'1 (iter'0 self) (Seq.(++) s visited) (iter'0 o) + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve'0 (Seq.get s i))) + + constant self : t_Skip'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 74 4 74 26] (self : t_Skip'0) : () + + goal vc_produces_refl'0 : [%#sskip0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self +end +module M_creusot_contracts__stdqy35z1__iter__skip__qyi3195031491774060502__produces_trans [#"../../../creusot-contracts/src/std/iter/skip.rs" 81 4 81 90] (* as std::iter::Iterator> *) + let%span sskip0 = "../../../creusot-contracts/src/std/iter/skip.rs" 78 15 78 32 + let%span sskip1 = "../../../creusot-contracts/src/std/iter/skip.rs" 79 15 79 32 + let%span sskip2 = "../../../creusot-contracts/src/std/iter/skip.rs" 80 14 80 42 + let%span sskip3 = "../../../creusot-contracts/src/std/iter/skip.rs" 76 4 76 10 + let%span sskip4 = "../../../creusot-contracts/src/std/iter/skip.rs" 62 12 67 74 + let%span sskip5 = "../../../creusot-contracts/src/std/iter/skip.rs" 21 14 21 50 + let%span sskip6 = "../../../creusot-contracts/src/std/iter/skip.rs" 14 14 14 39 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + type t_I'0 + + use prelude.prelude.UIntSize + + type t_Skip'0 = + { t_Skip__iter'0: t_I'0; t_Skip__n'0: usize } + + type t_Item'0 + + use seq.Seq + + use seq.Seq + + use prelude.prelude.Int + + constant v_MAX'0 : usize = (18446744073709551615 : usize) + + use prelude.prelude.UIntSize + + function n'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 22 4 22 21] (self : t_Skip'0) : int + + axiom n'0_spec : forall self : t_Skip'0 . [%#sskip5] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Skip'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Skip'0 [inv'0 x] . inv'0 x + = match x with + | {t_Skip__iter'0 = iter ; t_Skip__n'0 = n} -> inv'1 iter + end + + function iter'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 15 4 15 22] (self : t_Skip'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Skip'0 . [%#sskip6] inv'0 self -> inv'1 (iter'0 self) + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + + + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + + + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter8] produces'1 a ab b) + -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + use seq.Seq + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Item'0) + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 60 4 60 64] (self : t_Skip'0) (visited : Seq.seq t_Item'0) (o : t_Skip'0) + + = + [%#sskip4] visited = (Seq.empty : Seq.seq t_Item'0) /\ self = o + \/ n'0 o = 0 + /\ Seq.length visited > 0 + /\ (exists s : Seq.seq t_Item'0 . Seq.length s = n'0 self + /\ produces'1 (iter'0 self) (Seq.(++) s visited) (iter'0 o) + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve'0 (Seq.get s i))) + + constant a : t_Skip'0 + + constant ab : Seq.seq t_Item'0 + + constant b : t_Skip'0 + + constant bc : Seq.seq t_Item'0 + + constant c : t_Skip'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/skip.rs" 81 4 81 90] (a : t_Skip'0) (ab : Seq.seq t_Item'0) (b : t_Skip'0) (bc : Seq.seq t_Item'0) (c : t_Skip'0) : () + + + goal vc_produces_trans'0 : ([%#sskip1] produces'0 b bc c) + -> ([%#sskip0] produces'0 a ab b) -> ([%#sskip2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__take__qyi12344256497067751022__produces_refl [#"../../../creusot-contracts/src/std/iter/take.rs" 72 4 72 26] (* as std::iter::Iterator> *) + let%span stake0 = "../../../creusot-contracts/src/std/iter/take.rs" 71 14 71 45 + let%span stake1 = "../../../creusot-contracts/src/std/iter/take.rs" 69 4 69 10 + let%span stake2 = "../../../creusot-contracts/src/std/iter/take.rs" 65 12 65 88 + let%span stake3 = "../../../creusot-contracts/src/std/iter/take.rs" 31 14 31 50 + let%span stake4 = "../../../creusot-contracts/src/std/iter/take.rs" 17 14 17 39 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + use seq.Seq + + type t_Item'0 + + use seq.Seq + + type t_I'0 + + use prelude.prelude.UIntSize + + type t_Take'0 = + { t_Take__iter'0: t_I'0; t_Take__n'0: usize } + + use prelude.prelude.Int + + constant v_MAX'0 : usize = (18446744073709551615 : usize) + + use prelude.prelude.UIntSize + + function n'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 32 4 32 21] (self : t_Take'0) : int + + axiom n'0_spec : forall self : t_Take'0 . [%#stake3] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Take'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Take'0 [inv'0 x] . inv'0 x + = match x with + | {t_Take__iter'0 = iter ; t_Take__n'0 = n} -> inv'1 iter + end + + function iter'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 18 4 18 22] (self : t_Take'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Take'0 . [%#stake4] inv'0 self -> inv'1 (iter'0 self) + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + + + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) + -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 63 4 63 64] (self : t_Take'0) (visited : Seq.seq t_Item'0) (o : t_Take'0) + + = + [%#stake2] n'0 self = n'0 o + Seq.length visited /\ produces'1 (iter'0 self) visited (iter'0 o) + + constant self : t_Take'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 72 4 72 26] (self : t_Take'0) : () + + goal vc_produces_refl'0 : [%#stake0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self +end +module M_creusot_contracts__stdqy35z1__iter__take__qyi12344256497067751022__produces_trans [#"../../../creusot-contracts/src/std/iter/take.rs" 79 4 79 90] (* as std::iter::Iterator> *) + let%span stake0 = "../../../creusot-contracts/src/std/iter/take.rs" 76 15 76 32 + let%span stake1 = "../../../creusot-contracts/src/std/iter/take.rs" 77 15 77 32 + let%span stake2 = "../../../creusot-contracts/src/std/iter/take.rs" 78 14 78 42 + let%span stake3 = "../../../creusot-contracts/src/std/iter/take.rs" 74 4 74 10 + let%span stake4 = "../../../creusot-contracts/src/std/iter/take.rs" 65 12 65 88 + let%span stake5 = "../../../creusot-contracts/src/std/iter/take.rs" 31 14 31 50 + let%span stake6 = "../../../creusot-contracts/src/std/iter/take.rs" 17 14 17 39 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + type t_I'0 + + use prelude.prelude.UIntSize + + type t_Take'0 = + { t_Take__iter'0: t_I'0; t_Take__n'0: usize } + + type t_Item'0 + + use seq.Seq + + use prelude.prelude.Int + + constant v_MAX'0 : usize = (18446744073709551615 : usize) + + use prelude.prelude.UIntSize + + function n'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 32 4 32 21] (self : t_Take'0) : int + + axiom n'0_spec : forall self : t_Take'0 . [%#stake5] n'0 self >= 0 /\ n'0 self <= UIntSize.to_int (v_MAX'0 : usize) + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_I'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Take'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Take'0 [inv'0 x] . inv'0 x + = match x with + | {t_Take__iter'0 = iter ; t_Take__n'0 = n} -> inv'1 iter + end + + function iter'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 18 4 18 22] (self : t_Take'0) : t_I'0 + + axiom iter'0_spec : forall self : t_Take'0 . [%#stake6] inv'0 self -> inv'1 (iter'0 self) + + use seq.Seq + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + + + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + + + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter8] produces'1 a ab b) + -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 63 4 63 64] (self : t_Take'0) (visited : Seq.seq t_Item'0) (o : t_Take'0) + + = + [%#stake4] n'0 self = n'0 o + Seq.length visited /\ produces'1 (iter'0 self) visited (iter'0 o) + + constant a : t_Take'0 + + constant ab : Seq.seq t_Item'0 + + constant b : t_Take'0 + + constant bc : Seq.seq t_Item'0 + + constant c : t_Take'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/take.rs" 79 4 79 90] (a : t_Take'0) (ab : Seq.seq t_Item'0) (b : t_Take'0) (bc : Seq.seq t_Item'0) (c : t_Take'0) : () + + + goal vc_produces_trans'0 : ([%#stake1] produces'0 b bc c) + -> ([%#stake0] produces'0 a ab b) -> ([%#stake2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__zip__qyi2281060687216883844__produces_refl [#"../../../creusot-contracts/src/std/iter/zip.rs" 56 4 56 26] (* as std::iter::Iterator> *) + let%span szip0 = "../../../creusot-contracts/src/std/iter/zip.rs" 55 14 55 45 + let%span szip1 = "../../../creusot-contracts/src/std/iter/zip.rs" 53 4 53 10 + let%span szip2 = "../../../creusot-contracts/src/std/iter/zip.rs" 46 12 49 95 + let%span szip3 = "../../../creusot-contracts/src/std/iter/zip.rs" 14 14 14 39 + let%span szip4 = "../../../creusot-contracts/src/std/iter/zip.rs" 21 14 21 39 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + use seq.Seq + + type t_Item'0 + + type t_Item'1 + + use seq.Seq + + type t_A'0 + + type t_B'0 + + use prelude.prelude.UIntSize + + type t_Zip'0 = + { t_Zip__a'0: t_A'0; t_Zip__b'0: t_B'0; t_Zip__index'0: usize; t_Zip__len'0: usize; t_Zip__a_len'0: usize } + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_A'0) + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Zip'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Zip'0 [inv'0 x] . inv'0 x + = match x with + | {t_Zip__a'0 = a ; t_Zip__b'0 = b ; t_Zip__index'0 = index ; t_Zip__len'0 = len ; t_Zip__a_len'0 = a_len} -> inv'1 a + /\ inv'2 b + end + + function itera'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 15 4 15 23] (self : t_Zip'0) : t_A'0 + + axiom itera'0_spec : forall self : t_Zip'0 . [%#szip3] inv'0 self -> inv'1 (itera'0 self) + + use seq.Seq + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_A'0) (visited : Seq.seq t_Item'0) (o : t_A'0) + + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_A'0) (ab : Seq.seq t_Item'0) (b : t_A'0) (bc : Seq.seq t_Item'0) (c : t_A'0) : () + + + axiom produces_trans'0_spec : forall a : t_A'0, ab : Seq.seq t_Item'0, b : t_A'0, bc : Seq.seq t_Item'0, c : t_A'0 . ([%#siter6] produces'1 a ab b) + -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_A'0) : () + + axiom produces_refl'1_spec : forall self : t_A'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + function iterb'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 22 4 22 23] (self : t_Zip'0) : t_B'0 + + axiom iterb'0_spec : forall self : t_Zip'0 . [%#szip4] inv'0 self -> inv'2 (iterb'0 self) + + use seq.Seq + + use seq.Seq + + predicate produces'2 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_B'0) (visited : Seq.seq t_Item'1) (o : t_B'0) + + + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_B'0) (ab : Seq.seq t_Item'1) (b : t_B'0) (bc : Seq.seq t_Item'1) (c : t_B'0) : () + + + axiom produces_trans'1_spec : forall a : t_B'0, ab : Seq.seq t_Item'1, b : t_B'0, bc : Seq.seq t_Item'1, c : t_B'0 . ([%#siter6] produces'2 a ab b) + -> ([%#siter7] produces'2 b bc c) -> ([%#siter8] produces'2 a (Seq.(++) ab bc) c) + + function produces_refl'2 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_B'0) : () + + axiom produces_refl'2_spec : forall self : t_B'0 . [%#siter5] produces'2 self (Seq.empty : Seq.seq t_Item'1) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 43 4 43 64] (self : t_Zip'0) (visited : Seq.seq (t_Item'0, t_Item'1)) (o : t_Zip'0) + + = + [%#szip2] exists p1 : Seq.seq t_Item'0, p2 : Seq.seq t_Item'1 . Seq.length p1 = Seq.length p2 + /\ Seq.length p2 = Seq.length visited + /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) + /\ produces'1 (itera'0 self) p1 (itera'0 o) /\ produces'2 (iterb'0 self) p2 (iterb'0 o) + + constant self : t_Zip'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 56 4 56 26] (self : t_Zip'0) : () + + goal vc_produces_refl'0 : [%#szip0] produces'0 self (Seq.empty : Seq.seq (t_Item'0, t_Item'1)) self +end +module M_creusot_contracts__stdqy35z1__iter__zip__qyi2281060687216883844__produces_trans [#"../../../creusot-contracts/src/std/iter/zip.rs" 63 4 63 90] (* as std::iter::Iterator> *) + let%span szip0 = "../../../creusot-contracts/src/std/iter/zip.rs" 60 15 60 32 + let%span szip1 = "../../../creusot-contracts/src/std/iter/zip.rs" 61 15 61 32 + let%span szip2 = "../../../creusot-contracts/src/std/iter/zip.rs" 62 14 62 42 + let%span szip3 = "../../../creusot-contracts/src/std/iter/zip.rs" 58 4 58 10 + let%span szip4 = "../../../creusot-contracts/src/std/iter/zip.rs" 46 12 49 95 + let%span szip5 = "../../../creusot-contracts/src/std/iter/zip.rs" 14 14 14 39 + let%span szip6 = "../../../creusot-contracts/src/std/iter/zip.rs" 21 14 21 39 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter9 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter10 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + type t_A'0 + + type t_B'0 + + use prelude.prelude.UIntSize + + type t_Zip'0 = + { t_Zip__a'0: t_A'0; t_Zip__b'0: t_B'0; t_Zip__index'0: usize; t_Zip__len'0: usize; t_Zip__a_len'0: usize } + + type t_Item'0 + + type t_Item'1 + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use prelude.prelude.Int + + use seq.Seq + + use seq.Seq + + use seq.Seq + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_A'0) + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_B'0) + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Zip'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Zip'0 [inv'0 x] . inv'0 x + = match x with + | {t_Zip__a'0 = a ; t_Zip__b'0 = b ; t_Zip__index'0 = index ; t_Zip__len'0 = len ; t_Zip__a_len'0 = a_len} -> inv'1 a + /\ inv'2 b + end + + function itera'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 15 4 15 23] (self : t_Zip'0) : t_A'0 + + axiom itera'0_spec : forall self : t_Zip'0 . [%#szip5] inv'0 self -> inv'1 (itera'0 self) + + use seq.Seq + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_A'0) (visited : Seq.seq t_Item'0) (o : t_A'0) + + + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_A'0) (ab : Seq.seq t_Item'0) (b : t_A'0) (bc : Seq.seq t_Item'0) (c : t_A'0) : () + + + axiom produces_trans'1_spec : forall a : t_A'0, ab : Seq.seq t_Item'0, b : t_A'0, bc : Seq.seq t_Item'0, c : t_A'0 . ([%#siter8] produces'1 a ab b) + -> ([%#siter9] produces'1 b bc c) -> ([%#siter10] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_A'0) : () + + axiom produces_refl'0_spec : forall self : t_A'0 . [%#siter7] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + function iterb'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 22 4 22 23] (self : t_Zip'0) : t_B'0 + + axiom iterb'0_spec : forall self : t_Zip'0 . [%#szip6] inv'0 self -> inv'2 (iterb'0 self) + + use seq.Seq + + use seq.Seq + + predicate produces'2 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_B'0) (visited : Seq.seq t_Item'1) (o : t_B'0) + + + function produces_trans'2 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_B'0) (ab : Seq.seq t_Item'1) (b : t_B'0) (bc : Seq.seq t_Item'1) (c : t_B'0) : () + + + axiom produces_trans'2_spec : forall a : t_B'0, ab : Seq.seq t_Item'1, b : t_B'0, bc : Seq.seq t_Item'1, c : t_B'0 . ([%#siter8] produces'2 a ab b) + -> ([%#siter9] produces'2 b bc c) -> ([%#siter10] produces'2 a (Seq.(++) ab bc) c) + + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_B'0) : () + + axiom produces_refl'1_spec : forall self : t_B'0 . [%#siter7] produces'2 self (Seq.empty : Seq.seq t_Item'1) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 43 4 43 64] (self : t_Zip'0) (visited : Seq.seq (t_Item'0, t_Item'1)) (o : t_Zip'0) + + = + [%#szip4] exists p1 : Seq.seq t_Item'0, p2 : Seq.seq t_Item'1 . Seq.length p1 = Seq.length p2 + /\ Seq.length p2 = Seq.length visited + /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) + /\ produces'1 (itera'0 self) p1 (itera'0 o) /\ produces'2 (iterb'0 self) p2 (iterb'0 o) + + use seq.Seq + + constant a : t_Zip'0 + + constant ab : Seq.seq (t_Item'0, t_Item'1) + + constant b : t_Zip'0 + + constant bc : Seq.seq (t_Item'0, t_Item'1) + + constant c : t_Zip'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter/zip.rs" 63 4 63 90] (a : t_Zip'0) (ab : Seq.seq (t_Item'0, t_Item'1)) (b : t_Zip'0) (bc : Seq.seq (t_Item'0, t_Item'1)) (c : t_Zip'0) : () + + + goal vc_produces_trans'0 : ([%#szip1] produces'0 b bc c) + -> ([%#szip0] produces'0 a ab b) -> ([%#szip2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__iter__qyi8355237225316942617__produces_refl [#"../../../creusot-contracts/src/std/iter.rs" 223 4 223 26] (* <&mut I as std::iter::Iterator> *) + let%span siter0 = "../../../creusot-contracts/src/std/iter.rs" 222 14 222 45 + let%span siter1 = "../../../creusot-contracts/src/std/iter.rs" 220 4 220 10 + let%span siter2 = "../../../creusot-contracts/src/std/iter.rs" 211 20 211 64 + let%span siter3 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + use seq.Seq + + type t_Item'0 + + use seq.Seq + + use prelude.prelude.Borrow + + type t_I'0 + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + + + axiom produces_trans'0_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter4] produces'1 a ab b) + -> ([%#siter5] produces'1 b bc c) -> ([%#siter6] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'1 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'1_spec : forall self : t_I'0 . [%#siter3] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 210 4 210 64] (self : borrowed t_I'0) (visited : Seq.seq t_Item'0) (o : borrowed t_I'0) + + = + [%#siter2] produces'1 self.current visited o.current /\ self.final = o.final + + constant self : borrowed t_I'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 223 4 223 26] (self : borrowed t_I'0) : () + + goal vc_produces_refl'0 : [%#siter0] produces'0 self (Seq.empty : Seq.seq t_Item'0) self +end +module M_creusot_contracts__stdqy35z1__iter__qyi8355237225316942617__produces_trans [#"../../../creusot-contracts/src/std/iter.rs" 230 4 230 90] (* <&mut I as std::iter::Iterator> *) + let%span siter0 = "../../../creusot-contracts/src/std/iter.rs" 227 15 227 32 + let%span siter1 = "../../../creusot-contracts/src/std/iter.rs" 228 15 228 32 + let%span siter2 = "../../../creusot-contracts/src/std/iter.rs" 229 14 229 42 + let%span siter3 = "../../../creusot-contracts/src/std/iter.rs" 225 4 225 10 + let%span siter4 = "../../../creusot-contracts/src/std/iter.rs" 211 20 211 64 + let%span siter5 = "../../../creusot-contracts/src/std/iter.rs" 38 14 38 45 + let%span siter6 = "../../../creusot-contracts/src/std/iter.rs" 42 15 42 32 + let%span siter7 = "../../../creusot-contracts/src/std/iter.rs" 43 15 43 32 + let%span siter8 = "../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 + + use prelude.prelude.Borrow + + type t_I'0 + + type t_Item'0 + + use seq.Seq + + use seq.Seq + + use seq.Seq + + predicate produces'1 [#"../../../creusot-contracts/src/std/iter.rs" 32 4 32 65] (self : t_I'0) (visited : Seq.seq t_Item'0) (o : t_I'0) + + + function produces_trans'1 [#"../../../creusot-contracts/src/std/iter.rs" 45 4 45 91] (a : t_I'0) (ab : Seq.seq t_Item'0) (b : t_I'0) (bc : Seq.seq t_Item'0) (c : t_I'0) : () + + + axiom produces_trans'1_spec : forall a : t_I'0, ab : Seq.seq t_Item'0, b : t_I'0, bc : Seq.seq t_Item'0, c : t_I'0 . ([%#siter6] produces'1 a ab b) + -> ([%#siter7] produces'1 b bc c) -> ([%#siter8] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'0 [#"../../../creusot-contracts/src/std/iter.rs" 39 4 39 27] (self : t_I'0) : () + + axiom produces_refl'0_spec : forall self : t_I'0 . [%#siter5] produces'1 self (Seq.empty : Seq.seq t_Item'0) self + + predicate produces'0 [#"../../../creusot-contracts/src/std/iter.rs" 210 4 210 64] (self : borrowed t_I'0) (visited : Seq.seq t_Item'0) (o : borrowed t_I'0) + + = + [%#siter4] produces'1 self.current visited o.current /\ self.final = o.final + + constant a : borrowed t_I'0 + + constant ab : Seq.seq t_Item'0 + + constant b : borrowed t_I'0 + + constant bc : Seq.seq t_Item'0 + + constant c : borrowed t_I'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/iter.rs" 230 4 230 90] (a : borrowed t_I'0) (ab : Seq.seq t_Item'0) (b : borrowed t_I'0) (bc : Seq.seq t_Item'0) (c : borrowed t_I'0) : () + + + goal vc_produces_trans'0 : ([%#siter1] produces'0 b bc c) + -> ([%#siter0] produces'0 a ab b) -> ([%#siter2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_unwrap_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 103 16 105 36] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 103 43 103 44 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 103 52 103 53 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 99 26 102 17 + let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'1 [@rewrite] : forall x : () [inv'3 x] . inv'3 x = true + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_T'0) + + + let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_T'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops4] precondition'0 self args} + any + [ return' (result:t_T'0)-> {inv'2 result} {[%#sops4] postcondition_once'0 self args result} (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'2 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_unwrap_or_else_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_T'0))= {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body requires] [%#soption0] self_ = C_None'0 + -> precondition'0 f ()} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 f} s1 + | s1 = -{resolve'0 f}- s2 + | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) + | s3 = [ &_0 <- t ] s4 + | s4 = bb8 ] + + | bb8 = bb9 + | bb4 = bb6 + | bb6 = s0 [ s0 = call_once'0 {f} {_7} (fun (_ret':t_T'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] + | bb7 = bb9 + | bb9 = bb10 + | bb10 = bb11 + | bb11 = return' {_0} ] + ) + [ & _0 : t_T'0 = any_l () + | & self_ : t_Option'0 = self_ + | & f : t_F'0 = f + | & _7 : () = any_l () + | & t : t_T'0 = any_l () ] + + [ return' (result:t_T'0)-> {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body result type invariant] [%#soption2] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_unwrap_or_else_body ensures] [%#soption3] match self_ with + | C_None'0 -> postcondition_once'0 f () result + | C_Some'0 t -> result = t + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_body [#"../../../creusot-contracts/src/std/option.rs" 131 16 133 37] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 131 35 131 36 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 123 27 126 17 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 131 44 131 53 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 127 26 130 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'1 = + | C_None'0 + | C_Some'0 t_T'0 + + let rec v_Some'0 (input:t_Option'1) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'1] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = (let (x0) = x in inv'5 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + + type t_U'0 + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) + + + let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any + [ return' (result:t_U'0)-> {inv'4 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + + + type t_Option'0 = + | C_None'1 + | C_Some'1 t_U'0 + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + use prelude.prelude.Intrinsic + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'1 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'5 a_0 + end + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'1 -> true + | C_Some'1 a_0 -> inv'4 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_map_body'0 (self_:t_Option'1) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_map_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_map_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_map_body requires] [%#soption2] match self_ with + | C_None'0 -> true + | C_Some'0 t -> precondition'0 f (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) + | s1 = [ &_9 <- (t) ] s2 + | s2 = call_once'0 {f} {_9} (fun (_ret':t_U'0) -> [ &_7 <- _ret' ] s3) + | s3 = bb7 ] + + | bb7 = bb8 + | bb8 = s0 [ s0 = [ &_0 <- C_Some'1 _7 ] s1 | s1 = bb9 ] + | bb9 = bb10 + | bb10 = bb11 + | bb4 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb6 ] + | bb6 = s0 [ s0 = [ &_0 <- C_None'1 ] s1 | s1 = bb11 ] + | bb11 = bb12 + | bb12 = bb13 + | bb13 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : t_Option'1 = self_ + | & f : t_F'0 = f + | & t : t_T'0 = any_l () + | & _7 : t_U'0 = any_l () + | & _9 : t_T'0 = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_body result type invariant] [%#soption3] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_map_body ensures] [%#soption4] match self_ with + | C_None'0 -> result = C_None'1 + | C_Some'0 t -> exists r : t_U'0 . result = C_Some'1 r /\ postcondition_once'0 f (t) r + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_inspect_body [#"../../../creusot-contracts/src/std/option.rs" 149 16 151 33] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 149 36 149 37 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 140 27 143 17 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 149 45 149 54 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 145 26 148 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + let%span sinvariant6 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + use prelude.prelude.Borrow + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = + [%#sinvariant6] inv'4 self + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'0 x + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = (let (x0) = x in inv'5 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'2 [@rewrite] : forall x : () [inv'3 x] . inv'3 x = true + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : ()) + + + let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:()))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'2 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any [ return' (result:())-> {inv'3 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + use prelude.prelude.Intrinsic + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'4 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_inspect_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_inspect_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_inspect_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_inspect_body requires] [%#soption2] match self_ with + | C_None'0 -> true + | C_Some'0 t -> precondition'0 f (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = bb3 + | bb3 = any [ br0 -> {self_ = C_None'0 } (! bb5) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb6) ] + | bb6 = s0 + [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) + | s1 = [ &_12 <- t ] s2 + | s2 = [ &_10 <- (_12) ] s3 + | s3 = call_once'0 {f} {_10} (fun (_ret':()) -> [ &_8 <- _ret' ] s4) + | s4 = bb8 ] + + | bb8 = s0 [ s0 = [ &_0 <- C_Some'0 t ] s1 | s1 = bb9 ] + | bb9 = bb10 + | bb10 = bb11 + | bb5 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb7 ] + | bb7 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb11 ] + | bb11 = bb12 + | bb12 = bb13 + | bb13 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : t_Option'0 = self_ + | & f : t_F'0 = f + | & t : t_T'0 = any_l () + | & _8 : () = any_l () + | & _10 : t_T'0 = any_l () + | & _12 : t_T'0 = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_inspect_body result type invariant] [%#soption3] inv'1 result} + {[@expl:extern_spec_std_option_T_Option_T_inspect_body ensures #0] [%#soption0] result = self_} + {[@expl:extern_spec_std_option_T_Option_T_inspect_body ensures #1] [%#soption4] match self_ with + | C_None'0 -> true + | C_Some'0 t -> postcondition_once'0 f (t) () + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_or_body [#"../../../creusot-contracts/src/std/option.rs" 166 16 168 37] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 166 38 166 45 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 166 50 166 51 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 158 27 161 17 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 166 59 166 60 + let%span soption5 = "../../../creusot-contracts/src/std/option.rs" 162 26 165 17 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_U'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_U'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_F'0 + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = (let (x0) = x in inv'4 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) + + + let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'1 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops6] precondition'0 self args} + any + [ return' (result:t_U'0)-> {inv'0 result} {[%#sops6] postcondition_once'0 self args result} (! return' {result}) ] + + + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + use prelude.prelude.Intrinsic + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'4 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_map_or_body'0 (self_:t_Option'0) (default:t_U'0) (f:t_F'0) (return' (ret:t_U'0))= {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'self_' type invariant] [%#soption0] inv'2 self_} + {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'default' type invariant] [%#soption1] inv'0 default} + {[@expl:extern_spec_std_option_T_Option_T_map_or_body 'f' type invariant] [%#soption2] inv'1 f} + {[@expl:extern_spec_std_option_T_Option_T_map_or_body requires] [%#soption3] match self_ with + | C_None'0 -> true + | C_Some'0 t -> precondition'0 f (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 default} s1 + | s1 = -{resolve'0 default}- s2 + | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) + | s3 = [ &_9 <- (t) ] s4 + | s4 = call_once'0 {f} {_9} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s5) + | s5 = bb7 ] + + | bb7 = bb8 + | bb8 = bb9 + | bb9 = bb10 + | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 f} s1 | s1 = -{resolve'1 f}- s2 | s2 = bb6 ] + | bb6 = s0 [ s0 = [ &_0 <- default ] s1 | s1 = bb10 ] + | bb10 = bb11 + | bb11 = bb12 + | bb12 = bb13 + | bb13 = return' {_0} ] + ) + [ & _0 : t_U'0 = any_l () + | & self_ : t_Option'0 = self_ + | & default : t_U'0 = default + | & f : t_F'0 = f + | & t : t_T'0 = any_l () + | & _9 : t_T'0 = any_l () ] + + [ return' (result:t_U'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_or_body result type invariant] [%#soption4] inv'0 result} + {[@expl:extern_spec_std_option_T_Option_T_map_or_body ensures] [%#soption5] match self_ with + | C_None'0 -> result = default + | C_Some'0 t -> postcondition_once'0 f (t) result + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_map_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 183 16 186 37] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 183 46 183 53 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 183 58 183 59 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 175 27 178 17 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 183 67 183 68 + let%span soption5 = "../../../creusot-contracts/src/std/option.rs" 179 26 182 17 + let%span sops6 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_D'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_D'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_D'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_F'0 + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = (let (x0) = x in inv'6 x0) + + predicate precondition'1 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + + type t_U'0 + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + + predicate postcondition_once'1 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_U'0) + + + let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'1 self} + {[@expl:call_once 'args' type invariant] inv'4 args} + {[@expl:call_once requires] [%#sops6] precondition'1 self args} + any + [ return' (result:t_U'0)-> {inv'3 result} {[%#sops6] postcondition_once'1 self args result} (! return' {result}) ] + + + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'2 [@rewrite] : forall x : () [inv'5 x] . inv'5 x = true + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_D'0) (args : ()) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_D'0) (args : ()) (result : t_U'0) + + + let rec call_once'1 (self:t_D'0) (args:()) (return' (ret:t_U'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'5 args} + {[@expl:call_once requires] [%#sops6] precondition'0 self args} + any + [ return' (result:t_U'0)-> {inv'3 result} {[%#sops6] postcondition_once'0 self args result} (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'6 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_map_or_else_body'0 (self_:t_Option'0) (default:t_D'0) (f:t_F'0) (return' (ret:t_U'0))= {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'self_' type invariant] [%#soption0] inv'2 self_} + {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'default' type invariant] [%#soption1] inv'0 default} + {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body 'f' type invariant] [%#soption2] inv'1 f} + {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body requires] [%#soption3] match self_ with + | C_None'0 -> precondition'0 default () + | C_Some'0 t -> precondition'1 f (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 default} s1 + | s1 = -{resolve'0 default}- s2 + | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) + | s3 = [ &_11 <- (t) ] s4 + | s4 = call_once'0 {f} {_11} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s5) + | s5 = bb8 ] + + | bb8 = bb9 + | bb9 = bb10 + | bb10 = bb11 + | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 f} s1 | s1 = -{resolve'1 f}- s2 | s2 = bb6 ] + | bb6 = s0 [ s0 = call_once'1 {default} {_8} (fun (_ret':t_U'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] + | bb7 = bb11 + | bb11 = bb12 + | bb12 = bb13 + | bb13 = bb14 + | bb14 = return' {_0} ] + ) + [ & _0 : t_U'0 = any_l () + | & self_ : t_Option'0 = self_ + | & default : t_D'0 = default + | & f : t_F'0 = f + | & _8 : () = any_l () + | & t : t_T'0 = any_l () + | & _11 : t_T'0 = any_l () ] + + [ return' (result:t_U'0)-> {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body result type invariant] [%#soption4] inv'3 result} + {[@expl:extern_spec_std_option_T_Option_T_map_or_else_body ensures] [%#soption5] match self_ with + | C_None'0 -> postcondition_once'0 default () result + | C_Some'0 t -> postcondition_once'1 f (t) result + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_ok_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 204 16 206 36] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 204 42 204 45 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 204 53 204 65 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 200 26 203 17 + let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_E'0 + + type t_Result'0 = + | C_Ok'0 t_T'0 + | C_Err'0 t_E'0 + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'2 [@rewrite] : forall x : () [inv'3 x] . inv'3 x = true + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_E'0) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_E'0) + + + let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_E'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops4] precondition'0 self args} + any + [ return' (result:t_E'0)-> {inv'4 result} {[%#sops4] postcondition_once'0 self args result} (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'5 a_0 + end + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Result'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Result'0 [inv'2 x] . inv'2 x + = match x with + | C_Ok'0 a_0 -> inv'5 a_0 + | C_Err'0 a_0 -> inv'4 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_ok_or_else_body'0 (self_:t_Option'0) (err:t_F'0) (return' (ret:t_Result'0))= {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body 'err' type invariant] [%#soption1] inv'0 err} + {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body requires] [%#soption0] self_ = C_None'0 + -> precondition'0 err ()} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 err} s1 + | s1 = -{resolve'0 err}- s2 + | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) + | s3 = [ &_0 <- C_Ok'0 t ] s4 + | s4 = bb9 ] + + | bb9 = bb10 + | bb10 = bb11 + | bb4 = bb6 + | bb6 = s0 [ s0 = call_once'0 {err} {_8} (fun (_ret':t_E'0) -> [ &_6 <- _ret' ] s1) | s1 = bb7 ] + | bb7 = s0 [ s0 = [ &_0 <- C_Err'0 _6 ] s1 | s1 = bb8 ] + | bb8 = bb11 + | bb11 = bb12 + | bb12 = bb13 + | bb13 = return' {_0} ] + ) + [ & _0 : t_Result'0 = any_l () + | & self_ : t_Option'0 = self_ + | & err : t_F'0 = err + | & _6 : t_E'0 = any_l () + | & _8 : () = any_l () + | & t : t_T'0 = any_l () ] + + [ return' (result:t_Result'0)-> {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body result type invariant] [%#soption2] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_ok_or_else_body ensures] [%#soption3] match self_ with + | C_None'0 -> exists r : t_E'0 . result = C_Err'0 r /\ postcondition_once'0 err () r + | C_Some'0 t -> result = C_Ok'0 t + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_and_then_body [#"../../../creusot-contracts/src/std/option.rs" 234 16 236 45] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 234 40 234 41 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 226 27 229 17 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 234 49 234 58 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 230 26 233 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'1 = + | C_None'0 + | C_Some'0 t_T'0 + + let rec v_Some'0 (input:t_Option'1) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'1] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = (let (x0) = x in inv'4 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : t_T'0) + + type t_U'0 + + type t_Option'0 = + | C_None'1 + | C_Some'1 t_U'0 + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_U'0) + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'1 -> true + | C_Some'1 a_0 -> inv'5 a_0 + end + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : t_T'0) (result : t_Option'0) + + + let rec call_once'0 (self:t_F'0) (args:t_T'0) (return' (ret:t_Option'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any + [ return' (result:t_Option'0)-> {inv'2 result} + {[%#sops5] postcondition_once'0 self args result} + (! return' {result}) ] + + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + use prelude.prelude.Intrinsic + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'1 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'4 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_and_then_body'0 (self_:t_Option'1) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_and_then_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_and_then_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_and_then_body requires] [%#soption2] match self_ with + | C_None'0 -> true + | C_Some'0 t -> precondition'0 f (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) + | s1 = [ &_8 <- (t) ] s2 + | s2 = call_once'0 {f} {_8} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s3) + | s3 = bb7 ] + + | bb7 = bb8 + | bb8 = bb9 + | bb9 = bb10 + | bb4 = s0 [ s0 = {[@expl:type invariant] inv'0 f} s1 | s1 = -{resolve'0 f}- s2 | s2 = bb6 ] + | bb6 = s0 [ s0 = [ &_0 <- C_None'1 ] s1 | s1 = bb10 ] + | bb10 = bb11 + | bb11 = bb12 + | bb12 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : t_Option'1 = self_ + | & f : t_F'0 = f + | & t : t_T'0 = any_l () + | & _8 : t_T'0 = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_and_then_body result type invariant] [%#soption3] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_and_then_body ensures] [%#soption4] match self_ with + | C_None'0 -> result = C_None'1 + | C_Some'0 t -> postcondition_once'0 f (t) result + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_filter_body [#"../../../creusot-contracts/src/std/option.rs" 254 16 256 41] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 254 35 254 44 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 243 27 246 17 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 254 52 254 61 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 247 26 253 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + let%span sinvariant6 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_P'0 + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_P'0) + + use prelude.prelude.Borrow + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = + [%#sinvariant6] inv'0 self + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'0 x + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = (let (x0) = x in inv'5 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_P'0) (args : t_T'0) + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : bool) + + axiom inv_axiom'2 [@rewrite] : forall x : bool [inv'4 x] . inv'4 x = true + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_P'0) (args : t_T'0) (result : bool) + + + let rec call_once'0 (self:t_P'0) (args:t_T'0) (return' (ret:bool))= {[@expl:call_once 'self' type invariant] inv'1 self} + {[@expl:call_once 'args' type invariant] inv'3 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any + [ return' (result:bool)-> {inv'4 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_P'0) + + use prelude.prelude.Intrinsic + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'0 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_filter_body'0 (self_:t_Option'0) (predicate':t_P'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_filter_body 'self_' type invariant] [%#soption0] inv'2 self_} + {[@expl:extern_spec_std_option_T_Option_T_filter_body 'predicate' type invariant] [%#soption1] inv'1 predicate'} + {[@expl:extern_spec_std_option_T_Option_T_filter_body requires] [%#soption2] match self_ with + | C_None'0 -> true + | C_Some'0 t -> precondition'0 predicate' (t) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s1) + | s1 = [ &_11 <- t ] s2 + | s2 = [ &_9 <- (_11) ] s3 + | s3 = call_once'0 {predicate'} {_9} (fun (_ret':bool) -> [ &_7 <- _ret' ] s4) + | s4 = bb7 ] + + | bb7 = any [ br0 -> {_7 = false} (! bb10) | br1 -> {_7} (! bb8) ] + | bb8 = s0 [ s0 = [ &_0 <- C_Some'0 t ] s1 | s1 = bb9 ] + | bb9 = bb12 + | bb10 = s0 [ s0 = {[@expl:type invariant] inv'0 t} s1 | s1 = -{resolve'0 t}- s2 | s2 = bb11 ] + | bb11 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb12 ] + | bb12 = bb13 + | bb13 = bb14 + | bb4 = s0 [ s0 = {[@expl:type invariant] inv'1 predicate'} s1 | s1 = -{resolve'1 predicate'}- s2 | s2 = bb6 ] + | bb6 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb14 ] + | bb14 = bb15 + | bb15 = bb16 + | bb16 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : t_Option'0 = self_ + | & predicate' : t_P'0 = predicate' + | & t : t_T'0 = any_l () + | & _7 : bool = any_l () + | & _9 : t_T'0 = any_l () + | & _11 : t_T'0 = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_filter_body result type invariant] [%#soption3] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_filter_body ensures] [%#soption4] match self_ with + | C_None'0 -> result = C_None'0 + | C_Some'0 t -> match result with + | C_None'0 -> postcondition_once'0 predicate' (t) false /\ resolve'0 t + | C_Some'0 r -> postcondition_once'0 predicate' (t) true /\ r = t + end + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_or_else_body [#"../../../creusot-contracts/src/std/option.rs" 273 16 275 44] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 273 36 273 37 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 273 45 273 54 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 269 26 272 17 + let%span sops4 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'1 [@rewrite] : forall x : () [inv'2 x] . inv'2 x = true + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_Option'0 [inv'1 x] . inv'1 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'3 a_0 + end + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_Option'0) + + + let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_Option'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'2 args} + {[@expl:call_once requires] [%#sops4] precondition'0 self args} + any + [ return' (result:t_Option'0)-> {inv'1 result} + {[%#sops4] postcondition_once'0 self args result} + (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_or_else_body'0 (self_:t_Option'0) (f:t_F'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_or_else_body 'self_' type invariant] [%#soption0] inv'1 self_} + {[@expl:extern_spec_std_option_T_Option_T_or_else_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_or_else_body requires] [%#soption0] self_ = C_None'0 + -> precondition'0 f ()} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_ = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_ = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 f} s1 + | s1 = -{resolve'0 f}- s2 + | s2 = v_Some'0 {self_} (fun (r0'0:t_T'0) -> [ &t <- r0'0 ] s3) + | s3 = [ &_0 <- C_Some'0 t ] s4 + | s4 = bb8 ] + + | bb8 = bb9 + | bb9 = bb10 + | bb4 = bb6 + | bb6 = s0 [ s0 = call_once'0 {f} {_7} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s1) | s1 = bb7 ] + | bb7 = bb10 + | bb10 = bb11 + | bb11 = bb12 + | bb12 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : t_Option'0 = self_ + | & f : t_F'0 = f + | & _7 : () = any_l () + | & t : t_T'0 = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_or_else_body result type invariant] [%#soption2] inv'1 result} + {[@expl:extern_spec_std_option_T_Option_T_or_else_body ensures] [%#soption3] match self_ with + | C_None'0 -> postcondition_once'0 f () result + | C_Some'0 t -> result = C_Some'0 t + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_get_or_insert_with_body [#"../../../creusot-contracts/src/std/option.rs" 311 16 313 36] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 311 52 311 53 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 306 27 306 63 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 311 61 311 67 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 307 26 310 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 + let%span soption6 = "../../../creusot-contracts/src/std/option.rs" 62 26 62 75 + let%span soption7 = "../../../creusot-contracts/src/std/option.rs" 64 20 65 100 + let%span sresolve8 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span sresolve9 = "../../../creusot-contracts/src/resolve.rs" 82 8 85 9 + let%span sinvariant10 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_F'0 + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_F'0) + + use prelude.prelude.Borrow + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_F'0) + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = + [%#sinvariant10] inv'1 self.current /\ inv'1 self.final + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + + axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'2 x] . inv'2 x = invariant'0 x + + predicate resolve'4 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = + [%#sresolve8] self.final = self.current + + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = + resolve'4 _1 + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : ()) + + axiom inv_axiom'3 [@rewrite] : forall x : () [inv'5 x] . inv'5 x = true + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_F'0) (args : ()) + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_F'0) (args : ()) (result : t_T'0) + + + let rec call_once'0 (self:t_F'0) (args:()) (return' (ret:t_T'0))= {[@expl:call_once 'self' type invariant] inv'0 self} + {[@expl:call_once 'args' type invariant] inv'5 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any + [ return' (result:t_T'0)-> {inv'1 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'3 x] . inv'3 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'1 a_0 + end + + predicate resolve'7 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + + predicate resolve'5 [#"../../../creusot-contracts/src/resolve.rs" 81 4 81 28] (self : t_Option'0) = + [%#sresolve9] match self with + | C_Some'0 x -> resolve'7 x + | C_None'0 -> true + end + + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_Option'0) = + resolve'5 _1 + + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_Option'0)) = + [%#sinvariant10] inv'3 self.current /\ inv'3 self.final + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_Option'0)) + + axiom inv_axiom'2 [@rewrite] : forall x : borrowed (t_Option'0) [inv'4 x] . inv'4 x = invariant'1 x + + type t_Option'1 = + | C_None'1 + | C_Some'1 (borrowed t_T'0) + + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'1) + + axiom inv_axiom'4 [@rewrite] : forall x : t_Option'1 [inv'6 x] . inv'6 x + = match x with + | C_None'1 -> true + | C_Some'1 a_0 -> inv'2 a_0 + end + + let rec as_mut'0 (self:borrowed (t_Option'0)) (return' (ret:t_Option'1))= {[@expl:as_mut 'self' type invariant] inv'4 self} + any + [ return' (result:t_Option'1)-> {inv'6 result} + {[%#soption6] self.current = C_None'0 -> result = C_None'1 /\ self.final = C_None'0} + {[%#soption7] self.current = C_None'0 + \/ (exists r : borrowed t_T'0 . result = C_Some'1 r + /\ self.current = C_Some'0 (r.current) /\ self.final = C_Some'0 (r.final))} + (! return' {result}) ] + + + let rec unwrap'0 (self:t_Option'1) (return' (ret:borrowed t_T'0))= {[@expl:unwrap 'self' type invariant] inv'6 self} + {[@expl:unwrap requires] [%#soption0] self <> C_None'1} + any [ return' (result:borrowed t_T'0)-> {inv'2 result} {[%#soption0] C_Some'1 result = self} (! return' {result}) ] + + predicate resolve'6 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_Option'0)) = + [%#sresolve8] self.final = self.current + + predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_Option'0)) = + resolve'6 _1 + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_get_or_insert_with_body'0 (self_:borrowed (t_Option'0)) (f:t_F'0) (return' (ret:borrowed t_T'0))= {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body 'self_' type invariant] [%#soption0] inv'4 self_} + {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body 'f' type invariant] [%#soption1] inv'0 f} + {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body requires] [%#soption2] self_.current = C_None'0 + -> precondition'0 f ()} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_.current = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_.current = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = {[@expl:type invariant] inv'0 f} s1 + | s1 = -{resolve'0 f}- s2 + | s2 = v_Some'0 {self_.current} + (fun (r0'0:t_T'0) -> + {inv'1 r0'0} + Borrow.borrow_final {r0'0} {Borrow.inherit_id (Borrow.get_id self_) 1} + (fun (_ret':borrowed t_T'0) -> + [ &t <- _ret' ] + -{inv'1 _ret'.final}- + [ &self_ <- { self_ with current = C_Some'0 _ret'.final } ] + s3)) + | s3 = {inv'1 t.current} + Borrow.borrow_final {t.current} {Borrow.get_id t} + (fun (_ret':borrowed t_T'0) -> + [ &_6 <- _ret' ] + -{inv'1 _ret'.final}- + [ &t <- { t with current = _ret'.final } ] + s4) + | s4 = {[@expl:type invariant] inv'2 t} s5 + | s5 = -{resolve'1 t}- s6 + | s6 = bb14 ] + + | bb4 = bb6 + | bb6 = s0 [ s0 = call_once'0 {f} {_12} (fun (_ret':t_T'0) -> [ &_10 <- _ret' ] s1) | s1 = bb7 ] + | bb7 = s0 [ s0 = [ &_9 <- C_Some'0 _10 ] s1 | s1 = bb8 ] + | bb8 = bb9 + | bb9 = s0 + [ s0 = {[@expl:type invariant] match self_ with + | {current = x'0} -> inv'3 x'0 + | _ -> true + end} + s1 + | s1 = -{match self_ with + | {current = x'1} -> resolve'2 x'1 + | _ -> true + end}- + s2 + | s2 = [ &self_ <- { self_ with current = _9 } ] s3 + | s3 = bb11 ] + + | bb11 = s0 + [ s0 = {inv'3 self_.current} + Borrow.borrow_final {self_.current} {Borrow.get_id self_} + (fun (_ret':borrowed (t_Option'0)) -> + [ &_15 <- _ret' ] + -{inv'3 _ret'.final}- + [ &self_ <- { self_ with current = _ret'.final } ] + s1) + | s1 = as_mut'0 {_15} (fun (_ret':t_Option'1) -> [ &_14 <- _ret' ] s2) + | s2 = bb12 ] + + | bb12 = s0 [ s0 = unwrap'0 {_14} (fun (_ret':borrowed t_T'0) -> [ &_13 <- _ret' ] s1) | s1 = bb13 ] + | bb13 = s0 + [ s0 = {inv'1 _13.current} + Borrow.borrow_final {_13.current} {Borrow.get_id _13} + (fun (_ret':borrowed t_T'0) -> + [ &_8 <- _ret' ] + -{inv'1 _ret'.final}- + [ &_13 <- { _13 with current = _ret'.final } ] + s1) + | s1 = {inv'1 _8.current} + Borrow.borrow_final {_8.current} {Borrow.get_id _8} + (fun (_ret':borrowed t_T'0) -> + [ &_6 <- _ret' ] + -{inv'1 _ret'.final}- + [ &_8 <- { _8 with current = _ret'.final } ] + s2) + | s2 = {[@expl:type invariant] inv'2 _13} s3 + | s3 = -{resolve'1 _13}- s4 + | s4 = {[@expl:type invariant] inv'2 _8} s5 + | s5 = -{resolve'1 _8}- s6 + | s6 = bb14 ] + + | bb14 = s0 + [ s0 = {inv'1 _6.current} + Borrow.borrow_final {_6.current} {Borrow.get_id _6} + (fun (_ret':borrowed t_T'0) -> + [ &_3 <- _ret' ] + -{inv'1 _ret'.final}- + [ &_6 <- { _6 with current = _ret'.final } ] + s1) + | s1 = {inv'1 _3.current} + Borrow.borrow_final {_3.current} {Borrow.get_id _3} + (fun (_ret':borrowed t_T'0) -> + [ &_0 <- _ret' ] + -{inv'1 _ret'.final}- + [ &_3 <- { _3 with current = _ret'.final } ] + s2) + | s2 = {[@expl:type invariant] inv'2 _6} s3 + | s3 = -{resolve'1 _6}- s4 + | s4 = {[@expl:type invariant] inv'2 _3} s5 + | s5 = -{resolve'1 _3}- s6 + | s6 = bb15 ] + + | bb15 = s0 [ s0 = {[@expl:type invariant] inv'4 self_} s1 | s1 = -{resolve'3 self_}- s2 | s2 = return' {_0} ] ] + ) + [ & _0 : borrowed t_T'0 = any_l () + | & self_ : borrowed (t_Option'0) = self_ + | & f : t_F'0 = f + | & _3 : borrowed t_T'0 = any_l () + | & _6 : borrowed t_T'0 = any_l () + | & _8 : borrowed t_T'0 = any_l () + | & _9 : t_Option'0 = any_l () + | & _10 : t_T'0 = any_l () + | & _12 : () = any_l () + | & _13 : borrowed t_T'0 = any_l () + | & _14 : t_Option'1 = any_l () + | & _15 : borrowed (t_Option'0) = any_l () + | & t : borrowed t_T'0 = any_l () ] + + [ return' (result:borrowed t_T'0)-> {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body result type invariant] [%#soption3] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_get_or_insert_with_body ensures] [%#soption4] match self_.current with + | C_None'0 -> postcondition_once'0 f () result.current /\ self_.final = C_Some'0 (result.final) + | C_Some'0 _ -> self_.current = C_Some'0 (result.current) /\ self_.final = C_Some'0 (result.final) + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__extern_spec_std_option_T_Option_T_take_if_body [#"../../../creusot-contracts/src/std/option.rs" 338 16 340 45] + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 338 41 338 50 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 324 27 327 17 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 338 58 338 67 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 328 26 337 17 + let%span sops5 = "../../../creusot-contracts/src/std/ops.rs" 152 0 174 1 let%span sresolve6 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span sinvariant7 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - type t_T'0 + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + use prelude.prelude.Borrow + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any + [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) + | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] + + + type t_P'0 + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_P'0) + + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = + [%#sinvariant7] inv'0 self.current /\ inv'0 self.final + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + + axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . inv'1 x = invariant'0 x + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + + axiom inv_axiom'3 [@rewrite] : forall x : borrowed t_T'0 [inv'5 x] . inv'5 x = (let (x0) = x in inv'1 x0) + + predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_P'0) (args : borrowed t_T'0) + + + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : bool) + + axiom inv_axiom'4 [@rewrite] : forall x : bool [inv'6 x] . inv'6 x = true + + predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_P'0) (args : borrowed t_T'0) (result : bool) + + + let rec call_once'0 (self:t_P'0) (args:borrowed t_T'0) (return' (ret:bool))= {[@expl:call_once 'self' type invariant] inv'4 self} + {[@expl:call_once 'args' type invariant] inv'5 args} + {[@expl:call_once requires] [%#sops5] precondition'0 self args} + any + [ return' (result:bool)-> {inv'6 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] + + + predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = + [%#sresolve6] self.final = self.current + + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = + resolve'3 _1 + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'0 a_0 + end + + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_Option'0)) = + [%#sinvariant7] inv'2 self.current /\ inv'2 self.final + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_Option'0)) + + axiom inv_axiom'2 [@rewrite] : forall x : borrowed (t_Option'0) [inv'3 x] . inv'3 x = invariant'1 x + + let rec take'0 (self:borrowed (t_Option'0)) (return' (ret:t_Option'0))= {[@expl:take 'self' type invariant] inv'3 self} + any + [ return' (result:t_Option'0)-> {inv'2 result} + {[%#soption0] result = self.current /\ self.final = C_None'0} + (! return' {result}) ] + + + predicate resolve'4 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_Option'0)) = + [%#sresolve6] self.final = self.current + + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_Option'0)) = + resolve'4 _1 + + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_P'0) + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec extern_spec_std_option_T_Option_T_take_if_body'0 (self_:borrowed (t_Option'0)) (predicate':t_P'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_take_if_body 'self_' type invariant] [%#soption0] inv'3 self_} + {[@expl:extern_spec_std_option_T_Option_T_take_if_body 'predicate' type invariant] [%#soption1] inv'4 predicate'} + {[@expl:extern_spec_std_option_T_Option_T_take_if_body requires] [%#soption2] match self_.current with + | C_None'0 -> true + | C_Some'0 t -> forall b : borrowed t_T'0 . inv'1 b /\ b.current = t -> precondition'0 predicate' (b) + end} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = any [ br0 -> {self_.current = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_.current = C_Some'0 x0} (! bb5) ] + | bb5 = s0 + [ s0 = v_Some'0 {self_.current} + (fun (r0'0:t_T'0) -> + {inv'0 r0'0} + Borrow.borrow_mut {r0'0} + (fun (_ret':borrowed t_T'0) -> + [ &t <- _ret' ] + -{inv'0 _ret'.final}- + [ &self_ <- { self_ with current = C_Some'0 _ret'.final } ] + s1)) + | s1 = {inv'0 t.current} + Borrow.borrow_final {t.current} {Borrow.get_id t} + (fun (_ret':borrowed t_T'0) -> + [ &_10 <- _ret' ] + -{inv'0 _ret'.final}- + [ &t <- { t with current = _ret'.final } ] + s2) + | s2 = [ &_9 <- (_10) ] s3 + | s3 = call_once'0 {predicate'} {_9} (fun (_ret':bool) -> [ &_7 <- _ret' ] s4) + | s4 = bb7 ] + + | bb7 = s0 + [ s0 = {[@expl:type invariant] inv'1 t} s1 + | s1 = -{resolve'0 t}- s2 + | s2 = any [ br0 -> {_7 = false} (! bb10) | br1 -> {_7} (! bb8) ] ] + + | bb8 = s0 + [ s0 = {inv'2 self_.current} + Borrow.borrow_final {self_.current} {Borrow.get_id self_} + (fun (_ret':borrowed (t_Option'0)) -> + [ &_11 <- _ret' ] + -{inv'2 _ret'.final}- + [ &self_ <- { self_ with current = _ret'.final } ] + s1) + | s1 = take'0 {_11} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s2) + | s2 = bb9 ] + + | bb9 = s0 [ s0 = {[@expl:type invariant] inv'3 self_} s1 | s1 = -{resolve'1 self_}- s2 | s2 = bb12 ] + | bb10 = s0 [ s0 = {[@expl:type invariant] inv'3 self_} s1 | s1 = -{resolve'1 self_}- s2 | s2 = bb11 ] + | bb11 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb12 ] + | bb12 = bb13 + | bb4 = s0 + [ s0 = {[@expl:type invariant] inv'4 predicate'} s1 + | s1 = -{resolve'2 predicate'}- s2 + | s2 = {[@expl:type invariant] inv'3 self_} s3 + | s3 = -{resolve'1 self_}- s4 + | s4 = bb6 ] + + | bb6 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb13 ] + | bb13 = bb14 + | bb14 = return' {_0} ] + ) + [ & _0 : t_Option'0 = any_l () + | & self_ : borrowed (t_Option'0) = self_ + | & predicate' : t_P'0 = predicate' + | & t : borrowed t_T'0 = any_l () + | & _7 : bool = any_l () + | & _9 : borrowed t_T'0 = any_l () + | & _10 : borrowed t_T'0 = any_l () + | & _11 : borrowed (t_Option'0) = any_l () ] + + [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_take_if_body result type invariant] [%#soption3] inv'2 result} + {[@expl:extern_spec_std_option_T_Option_T_take_if_body ensures] [%#soption4] match self_.current with + | C_None'0 -> result = C_None'0 /\ self_.final = C_None'0 + | C_Some'0 cur -> exists b : borrowed t_T'0, res : bool . inv'1 b + /\ cur = b.current + /\ postcondition_once'0 predicate' (b) res + /\ (if res then + self_.final = C_None'0 /\ result = C_Some'0 (b.final) + else + self_.final = C_Some'0 (b.final) /\ result = C_None'0 + ) + end} + (! return' {result}) ] + +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_Option'0) (o : t_Option'0) : bool + + = + [%#sord2] cmp_log'0 self o <> C_Greater'0 + + constant x : t_Option'0 + + constant y : t_Option'0 + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_Option'0) (o : t_Option'0) : bool + + = + [%#sord2] cmp_log'0 self o = C_Less'0 + + constant x : t_Option'0 + + constant y : t_Option'0 + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_Option'0) (o : t_Option'0) : bool + + = + [%#sord2] cmp_log'0 self o <> C_Less'0 + + constant x : t_Option'0 + + constant y : t_Option'0 + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_Option'0) (o : t_Option'0) : bool + + = + [%#sord2] cmp_log'0 self o = C_Greater'0 + + constant x : t_Option'0 + + constant y : t_Option'0 + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'1_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption2] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + constant x : t_Option'0 + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : t_Option'0) : () + + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) + -> ([%#sord16] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) + -> ([%#sord14] cmp_log'1 y x = C_Greater'0) + + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'1_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) + -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . [%#sord9] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption4] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + constant x : t_Option'0 + + constant y : t_Option'0 + + constant z : t_Option'0 + + constant o : t_Ordering'0 + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : t_Option'0) (y : t_Option'0) (z : t_Option'0) (o : t_Ordering'0) : () + + + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + constant x : t_Option'0 + + constant y : t_Option'0 + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + + axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + + = + [%#soption3] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end + + constant x : t_Option'0 + + constant y : t_Option'0 + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : t_Option'0) (y : t_Option'0) : () + + + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_T'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + + + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + + axiom eq_cmp'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + + axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + axiom refl'0_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 - use prelude.prelude.Borrow + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () - let rec v_Some'0 (input:t_Option'0) (ret (field_0:t_T'0))= any - [ good (field_0:t_T'0)-> {C_Some'0 field_0 = input} (! ret {field_0}) - | bad -> {forall field_0 : t_T'0 [C_Some'0 field_0 : t_Option'0] . C_Some'0 field_0 <> input} (! {false} any) ] - + axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - type t_P'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_P'0) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = - [%#sinvariant7] inv'0 self.current /\ inv'0 self.final + axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool - axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . inv'1 x = invariant'0 x + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - axiom inv_axiom'3 [@rewrite] : forall x : borrowed t_T'0 [inv'5 x] . inv'5 x = (let (x0) = x in inv'1 x0) + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool - predicate precondition'0 [#"../../../creusot-contracts/src/std/ops.rs" 77 4 77 45] (self : t_P'0) (args : borrowed t_T'0) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + + axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + = + [%#soption2] match (self, o) with + | (C_None'0, C_None'0) -> C_Equal'0 + | (C_None'0, C_Some'0 _) -> C_Less'0 + | (C_Some'0 _, C_None'0) -> C_Greater'0 + | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y + end - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : bool) + constant x : t_Option'0 - axiom inv_axiom'4 [@rewrite] : forall x : bool [inv'6 x] . inv'6 x = true + constant y : t_Option'0 - predicate postcondition_once'0 [#"../../../creusot-contracts/src/std/ops.rs" 85 4 85 73] (self : t_P'0) (args : borrowed t_T'0) (result : bool) - + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : t_Option'0) (y : t_Option'0) : () - let rec call_once'0 (self:t_P'0) (args:borrowed t_T'0) (return' (ret:bool))= {[@expl:call_once 'self' type invariant] inv'4 self} - {[@expl:call_once 'args' type invariant] inv'5 args} - {[@expl:call_once requires] [%#sops5] precondition'0 self args} - any - [ return' (result:bool)-> {inv'6 result} {[%#sops5] postcondition_once'0 self args result} (! return' {result}) ] - + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) +end +module M_creusot_contracts__stdqy35z1__option__qyi15354566128244900690__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 477 4 477 26] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 476 14 476 45 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 474 4 474 10 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 469 12 470 96 - predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = - [%#sresolve6] self.final = self.current + use seq.Seq - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = - resolve'3 _1 + type t_T'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + use seq.Seq - axiom inv_axiom'1 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'0 a_0 - end + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_Option'0)) = - [%#sinvariant7] inv'2 self.current /\ inv'2 self.final + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_Option'0)) + type t_IntoIter'0 = + { t_IntoIter__inner'0: t_Item'0 } - axiom inv_axiom'2 [@rewrite] : forall x : borrowed (t_Option'0) [inv'3 x] . inv'3 x = invariant'1 x + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 453 4 453 30] (self : t_IntoIter'0) : t_Option'0 - let rec take'0 (self:borrowed (t_Option'0)) (return' (ret:t_Option'0))= {[@expl:take 'self' type invariant] inv'3 self} - any - [ return' (result:t_Option'0)-> {inv'2 result} - {[%#soption0] result = self.current /\ self.final = C_None'0} - (! return' {result}) ] + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 467 4 467 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + = + [%#soption2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - predicate resolve'4 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_Option'0)) = - [%#sresolve6] self.final = self.current + constant self : t_IntoIter'0 - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_Option'0)) = - resolve'4 _1 + function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 477 4 477 26] (self : t_IntoIter'0) : () - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_P'0) + goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__option__qyi15354566128244900690__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 484 4 484 90] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 481 15 481 32 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 482 15 482 32 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 483 14 483 42 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 479 4 479 10 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 469 12 470 96 - use prelude.prelude.Intrinsic + type t_T'0 - meta "compute_max_steps" 1000000 + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - let rec extern_spec_std_option_T_Option_T_take_if_body'0 (self_:borrowed (t_Option'0)) (predicate':t_P'0) (return' (ret:t_Option'0))= {[@expl:extern_spec_std_option_T_Option_T_take_if_body 'self_' type invariant] [%#soption0] inv'3 self_} - {[@expl:extern_spec_std_option_T_Option_T_take_if_body 'predicate' type invariant] [%#soption1] inv'4 predicate'} - {[@expl:extern_spec_std_option_T_Option_T_take_if_body requires] [%#soption2] match self_.current with - | C_None'0 -> true - | C_Some'0 t -> forall b : borrowed t_T'0 . inv'1 b /\ b.current = t -> precondition'0 predicate' (b) - end} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = any [ br0 -> {self_.current = C_None'0 } (! bb4) | br1 (x0:t_T'0)-> {self_.current = C_Some'0 x0} (! bb5) ] - | bb5 = s0 - [ s0 = v_Some'0 {self_.current} - (fun (r0'0:t_T'0) -> - {inv'0 r0'0} - Borrow.borrow_mut {r0'0} - (fun (_ret':borrowed t_T'0) -> - [ &t <- _ret' ] - -{inv'0 _ret'.final}- - [ &self_ <- { self_ with current = C_Some'0 _ret'.final } ] - s1)) - | s1 = {inv'0 t.current} - Borrow.borrow_final {t.current} {Borrow.get_id t} - (fun (_ret':borrowed t_T'0) -> - [ &_10 <- _ret' ] - -{inv'0 _ret'.final}- - [ &t <- { t with current = _ret'.final } ] - s2) - | s2 = [ &_9 <- (_10) ] s3 - | s3 = call_once'0 {predicate'} {_9} (fun (_ret':bool) -> [ &_7 <- _ret' ] s4) - | s4 = bb7 ] - - | bb7 = s0 - [ s0 = {[@expl:type invariant] inv'1 t} s1 - | s1 = -{resolve'0 t}- s2 - | s2 = any [ br0 -> {_7 = false} (! bb10) | br1 -> {_7} (! bb8) ] ] - - | bb8 = s0 - [ s0 = {inv'2 self_.current} - Borrow.borrow_final {self_.current} {Borrow.get_id self_} - (fun (_ret':borrowed (t_Option'0)) -> - [ &_11 <- _ret' ] - -{inv'2 _ret'.final}- - [ &self_ <- { self_ with current = _ret'.final } ] - s1) - | s1 = take'0 {_11} (fun (_ret':t_Option'0) -> [ &_0 <- _ret' ] s2) - | s2 = bb9 ] - - | bb9 = s0 [ s0 = {[@expl:type invariant] inv'3 self_} s1 | s1 = -{resolve'1 self_}- s2 | s2 = bb12 ] - | bb10 = s0 [ s0 = {[@expl:type invariant] inv'3 self_} s1 | s1 = -{resolve'1 self_}- s2 | s2 = bb11 ] - | bb11 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb12 ] - | bb12 = bb13 - | bb4 = s0 - [ s0 = {[@expl:type invariant] inv'4 predicate'} s1 - | s1 = -{resolve'2 predicate'}- s2 - | s2 = {[@expl:type invariant] inv'3 self_} s3 - | s3 = -{resolve'1 self_}- s4 - | s4 = bb6 ] - - | bb6 = s0 [ s0 = [ &_0 <- C_None'0 ] s1 | s1 = bb13 ] - | bb13 = bb14 - | bb14 = return' {_0} ] - ) - [ & _0 : t_Option'0 = any_l () - | & self_ : borrowed (t_Option'0) = self_ - | & predicate' : t_P'0 = predicate' - | & t : borrowed t_T'0 = any_l () - | & _7 : bool = any_l () - | & _9 : borrowed t_T'0 = any_l () - | & _10 : borrowed t_T'0 = any_l () - | & _11 : borrowed (t_Option'0) = any_l () ] + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } + + type t_IntoIter'0 = + { t_IntoIter__inner'0: t_Item'0 } + + use seq.Seq + + use seq.Seq + + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 453 4 453 30] (self : t_IntoIter'0) : t_Option'0 + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 467 4 467 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) - [ return' (result:t_Option'0)-> {[@expl:extern_spec_std_option_T_Option_T_take_if_body result type invariant] [%#soption3] inv'2 result} - {[@expl:extern_spec_std_option_T_Option_T_take_if_body ensures] [%#soption4] match self_.current with - | C_None'0 -> result = C_None'0 /\ self_.final = C_None'0 - | C_Some'0 cur -> exists b : borrowed t_T'0, res : bool . inv'1 b - /\ cur = b.current - /\ postcondition_once'0 predicate' (b) res - /\ (if res then - self_.final = C_None'0 /\ result = C_Some'0 (b.final) - else - self_.final = C_Some'0 (b.final) /\ result = C_None'0 - ) - end} - (! return' {result}) ] + = + [%#soption4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + + use seq.Seq + + constant a : t_IntoIter'0 + + constant ab : Seq.seq t_T'0 + + constant b : t_IntoIter'0 + + constant bc : Seq.seq t_T'0 + + constant c : t_IntoIter'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 484 4 484 90] (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () + + goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) + -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__option__qyi15411423289202690388__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 530 4 530 26] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 529 14 529 45 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 527 4 527 10 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 522 12 523 96 + + use seq.Seq + + use prelude.prelude.Borrow type t_T'0 + use seq.Seq + type t_Option'0 = | C_None'0 | C_Some'0 t_T'0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + type t_Iter'0 = + { t_Iter__inner'0: t_Item'0 } + + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 506 4 506 34] (self : t_Iter'0) : t_Option'0 + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 520 4 520 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + = + [%#soption2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + constant self : t_Iter'0 - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 530 4 530 26] (self : t_Iter'0) : () - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__option__qyi15411423289202690388__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 537 4 537 90] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 534 15 534 32 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 535 15 535 32 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 536 14 536 42 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 532 4 532 10 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 522 12 523 96 - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.Borrow - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_T'0 - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } + + type t_Iter'0 = + { t_Iter__inner'0: t_Item'0 } + + use seq.Seq + + use seq.Seq + + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 506 4 506 34] (self : t_Iter'0) : t_Option'0 + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 520 4 520 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + = + [%#soption4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o + \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use seq.Seq - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + constant a : t_Iter'0 - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + constant ab : Seq.seq t_T'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + constant b : t_Iter'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + constant bc : Seq.seq t_T'0 - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + constant c : t_Iter'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 537 4 537 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) + -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__option__qyi6601631924869095363__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 586 4 586 26] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 585 14 585 45 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 583 4 583 10 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 578 12 579 96 - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + use seq.Seq - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Borrow - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + type t_T'0 - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use seq.Seq - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_T'0) - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } - axiom cmp_le_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + type t_IterMut'0 = + { t_IterMut__inner'0: t_Item'0 } - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 - - = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 562 4 562 38] (self : t_IterMut'0) : t_Option'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_Option'0) (o : t_Option'0) : bool + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 576 4 576 64] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (o : t_IterMut'0) = - [%#sord2] cmp_log'0 self o <> C_Greater'0 - - constant x : t_Option'0 + [%#soption2] visited = (Seq.empty : Seq.seq (borrowed t_T'0)) /\ self = o + \/ (exists e : borrowed t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - constant y : t_Option'0 + constant self : t_IterMut'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : t_Option'0) (y : t_Option'0) : () - + function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 586 4 586 26] (self : t_IterMut'0) : () - goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) + goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq (borrowed t_T'0)) self end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__option__qyi6601631924869095363__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 593 4 593 90] (* as std::iter::Iterator> *) + let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 590 15 590 32 + let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 591 15 591 32 + let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 592 14 592 42 + let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 588 4 588 10 + let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 578 12 579 96 + + use prelude.prelude.Borrow type t_T'0 type t_Option'0 = | C_None'0 - | C_Some'0 t_T'0 + | C_Some'0 (borrowed t_T'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_Item'0 = + { t_Item__opt'0: t_Option'0 } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + type t_IterMut'0 = + { t_IterMut__inner'0: t_Item'0 } + + use seq.Seq + + use seq.Seq + + function view'0 [#"../../../creusot-contracts/src/std/option.rs" 562 4 562 38] (self : t_IterMut'0) : t_Option'0 + + use seq.Seq + + predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 576 4 576 64] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (o : t_IterMut'0) + = + [%#soption4] visited = (Seq.empty : Seq.seq (borrowed t_T'0)) /\ self = o + \/ (exists e : borrowed t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + constant a : t_IterMut'0 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + constant ab : Seq.seq (borrowed t_T'0) - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + constant b : t_IterMut'0 + + constant bc : Seq.seq (borrowed t_T'0) + + constant c : t_IterMut'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 593 4 593 90] (a : t_IterMut'0) (ab : Seq.seq (borrowed t_T'0)) (b : t_IterMut'0) (bc : Seq.seq (borrowed t_T'0)) (c : t_IterMut'0) : () + + + goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) + -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__ptr__qyi17063894948818224584__is_null_logic [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (* <*const T as std::ptr::PointerExt> *) + let%span sptr0 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 + let%span sptr1 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 + + use prelude.prelude.Opaque + + use prelude.prelude.Int + + function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int + + constant self : opaque_ptr + + function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool + + goal vc_is_null_logic'0 : [%#sptr0] (addr_logic'0 self = 0) = (addr_logic'0 self = 0) +end +module M_creusot_contracts__stdqy35z1__ptr__qyi4877913266695965320__is_null_logic [#"../../../creusot-contracts/src/std/ptr.rs" 97 4 97 34] (* <*mut T as std::ptr::PointerExt> *) + let%span sptr0 = "../../../creusot-contracts/src/std/ptr.rs" 96 14 96 48 + let%span sptr1 = "../../../creusot-contracts/src/std/ptr.rs" 98 8 98 30 + + use prelude.prelude.Opaque + + use prelude.prelude.Int + + function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 90 4 90 30] (self : opaque_ptr) : int + + constant self : opaque_ptr + + function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 97 4 97 34] (self : opaque_ptr) : bool + + goal vc_is_null_logic'0 : [%#sptr0] (addr_logic'0 self = 0) = (addr_logic'0 self = 0) +end +module M_creusot_contracts__stdqy35z1__slice__qyi8256668011736225471__produces_refl [#"../../../creusot-contracts/src/std/slice.rs" 412 4 412 26] (* as std::iter::Iterator> *) + let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 411 14 411 45 + let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 409 4 409 10 + let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 405 12 405 66 + let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 + let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 + let%span smodel5 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span sindex6 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 + let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 + + use seq.Seq + + use prelude.prelude.Borrow + + type t_T'0 + + use seq.Seq - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Opaque - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + type t_Iter'0 = + { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use prelude.prelude.Slice - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 389 4 389 33] (self : t_Iter'0) : slice t_T'0 - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use seq.Seq - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.UIntSize - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + constant v_MAX'0 : usize = (18446744073709551615 : usize) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.UIntSize - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + use prelude.prelude.Int - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Slice - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - axiom cmp_lt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) + axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice7] Seq.length (view'2 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice8] view'2 self = Slice.id self) - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = + [%#smodel5] view'2 self - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [%#sindex6] Seq.get (view'2 self) ix - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_Option'0) (o : t_Option'0) : bool - - = - [%#sord2] cmp_log'0 self o = C_Less'0 + function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - constant x : t_Option'0 + axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice3] Seq.length (to_ref_seq'0 self) + = Seq.length (view'1 self)) + && ([%#sslice4] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) + -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) - constant y : t_Option'0 + use seq.Seq - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : t_Option'0) (y : t_Option'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 403 4 403 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + = + [%#sslice2] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + constant self : t_Iter'0 - type t_T'0 + function produces_refl'0 [#"../../../creusot-contracts/src/std/slice.rs" 412 4 412 26] (self : t_Iter'0) : () - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + goal vc_produces_refl'0 : [%#sslice0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__slice__qyi8256668011736225471__produces_trans [#"../../../creusot-contracts/src/std/slice.rs" 419 4 419 90] (* as std::iter::Iterator> *) + let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 416 15 416 32 + let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 417 15 417 32 + let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 418 14 418 42 + let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 414 4 414 10 + let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 405 12 405 66 + let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 + let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 + let%span smodel7 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span sindex8 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 + let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice10 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use prelude.prelude.Opaque - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + type t_Iter'0 = + { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + use prelude.prelude.Borrow - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_T'0 - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use seq.Seq - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Slice - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 389 4 389 33] (self : t_Iter'0) : slice t_T'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + use seq.Seq - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use seq.Seq - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + use seq.Seq - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use prelude.prelude.UIntSize - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + constant v_MAX'0 : usize = (18446744073709551615 : usize) - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.UIntSize - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.Int - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Slice - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - axiom cmp_ge_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice9] Seq.length (view'2 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice10] view'2 self = Slice.id self) - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = + [%#smodel7] view'2 self - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use seq.Seq - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + + = + [%#sindex8] Seq.get (view'2 self) ix - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice5] Seq.length (to_ref_seq'0 self) + = Seq.length (view'1 self)) + && ([%#sslice6] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) + -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 - - = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + use seq.Seq - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_Option'0) (o : t_Option'0) : bool + predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 403 4 403 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) = - [%#sord2] cmp_log'0 self o <> C_Less'0 + [%#sslice4] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - constant x : t_Option'0 + constant a : t_Iter'0 - constant y : t_Option'0 + constant ab : Seq.seq t_T'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : t_Option'0) (y : t_Option'0) : () - + constant b : t_Iter'0 - goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + constant bc : Seq.seq t_T'0 - type t_T'0 + constant c : t_Iter'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + function produces_trans'0 [#"../../../creusot-contracts/src/std/slice.rs" 419 4 419 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + goal vc_produces_trans'0 : ([%#sslice1] produces'0 b bc c) + -> ([%#sslice0] produces'0 a ab b) -> ([%#sslice2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__slice__qyi7128337469104663169__produces_refl [#"../../../creusot-contracts/src/std/slice.rs" 466 4 466 26] (* as std::iter::Iterator> *) + let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 465 14 465 45 + let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 463 4 463 10 + let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 459 12 459 66 + let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 427 14 427 50 + let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 87 14 87 41 + let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 88 14 88 84 + let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 + let%span smodel8 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sindex9 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + use seq.Seq - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Borrow - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_T'0 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.Opaque - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_IterMut'0 = + { t_IterMut__ptr'0: t_NonNull'0; t_IterMut__end_or_len'0: opaque_ptr; t_IterMut__qy95zmarker'0: () } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + use seq.Seq - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use prelude.prelude.UIntSize - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + constant v_MAX'0 : usize = (18446744073709551615 : usize) - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use prelude.prelude.UIntSize - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Int - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Slice - axiom cmp_gt_log'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.Slice - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + function view'1 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + axiom view'1_spec : forall self : slice t_T'0 . ([%#sslice6] Seq.length (view'1 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice7] view'1 self = Slice.id self) - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 428 4 428 33] (self : t_IterMut'0) : borrowed (slice t_T'0) + - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + axiom view'0_spec : forall self : t_IterMut'0 . [%#sslice3] Seq.length (view'1 (view'0 self).final) + = Seq.length (view'1 (view'0 self).current) - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use seq.Seq - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function view'2 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (slice t_T'0)) : Seq.seq t_T'0 + + = + [%#smodel8] view'1 self.current - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [%#sindex9] Seq.get (view'1 self) ix - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_Option'0) (o : t_Option'0) : bool + function to_mut_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 90 4 90 43] (self : borrowed (slice t_T'0)) : Seq.seq (borrowed t_T'0) - = - [%#sord2] cmp_log'0 self o = C_Greater'0 - constant x : t_Option'0 + axiom to_mut_seq'0_spec : forall self : borrowed (slice t_T'0) . ([%#sslice4] Seq.length (to_mut_seq'0 self) + = Seq.length (view'2 self)) + && ([%#sslice5] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq'0 self) + -> Seq.get (to_mut_seq'0 self) i + = Borrow.borrow_logic (index_logic'0 self.current i) (index_logic'0 self.final i) (Borrow.inherit_id (Borrow.get_id self) i)) - constant y : t_Option'0 + use seq.Seq - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : t_Option'0) (y : t_Option'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 457 4 457 65] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (tl : t_IterMut'0) + = + [%#sslice2] to_mut_seq'0 (view'0 self) = Seq.(++) visited (to_mut_seq'0 (view'0 tl)) - goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) + constant self : t_IterMut'0 + + function produces_refl'0 [#"../../../creusot-contracts/src/std/slice.rs" 466 4 466 26] (self : t_IterMut'0) : () + + goal vc_produces_refl'0 : [%#sslice0] produces'0 self (Seq.empty : Seq.seq (borrowed t_T'0)) self end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__stdqy35z1__slice__qyi7128337469104663169__produces_trans [#"../../../creusot-contracts/src/std/slice.rs" 473 4 473 90] (* as std::iter::Iterator> *) + let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 470 15 470 32 + let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 471 15 471 32 + let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 472 14 472 42 + let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 468 4 468 10 + let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 459 12 459 66 + let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 427 14 427 50 + let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 87 14 87 41 + let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 88 14 88 84 + let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 + let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 + let%span smodel10 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sindex11 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - type t_T'0 + use prelude.prelude.Opaque - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_IterMut'0 = + { t_IterMut__ptr'0: t_NonNull'0; t_IterMut__end_or_len'0: opaque_ptr; t_IterMut__qy95zmarker'0: () } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 - + use prelude.prelude.Borrow - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + type t_T'0 - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + use seq.Seq - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) + use prelude.prelude.UIntSize - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + constant v_MAX'0 : usize = (18446744073709551615 : usize) - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + use prelude.prelude.UIntSize - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + use prelude.prelude.Int - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + use prelude.prelude.Slice - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + use prelude.prelude.Slice - axiom refl'1_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + use seq.Seq - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + function view'1 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + axiom view'1_spec : forall self : slice t_T'0 . ([%#sslice8] Seq.length (view'1 self) + <= UIntSize.to_int (v_MAX'0 : usize)) + && ([%#sslice9] view'1 self = Slice.id self) - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 428 4 428 33] (self : t_IterMut'0) : borrowed (slice t_T'0) + - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + axiom view'0_spec : forall self : t_IterMut'0 . [%#sslice5] Seq.length (view'1 (view'0 self).final) + = Seq.length (view'1 (view'0 self).current) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + function view'2 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (slice t_T'0)) : Seq.seq t_T'0 + + = + [%#smodel10] view'1 self.current - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + use seq.Seq - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + + = + [%#sindex11] Seq.get (view'1 self) ix - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function to_mut_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 90 4 90 43] (self : borrowed (slice t_T'0)) : Seq.seq (borrowed t_T'0) + - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + axiom to_mut_seq'0_spec : forall self : borrowed (slice t_T'0) . ([%#sslice6] Seq.length (to_mut_seq'0 self) + = Seq.length (view'2 self)) + && ([%#sslice7] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq'0 self) + -> Seq.get (to_mut_seq'0 self) i + = Borrow.borrow_logic (index_logic'0 self.current i) (index_logic'0 self.final i) (Borrow.inherit_id (Borrow.get_id self) i)) - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 457 4 457 65] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (tl : t_IterMut'0) = - [%#soption2] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end - - constant x : t_Option'0 + [%#sslice4] to_mut_seq'0 (view'0 self) = Seq.(++) visited (to_mut_seq'0 (view'0 tl)) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : t_Option'0) : () + constant a : t_IterMut'0 - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + constant ab : Seq.seq (borrowed t_T'0) - type t_T'0 + constant b : t_IterMut'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + constant bc : Seq.seq (borrowed t_T'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + constant c : t_IterMut'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + function produces_trans'0 [#"../../../creusot-contracts/src/std/slice.rs" 473 4 473 90] (a : t_IterMut'0) (ab : Seq.seq (borrowed t_T'0)) (b : t_IterMut'0) (bc : Seq.seq (borrowed t_T'0)) (c : t_IterMut'0) : () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + goal vc_produces_trans'0 : ([%#sslice1] produces'0 b bc c) + -> ([%#sslice0] produces'0 a ab b) -> ([%#sslice2] produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__vec__qyi12862303518309667396__produces_refl [#"../../../creusot-contracts/src/std/vec.rs" 271 4 271 26] (* as std::iter::Iterator> *) + let%span svec0 = "../../../creusot-contracts/src/std/vec.rs" 270 14 270 45 + let%span svec1 = "../../../creusot-contracts/src/std/vec.rs" 268 4 268 10 + let%span svec2 = "../../../creusot-contracts/src/std/vec.rs" 264 12 264 41 - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) + use seq.Seq - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + type t_T'0 + + use seq.Seq + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + use prelude.prelude.UIntSize - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) - -> ([%#sord16] cmp_log'1 y x = C_Less'0) + type t_A'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_ManuallyDrop'0 = + { t_ManuallyDrop__value'0: t_A'0 } - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) - -> ([%#sord14] cmp_log'1 y x = C_Greater'0) + type t_IntoIter'0 = + { t_IntoIter__buf'0: t_NonNull'0; + t_IntoIter__phantom'0: (); + t_IntoIter__cap'0: usize; + t_IntoIter__alloc'0: t_ManuallyDrop'0; + t_IntoIter__ptr'0: t_NonNull'0; + t_IntoIter__end'0: opaque_ptr } - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + function view'0 [#"../../../creusot-contracts/src/std/vec.rs" 234 4 234 33] (self : t_IntoIter'0) : Seq.seq t_T'0 - axiom trans'1_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) - -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) + use seq.Seq - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/vec.rs" 262 4 262 57] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (rhs : t_IntoIter'0) + + = + [%#svec2] view'0 self = Seq.(++) visited (view'0 rhs) - axiom refl'0_spec : forall x : t_T'0 . [%#sord9] cmp_log'1 x x = C_Equal'0 + constant self : t_IntoIter'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + function produces_refl'0 [#"../../../creusot-contracts/src/std/vec.rs" 271 4 271 26] (self : t_IntoIter'0) : () - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + goal vc_produces_refl'0 : [%#svec0] produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__vec__qyi12862303518309667396__produces_trans [#"../../../creusot-contracts/src/std/vec.rs" 278 4 278 72] (* as std::iter::Iterator> *) + let%span svec0 = "../../../creusot-contracts/src/std/vec.rs" 275 15 275 32 + let%span svec1 = "../../../creusot-contracts/src/std/vec.rs" 276 15 276 32 + let%span svec2 = "../../../creusot-contracts/src/std/vec.rs" 277 14 277 42 + let%span svec3 = "../../../creusot-contracts/src/std/vec.rs" 273 4 273 10 + let%span svec4 = "../../../creusot-contracts/src/std/vec.rs" 264 12 264 41 - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.Opaque - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.UIntSize - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + type t_A'0 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + type t_ManuallyDrop'0 = + { t_ManuallyDrop__value'0: t_A'0 } - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + type t_IntoIter'0 = + { t_IntoIter__buf'0: t_NonNull'0; + t_IntoIter__phantom'0: (); + t_IntoIter__cap'0: usize; + t_IntoIter__alloc'0: t_ManuallyDrop'0; + t_IntoIter__ptr'0: t_NonNull'0; + t_IntoIter__end'0: opaque_ptr } - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + type t_T'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + use seq.Seq - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + function view'0 [#"../../../creusot-contracts/src/std/vec.rs" 234 4 234 33] (self : t_IntoIter'0) : Seq.seq t_T'0 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/vec.rs" 262 4 262 57] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (rhs : t_IntoIter'0) = - [%#soption4] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [%#svec4] view'0 self = Seq.(++) visited (view'0 rhs) - constant x : t_Option'0 + constant a : t_IntoIter'0 - constant y : t_Option'0 + constant ab : Seq.seq t_T'0 - constant z : t_Option'0 + constant b : t_IntoIter'0 - constant o : t_Ordering'0 + constant bc : Seq.seq t_T'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : t_Option'0) (y : t_Option'0) (z : t_Option'0) (o : t_Ordering'0) : () + constant c : t_IntoIter'0 + + function produces_trans'0 [#"../../../creusot-contracts/src/std/vec.rs" 278 4 278 72] (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) + goal vc_produces_trans'0 : ([%#svec1] produces'0 b bc c) + -> ([%#svec0] produces'0 a ab b) -> ([%#svec2] produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - type t_T'0 + use prelude.prelude.Real - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use prelude.prelude.Real type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + use prelude.prelude.Real + + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + = + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + constant x : Real.real - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + constant y : Real.real - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : Real.real) (y : Real.real) : () + - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + goal vc_cmp_le_log'0 : [%#sord0] Real.(<=) x y = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Real - axiom antisym1'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use prelude.prelude.Real - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + = + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + constant x : Real.real - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + constant y : Real.real - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : Real.real) (y : Real.real) : () + - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + goal vc_cmp_lt_log'0 : [%#sord0] Real.(<) x y = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Real - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.Real - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Real - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + + = + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + constant x : Real.real - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + constant y : Real.real - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : Real.real) (y : Real.real) : () + - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + goal vc_cmp_ge_log'0 : [%#sord0] Real.(>=) x y = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + use prelude.prelude.Real - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use prelude.prelude.Real - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + use prelude.prelude.Real + + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : t_Option'0 + constant x : Real.real - constant y : t_Option'0 + constant y : Real.real - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : t_Option'0) (y : t_Option'0) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : Real.real) (y : Real.real) : () - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) + goal vc_cmp_gt_log'0 : [%#sord0] Real.(>) x y = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - - type t_T'0 - - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 +module M_creusot_contracts__num_rational__qyi7156484438548626841__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + + use prelude.prelude.Real type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + use prelude.prelude.Real + + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + = + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + constant x : Real.real - axiom eq_cmp'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : Real.real) : () - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span snum_rational4 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - axiom antisym2'1_spec : forall x : t_T'0, y : t_T'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.Real - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use prelude.prelude.Real - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + = + [%#snum_rational4] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + constant x : Real.real - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + constant y : Real.real - axiom refl'0_spec : forall x : t_T'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + constant z : Real.real - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + constant o : t_Ordering'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : Real.real) (y : Real.real) (z : Real.real) (o : t_Ordering'0) : () + - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span snum_rational3 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + use prelude.prelude.Real - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + use prelude.prelude.Real - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + + = + [%#snum_rational3] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + constant x : Real.real - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + constant y : Real.real - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : Real.real) (y : Real.real) : () - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__num_rational__qyi7156484438548626841__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span snum_rational3 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use prelude.prelude.Real - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + use prelude.prelude.Real + + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 = - [%#soption3] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end + [%#snum_rational3] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : t_Option'0 + constant x : Real.real - constant y : t_Option'0 + constant y : Real.real - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : t_Option'0) (y : t_Option'0) : () - + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : Real.real) (y : Real.real) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__stdqy35z1__option__qyi10751279649878241649__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* as logic::ord::OrdLogic> *) +module M_creusot_contracts__num_rational__qyi7156484438548626841__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 437 8 442 9 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - - type t_T'0 + let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use prelude.prelude.Real type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_T'0) (other : t_T'0) : t_Ordering'0 + use prelude.prelude.Real + + function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + = + [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_T'0) (y : t_T'0) : () + constant x : Real.real - axiom eq_cmp'1_spec : forall x : t_T'0, y : t_T'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + constant y : Real.real - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_T'0) (y : t_T'0) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : Real.real) (y : Real.real) : () - axiom antisym2'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) +end +module M_creusot_contracts__ghost__qyi17645547594388049322__clone [#"../../../creusot-contracts/src/ghost.rs" 50 4 50 27] (* as std::clone::Clone> *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 50 14 50 18 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 50 23 50 27 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 49 14 49 29 + let%span sclone3 = "../../../creusot-contracts/src/std/clone.rs" 7 0 20 1 + let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_T'0) (y : t_T'0) : () + type t_T'0 - axiom antisym1'0_spec : forall x : t_T'0, y : t_T'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_T'0) (y : t_T'0) (z : t_T'0) (o : t_Ordering'0) : () - + use prelude.prelude.Borrow - axiom trans'0_spec : forall x : t_T'0, y : t_T'0, z : t_T'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_T'0) : () + predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed5] inv'4 self - axiom refl'0_spec : forall x : t_T'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_T'0) (o : t_T'0) : bool + axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = invariant'2 x - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_T'0) (y : t_T'0) : () + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = + [%#sinvariant4] inv'3 self - axiom cmp_gt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_T'0) (o : t_T'0) : bool + axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'1 x - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_T'0) (y : t_T'0) : () + let rec clone'1 (self:t_T'0) (return' (ret:t_T'0))= {[@expl:clone 'self' type invariant] inv'2 self} + any [ return' (result:t_T'0)-> {inv'3 result} {[%#sclone3] result = self} (! return' {result}) ] - axiom cmp_ge_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + use prelude.prelude.Intrinsic - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_T'0) (o : t_T'0) : bool + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_T'0) (y : t_T'0) : () + axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'3 a_0 + end - axiom cmp_lt_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'0) = + [%#sinvariant4] inv'1 self - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_T'0) (o : t_T'0) : bool + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_T'0) (y : t_T'0) : () + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x = invariant'0 x - axiom cmp_le_log'0_spec : forall x : t_T'0, y : t_T'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + meta "compute_max_steps" 1000000 - function cmp_log'0 [#"../../../creusot-contracts/src/std/option.rs" 436 4 436 41] (self : t_Option'0) (o : t_Option'0) : t_Ordering'0 + let rec clone'0 (self:t_GhostBox'0) (return' (ret:t_GhostBox'0))= {[@expl:clone 'self' type invariant] [%#sghost0] inv'0 self} + (! bb0 + [ bb0 = s0 [ s0 = clone'1 {self.t_GhostBox__0'0} (fun (_ret':t_T'0) -> [ &_3 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'0 = _3 } ] s1 | s1 = bb2 ] + | bb2 = return' {_0} ] + ) [ & _0 : t_GhostBox'0 = any_l () | & self : t_GhostBox'0 = self | & _3 : t_T'0 = any_l () ] + [ return' (result:t_GhostBox'0)-> {[@expl:clone result type invariant] [%#sghost1] inv'1 result} + {[@expl:clone ensures] [%#sghost2] result = self} + (! return' {result}) ] - = - [%#soption2] match (self, o) with - | (C_None'0, C_None'0) -> C_Equal'0 - | (C_None'0, C_Some'0 _) -> C_Less'0 - | (C_Some'0 _, C_None'0) -> C_Greater'0 - | (C_Some'0 x, C_Some'0 y) -> cmp_log'1 x y - end +end +module M_creusot_contracts__ghost__qyi1862168959261460300__deref [#"../../../creusot-contracts/src/ghost.rs" 69 4 69 36] (* as std::ops::Deref> *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 69 14 69 18 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 69 23 69 36 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 68 14 68 35 + let%span sinvariant3 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + let%span sboxed4 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + + type t_T'0 + + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } + + use prelude.prelude.Borrow + + use prelude.prelude.Intrinsic + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed4] inv'3 self + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + + axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = invariant'2 x + + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'2 x] . inv'2 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 + end + + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'0) = + [%#sinvariant3] inv'2 self + + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - constant x : t_Option'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x = invariant'0 x - constant y : t_Option'0 + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = + [%#sinvariant3] inv'3 self - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : t_Option'0) (y : t_Option'0) : () + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'1 x] . inv'1 x = invariant'1 x + + meta "compute_max_steps" 1000000 + + let rec deref'0 (self:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:deref 'self' type invariant] [%#sghost0] inv'0 self} + (! bb0 + [ bb0 = s0 + [ s0 = [ &_5 <- self.t_GhostBox__0'0 ] s1 + | s1 = [ &_4 <- _5 ] s2 + | s2 = [ &_2 <- _4 ] s3 + | s3 = [ &_0 <- _2 ] s4 + | s4 = return' {_0} ] + ] + ) + [ & _0 : t_T'0 = any_l () + | & self : t_GhostBox'0 = self + | & _2 : t_T'0 = any_l () + | & _4 : t_T'0 = any_l () + | & _5 : t_T'0 = any_l () ] + + [ return' (result:t_T'0)-> {[@expl:deref result type invariant] [%#sghost1] inv'1 result} + {[@expl:deref ensures] [%#sghost2] self.t_GhostBox__0'0 = result} + (! return' {result}) ] + end -module M_creusot_contracts__stdqy35z1__option__qyi15354566128244900690__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 477 4 477 26] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 476 14 476 45 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 474 4 474 10 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 469 12 470 96 +module M_creusot_contracts__ghost__qyi17214052996668775070__deref_mut [#"../../../creusot-contracts/src/ghost.rs" 85 4 85 48] (* as std::ops::DerefMut> *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 85 22 85 26 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 85 31 85 48 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 84 14 84 36 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 + let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - use seq.Seq + use prelude.prelude.Borrow type t_T'0 - use seq.Seq + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = + [%#sinvariant4] inv'0 self.current /\ inv'0 self.final - type t_IntoIter'0 = - { t_IntoIter__inner'0: t_Item'0 } + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 453 4 453 30] (self : t_IntoIter'0) : t_Option'0 + axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . inv'1 x = invariant'0 x - use seq.Seq + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = + [%#sresolve3] self.final = self.current - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 467 4 467 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) - - = - [%#soption2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = + resolve'2 _1 - constant self : t_IntoIter'0 + predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed5] inv'0 self - function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 477 4 477 26] (self : t_IntoIter'0) : () + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__option__qyi15354566128244900690__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 484 4 484 90] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 481 15 481 32 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 482 15 482 32 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 483 14 483 42 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 479 4 479 10 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 469 12 470 96 + axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = invariant'2 x - type t_T'0 + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . inv'3 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 + end - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_GhostBox'0)) = + [%#sinvariant4] inv'3 self.current /\ inv'3 self.final - type t_IntoIter'0 = - { t_IntoIter__inner'0: t_Item'0 } + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_GhostBox'0)) - use seq.Seq + axiom inv_axiom'1 [@rewrite] : forall x : borrowed (t_GhostBox'0) [inv'2 x] . inv'2 x = invariant'1 x - use seq.Seq + predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_GhostBox'0)) = + [%#sresolve3] self.final = self.current - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 453 4 453 30] (self : t_IntoIter'0) : t_Option'0 + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_GhostBox'0)) = + resolve'3 _1 - use seq.Seq + use prelude.prelude.Intrinsic - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 467 4 467 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + meta "compute_max_steps" 1000000 + + let rec deref_mut'0 (self:borrowed (t_GhostBox'0)) (return' (ret:borrowed t_T'0))= {[@expl:deref_mut 'self' type invariant] [%#sghost0] inv'2 self} + (! bb0 + [ bb0 = s0 + [ s0 = {inv'0 (self.current).t_GhostBox__0'0} + Borrow.borrow_final {(self.current).t_GhostBox__0'0} {Borrow.inherit_id (Borrow.get_id self) 1} + (fun (_ret':borrowed t_T'0) -> + [ &_5 <- _ret' ] + -{inv'0 _ret'.final}- + [ &self <- { self with current = { t_GhostBox__0'0 = _ret'.final } } ] + s1) + | s1 = {inv'0 _5.current} + Borrow.borrow_final {_5.current} {Borrow.get_id _5} + (fun (_ret':borrowed t_T'0) -> + [ &_4 <- _ret' ] + -{inv'0 _ret'.final}- + [ &_5 <- { _5 with current = _ret'.final } ] + s2) + | s2 = {inv'0 _4.current} + Borrow.borrow_final {_4.current} {Borrow.get_id _4} + (fun (_ret':borrowed t_T'0) -> + [ &_2 <- _ret' ] + -{inv'0 _ret'.final}- + [ &_4 <- { _4 with current = _ret'.final } ] + s3) + | s3 = {inv'0 _2.current} + Borrow.borrow_final {_2.current} {Borrow.get_id _2} + (fun (_ret':borrowed t_T'0) -> + [ &_0 <- _ret' ] + -{inv'0 _ret'.final}- + [ &_2 <- { _2 with current = _ret'.final } ] + s4) + | s4 = {[@expl:type invariant] inv'1 _5} s5 + | s5 = -{resolve'0 _5}- s6 + | s6 = {[@expl:type invariant] inv'1 _4} s7 + | s7 = -{resolve'0 _4}- s8 + | s8 = {[@expl:type invariant] inv'1 _2} s9 + | s9 = -{resolve'0 _2}- s10 + | s10 = {[@expl:type invariant] inv'2 self} s11 + | s11 = -{resolve'1 self}- s12 + | s12 = return' {_0} ] + ] + ) + [ & _0 : borrowed t_T'0 = any_l () + | & self : borrowed (t_GhostBox'0) = self + | & _2 : borrowed t_T'0 = any_l () + | & _4 : borrowed t_T'0 = any_l () + | & _5 : borrowed t_T'0 = any_l () ] - = - [%#soption4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + [ return' (result:borrowed t_T'0)-> {[@expl:deref_mut result type invariant] [%#sghost1] inv'1 result} + {[@expl:deref_mut ensures] [%#sghost2] result + = Borrow.borrow_logic (self.current).t_GhostBox__0'0 (self.final).t_GhostBox__0'0 (Borrow.inherit_id (Borrow.get_id self) 1)} + (! return' {result}) ] + +end +module M_creusot_contracts__ghost__qyi2175792468772189056__borrow [#"../../../creusot-contracts/src/ghost.rs" 124 4 124 40] (* ghost::GhostBox *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 124 19 124 23 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 124 28 124 40 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 123 14 123 35 + let%span sinvariant3 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + let%span sboxed4 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - use seq.Seq + type t_T'0 - constant a : t_IntoIter'0 + type t_GhostBox'1 = + { t_GhostBox__0'0: t_T'0 } - constant ab : Seq.seq t_T'0 + use prelude.prelude.Borrow - constant b : t_IntoIter'0 + type t_GhostBox'0 = + { t_GhostBox__0'1: t_T'0 } - constant bc : Seq.seq t_T'0 + use prelude.prelude.Intrinsic - constant c : t_IntoIter'0 + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 484 4 484 90] (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () - + predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed4] inv'6 self - goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) - -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__option__qyi15411423289202690388__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 530 4 530 26] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 529 14 529 45 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 527 4 527 10 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 522 12 523 96 + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + axiom inv_axiom'4 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = invariant'2 x - use prelude.prelude.Borrow + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) - type t_T'0 + axiom inv_axiom'3 [@rewrite] : forall x : t_GhostBox'1 [inv'3 x] . inv'3 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 + end - use seq.Seq + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'1) = + [%#sinvariant3] inv'3 self - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'1 [inv'0 x] . inv'0 x = invariant'0 x - type t_Iter'0 = - { t_Iter__inner'0: t_Item'0 } + predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = + [%#sinvariant3] inv'6 self - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 506 4 506 34] (self : t_Iter'0) : t_Option'0 + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + axiom inv_axiom'5 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'3 x - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 520 4 520 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) - - = - [%#soption2] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed4] inv'5 self - constant self : t_Iter'0 + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 530 4 530 26] (self : t_Iter'0) : () + axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'1 x - goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq t_T'0) self + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x + = match x with + | {t_GhostBox__0'1 = a_0} -> inv'2 a_0 + end + + meta "compute_max_steps" 1000000 + + let rec borrow'0 (self:t_GhostBox'1) (return' (ret:t_GhostBox'0))= {[@expl:borrow 'self' type invariant] [%#sghost0] inv'0 self} + (! bb0 + [ bb0 = s0 [ s0 = [ &_5 <- self.t_GhostBox__0'0 ] s1 | s1 = bb1 ] + | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'1 = _5 } ] s1 | s1 = bb2 ] + | bb2 = return' {_0} ] + ) [ & _0 : t_GhostBox'0 = any_l () | & self : t_GhostBox'1 = self | & _5 : t_T'0 = any_l () ] + [ return' (result:t_GhostBox'0)-> {[@expl:borrow result type invariant] [%#sghost1] inv'1 result} + {[@expl:borrow ensures] [%#sghost2] result.t_GhostBox__0'1 = self.t_GhostBox__0'0} + (! return' {result}) ] + end -module M_creusot_contracts__stdqy35z1__option__qyi15411423289202690388__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 537 4 537 90] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 534 15 534 32 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 535 15 535 32 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 536 14 536 42 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 532 4 532 10 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 522 12 523 96 +module M_creusot_contracts__ghost__qyi2175792468772189056__borrow_mut [#"../../../creusot-contracts/src/ghost.rs" 138 4 138 52] (* ghost::GhostBox *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 138 27 138 31 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 138 36 138 52 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 137 14 137 39 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 + let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow type t_T'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + type t_GhostBox'1 = + { t_GhostBox__0'0: t_T'0 } - type t_Iter'0 = - { t_Iter__inner'0: t_Item'0 } + type t_GhostBox'0 = + { t_GhostBox__0'1: borrowed t_T'0 } - use seq.Seq + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = + [%#sinvariant4] inv'0 self.current /\ inv'0 self.final - use seq.Seq + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 506 4 506 34] (self : t_Iter'0) : t_Option'0 + axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . inv'1 x = invariant'0 x - use seq.Seq + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = + [%#sresolve3] self.final = self.current - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 520 4 520 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) - - = - [%#soption4] visited = (Seq.empty : Seq.seq t_T'0) /\ self = o - \/ (exists e : t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = + resolve'2 _1 - use seq.Seq + predicate invariant'3 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed5] inv'0 self - constant a : t_Iter'0 + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - constant ab : Seq.seq t_T'0 + axiom inv_axiom'5 [@rewrite] : forall x : t_T'0 [inv'6 x] . inv'6 x = invariant'3 x - constant b : t_Iter'0 + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) - constant bc : Seq.seq t_T'0 + axiom inv_axiom'4 [@rewrite] : forall x : t_GhostBox'1 [inv'5 x] . inv'5 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'6 a_0 + end - constant c : t_Iter'0 + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_GhostBox'1)) = + [%#sinvariant4] inv'5 self.current /\ inv'5 self.final - function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 537 4 537 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () - + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_GhostBox'1)) - goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) - -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__option__qyi6601631924869095363__produces_refl [#"../../../creusot-contracts/src/std/option.rs" 586 4 586 26] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 585 14 585 45 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 583 4 583 10 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 578 12 579 96 + axiom inv_axiom'1 [@rewrite] : forall x : borrowed (t_GhostBox'1) [inv'2 x] . inv'2 x = invariant'1 x - use seq.Seq + predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_GhostBox'1)) = + [%#sresolve3] self.final = self.current - use prelude.prelude.Borrow + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_GhostBox'1)) = + resolve'3 _1 - type t_T'0 + use prelude.prelude.Intrinsic - use seq.Seq + predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : borrowed t_T'0) = + [%#sboxed5] inv'1 self - type t_Option'0 = - | C_None'0 - | C_Some'0 (borrowed t_T'0) + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } + axiom inv_axiom'3 [@rewrite] : forall x : borrowed t_T'0 [inv'4 x] . inv'4 x = invariant'2 x - type t_IterMut'0 = - { t_IterMut__inner'0: t_Item'0 } + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 562 4 562 38] (self : t_IterMut'0) : t_Option'0 + axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . inv'3 x + = match x with + | {t_GhostBox__0'1 = a_0} -> inv'4 a_0 + end - use seq.Seq + meta "compute_max_steps" 1000000 - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 576 4 576 64] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (o : t_IterMut'0) + let rec borrow_mut'0 (self:borrowed (t_GhostBox'1)) (return' (ret:t_GhostBox'0))= {[@expl:borrow_mut 'self' type invariant] [%#sghost0] inv'2 self} + (! bb0 + [ bb0 = s0 + [ s0 = {inv'0 (self.current).t_GhostBox__0'0} + Borrow.borrow_final {(self.current).t_GhostBox__0'0} {Borrow.inherit_id (Borrow.get_id self) 1} + (fun (_ret':borrowed t_T'0) -> + [ &_5 <- _ret' ] + -{inv'0 _ret'.final}- + [ &self <- { self with current = { t_GhostBox__0'0 = _ret'.final } } ] + s1) + | s1 = {inv'0 _5.current} + Borrow.borrow_final {_5.current} {Borrow.get_id _5} + (fun (_ret':borrowed t_T'0) -> + [ &_4 <- _ret' ] + -{inv'0 _ret'.final}- + [ &_5 <- { _5 with current = _ret'.final } ] + s2) + | s2 = bb1 ] + + | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'1 = _4 } ] s1 | s1 = bb2 ] + | bb2 = s0 + [ s0 = {[@expl:type invariant] inv'1 _5} s1 + | s1 = -{resolve'0 _5}- s2 + | s2 = {[@expl:type invariant] inv'2 self} s3 + | s3 = -{resolve'1 self}- s4 + | s4 = return' {_0} ] + ] + ) + [ & _0 : t_GhostBox'0 = any_l () + | & self : borrowed (t_GhostBox'1) = self + | & _4 : borrowed t_T'0 = any_l () + | & _5 : borrowed t_T'0 = any_l () ] + + [ return' (result:t_GhostBox'0)-> {[@expl:borrow_mut result type invariant] [%#sghost1] inv'3 result} + {[@expl:borrow_mut ensures] [%#sghost2] result.t_GhostBox__0'1 + = Borrow.borrow_logic (self.current).t_GhostBox__0'0 (self.final).t_GhostBox__0'0 (Borrow.inherit_id (Borrow.get_id self) 1)} + (! return' {result}) ] - = - [%#soption2] visited = (Seq.empty : Seq.seq (borrowed t_T'0)) /\ self = o - \/ (exists e : borrowed t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) - - constant self : t_IterMut'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/option.rs" 586 4 586 26] (self : t_IterMut'0) : () - - goal vc_produces_refl'0 : [%#soption0] produces'0 self (Seq.empty : Seq.seq (borrowed t_T'0)) self end -module M_creusot_contracts__stdqy35z1__option__qyi6601631924869095363__produces_trans [#"../../../creusot-contracts/src/std/option.rs" 593 4 593 90] (* as std::iter::Iterator> *) - let%span soption0 = "../../../creusot-contracts/src/std/option.rs" 590 15 590 32 - let%span soption1 = "../../../creusot-contracts/src/std/option.rs" 591 15 591 32 - let%span soption2 = "../../../creusot-contracts/src/std/option.rs" 592 14 592 42 - let%span soption3 = "../../../creusot-contracts/src/std/option.rs" 588 4 588 10 - let%span soption4 = "../../../creusot-contracts/src/std/option.rs" 578 12 579 96 - - use prelude.prelude.Borrow +module M_creusot_contracts__ghost__qyi2175792468772189056__conjure [#"../../../creusot-contracts/src/ghost.rs" 155 4 155 28] (* ghost::GhostBox *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 154 15 154 20 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 155 24 155 28 + let%span sboxed2 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 type t_T'0 - type t_Option'0 = - | C_None'0 - | C_Some'0 (borrowed t_T'0) - - type t_Item'0 = - { t_Item__opt'0: t_Option'0 } - - type t_IterMut'0 = - { t_IterMut__inner'0: t_Item'0 } + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - use seq.Seq + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed2] inv'2 self - function view'0 [#"../../../creusot-contracts/src/std/option.rs" 562 4 562 38] (self : t_IterMut'0) : t_Option'0 + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'1 x] . inv'1 x = invariant'0 x - predicate produces'0 [#"../../../creusot-contracts/src/std/option.rs" 576 4 576 64] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (o : t_IterMut'0) - - = - [%#soption4] visited = (Seq.empty : Seq.seq (borrowed t_T'0)) /\ self = o - \/ (exists e : borrowed t_T'0 . view'0 self = C_Some'0 e /\ visited = Seq.singleton e /\ view'0 o = C_None'0) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - use seq.Seq + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'1 a_0 + end - constant a : t_IterMut'0 + meta "compute_max_steps" 1000000 - constant ab : Seq.seq (borrowed t_T'0) + let rec conjure'0 (_1:()) (return' (ret:t_GhostBox'0))= {[@expl:conjure requires] [%#sghost0] false} + (! bb0 [ bb0 = bb1 | bb1 = bb1 [ bb1 = (! bb2) [ bb2 = bb1 ] ] ] ) + [ return' (result:t_GhostBox'0)-> {[@expl:conjure result type invariant] [%#sghost1] inv'0 result} + (! return' {result}) ] + +end +module M_creusot_contracts__ghost__qyi2175792468772189056__new [#"../../../creusot-contracts/src/ghost.rs" 181 4 181 28] (* ghost::GhostBox *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 181 15 181 16 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 181 24 181 28 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 179 14 179 28 + let%span sboxed3 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - constant b : t_IterMut'0 + type t_T'0 - constant bc : Seq.seq (borrowed t_T'0) + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - constant c : t_IterMut'0 + use prelude.prelude.Intrinsic - function produces_trans'0 [#"../../../creusot-contracts/src/std/option.rs" 593 4 593 90] (a : t_IterMut'0) (ab : Seq.seq (borrowed t_T'0)) (b : t_IterMut'0) (bc : Seq.seq (borrowed t_T'0)) (c : t_IterMut'0) : () - + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - goal vc_produces_trans'0 : ([%#soption1] produces'0 b bc c) - -> ([%#soption0] produces'0 a ab b) -> ([%#soption2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__ptr__qyi17063894948818224584__is_null_logic [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (* <*const T as std::ptr::PointerExt> *) - let%span sptr0 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 - let%span sptr1 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 + predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed3] inv'0 self - use prelude.prelude.Opaque + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use prelude.prelude.Int + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'0 x - function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - constant self : opaque_ptr + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 + end - function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool + meta "compute_max_steps" 1000000 - goal vc_is_null_logic'0 : [%#sptr0] (addr_logic'0 self = 0) = (addr_logic'0 self = 0) + let rec new'0 (x:t_T'0) (return' (ret:t_GhostBox'0))= {[@expl:new 'x' type invariant] [%#sghost0] inv'0 x} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'0 = x } ] s1 | s1 = bb3 ] + | bb3 = bb4 + | bb4 = return' {_0} ] + ) [ & _0 : t_GhostBox'0 = any_l () | & x : t_T'0 = x ] + [ return' (result:t_GhostBox'0)-> {[@expl:new result type invariant] [%#sghost1] inv'1 result} + {[@expl:new ensures] [%#sghost2] result.t_GhostBox__0'0 = x} + (! return' {result}) ] + end -module M_creusot_contracts__stdqy35z1__ptr__qyi4877913266695965320__is_null_logic [#"../../../creusot-contracts/src/std/ptr.rs" 97 4 97 34] (* <*mut T as std::ptr::PointerExt> *) - let%span sptr0 = "../../../creusot-contracts/src/std/ptr.rs" 96 14 96 48 - let%span sptr1 = "../../../creusot-contracts/src/std/ptr.rs" 98 8 98 30 +module M_creusot_contracts__ghost__qyi2175792468772189056__into_inner [#"../../../creusot-contracts/src/ghost.rs" 199 4 199 32] (* ghost::GhostBox *) + let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 199 22 199 26 + let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 199 31 199 32 + let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 197 14 197 31 + let%span sboxed3 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - use prelude.prelude.Opaque + type t_T'0 - use prelude.prelude.Int + type t_GhostBox'0 = + { t_GhostBox__0'0: t_T'0 } - function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 90 4 90 30] (self : opaque_ptr) : int + use prelude.prelude.Intrinsic - constant self : opaque_ptr + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 97 4 97 34] (self : opaque_ptr) : bool + predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed3] inv'1 self - goal vc_is_null_logic'0 : [%#sptr0] (addr_logic'0 self = 0) = (addr_logic'0 self = 0) -end -module M_creusot_contracts__stdqy35z1__slice__qyi8256668011736225471__produces_refl [#"../../../creusot-contracts/src/std/slice.rs" 412 4 412 26] (* as std::iter::Iterator> *) - let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 411 14 411 45 - let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 409 4 409 10 - let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 405 12 405 66 - let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 - let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 - let%span smodel5 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 - let%span sindex6 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - use seq.Seq + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'0 x - use prelude.prelude.Borrow + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - type t_T'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 + end - use seq.Seq + meta "compute_max_steps" 1000000 - use prelude.prelude.Opaque + let rec into_inner'0 (self:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:into_inner 'self' type invariant] [%#sghost0] inv'0 self} + (! bb0 [ bb0 = bb1 | bb1 = s0 [ s0 = [ &_0 <- self.t_GhostBox__0'0 ] s1 | s1 = bb2 ] | bb2 = return' {_0} ] ) + [ & _0 : t_T'0 = any_l () | & self : t_GhostBox'0 = self ] + + [ return' (result:t_T'0)-> {[@expl:into_inner result type invariant] [%#sghost1] inv'1 result} + {[@expl:into_inner ensures] [%#sghost2] result = self.t_GhostBox__0'0} + (! return' {result}) ] + +end +module M_creusot_contracts__logic__fmap__qyi9892930999379617882__subtract [#"../../../creusot-contracts/src/logic/fmap.rs" 203 4 203 46] (* logic::fmap::FMap *) + let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 195 15 195 33 + let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 196 14 196 36 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 197 14 197 46 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 198 14 202 5 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 180 14 184 5 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 204 8 204 33 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 154 12 154 89 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 146 19 146 71 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 163 15 163 35 + let%span sfmap9 = "../../../creusot-contracts/src/logic/fmap.rs" 164 14 170 5 + let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 171 14 171 54 + let%span sfmap11 = "../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 + let%span sfmap12 = "../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 + let%span sfmap13 = "../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 + let%span sfmap14 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap15 = "../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 + let%span sfmap16 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sfmap17 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + type t_FMap'0 - type t_Iter'0 = - { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } + type t_K'0 - use prelude.prelude.Slice + type t_V'0 - function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 389 4 389 33] (self : t_Iter'0) : slice t_T'0 + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - use seq.Seq + use map.Map - use seq.Seq + function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'0) + - use seq.Seq + axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap17] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'0 m1 <> view'0 m2 - use prelude.prelude.UIntSize + use map.Map - constant v_MAX'0 : usize = (18446744073709551615 : usize) + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap14] Map.get (view'0 self) k - use prelude.prelude.UIntSize + function contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 131 4 131 39] (self : t_FMap'0) (k : t_K'0) : bool + + = + [%#sfmap15] get_unsized'0 self k <> C_None'0 - use prelude.prelude.Int + function subset'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 152 4 152 44] (self : t_FMap'0) (other : t_FMap'0) : bool + + = + [%#sfmap6] forall k : t_K'0 . contains'0 self k -> get_unsized'0 other k = get_unsized'0 self k - use prelude.prelude.Slice + function disjoint'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 145 4 145 46] (self : t_FMap'0) (other : t_FMap'0) : bool + + = + [%#sfmap7] forall k : t_K'0 . not contains'0 self k \/ not contains'0 other k - function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + use prelude.prelude.Int - axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice7] Seq.length (view'2 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice8] view'2 self = Slice.id self) + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = - [%#smodel5] view'2 self + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap16] len'0 self >= 0 - use seq.Seq + function union'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 172 4 172 43] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 + - use seq.Seq + axiom union'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap8] disjoint'0 self other) + -> ([%#sfmap9] forall k : t_K'0 . get_unsized'0 (union'0 self other) k + = (if contains'0 self k then + get_unsized'0 self k + else + if contains'0 other k then get_unsized'0 other k else C_None'0 + )) + && ([%#sfmap10] len'0 (union'0 self other) = len'0 self + len'0 other) - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + function ext_eq'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (self : t_FMap'0) (other : t_FMap'0) : bool = - [%#sindex6] Seq.get (view'2 self) ix - - function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - - axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice3] Seq.length (to_ref_seq'0 self) - = Seq.length (view'1 self)) - && ([%#sslice4] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) - -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) + [%#sfmap13] view'0 self = view'0 other - use seq.Seq + axiom ext_eq'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap11] ext_eq'0 self other -> self = other) + && ([%#sfmap12] (forall k : t_K'0 . get_unsized'0 self k = get_unsized'0 other k) -> ext_eq'0 self other) - predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 403 4 403 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + function subtract_keys'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 185 4 185 51] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 - = - [%#sslice2] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - constant self : t_Iter'0 + axiom subtract_keys'0_spec : forall self : t_FMap'0, other : t_FMap'0 . [%#sfmap4] forall k : t_K'0 . get_unsized'0 (subtract_keys'0 self other) k + = (if contains'0 other k then C_None'0 else get_unsized'0 self k) - function produces_refl'0 [#"../../../creusot-contracts/src/std/slice.rs" 412 4 412 26] (self : t_Iter'0) : () + constant self : t_FMap'0 - goal vc_produces_refl'0 : [%#sslice0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__slice__qyi8256668011736225471__produces_trans [#"../../../creusot-contracts/src/std/slice.rs" 419 4 419 90] (* as std::iter::Iterator> *) - let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 416 15 416 32 - let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 417 15 417 32 - let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 418 14 418 42 - let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 414 4 414 10 - let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 405 12 405 66 - let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 96 14 96 41 - let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 97 14 97 80 - let%span smodel7 = "../../../creusot-contracts/src/model.rs" 92 8 92 22 - let%span sindex8 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice10 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 + constant other : t_FMap'0 - use prelude.prelude.Opaque + function subtract'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 203 4 203 46] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 + - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + goal vc_subtract'0 : ([%#sfmap0] subset'0 other self) + -> ([%#sfmap4] forall k : t_K'0 . get_unsized'0 (subtract_keys'0 self other) k + = (if contains'0 other k then C_None'0 else get_unsized'0 self k)) + -> (let result = subtract_keys'0 self other in ([%#sfmap1] disjoint'0 result other) + && ([%#sfmap2] ext_eq'0 (union'0 other result) self) + && ([%#sfmap3] forall k : t_K'0 . get_unsized'0 result k + = (if contains'0 other k then C_None'0 else get_unsized'0 self k))) +end +module M_creusot_contracts__logic__fmap__qyi9892930999379617882__ext_eq [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (* logic::fmap::FMap *) + let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 + let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 - type t_Iter'0 = - { t_Iter__ptr'0: t_NonNull'0; t_Iter__end_or_len'0: opaque_ptr; t_Iter__qy95zmarker'0: () } + type t_K'0 - use prelude.prelude.Borrow + type t_FMap'0 - type t_T'0 + type t_V'0 - use seq.Seq + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - use prelude.prelude.Slice + use map.Map - function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 389 4 389 33] (self : t_Iter'0) : slice t_T'0 + function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'0) + - use seq.Seq + axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'0 m1 <> view'0 m2 - use seq.Seq + use map.Map - use seq.Seq + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + + = + [%#sfmap4] Map.get (view'0 self) k - use prelude.prelude.UIntSize + constant self : t_FMap'0 - constant v_MAX'0 : usize = (18446744073709551615 : usize) + constant other : t_FMap'0 - use prelude.prelude.UIntSize + function ext_eq'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (self : t_FMap'0) (other : t_FMap'0) : bool + - use prelude.prelude.Int + goal vc_ext_eq'0 : ([%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 -> view'0 m1 <> view'0 m2) + -> ([%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 -> view'0 m1 <> view'0 m2) + -> (let result = view'0 self = view'0 other in ([%#sfmap0] result -> self = other) + && ([%#sfmap1] (forall k : t_K'0 . get_unsized'0 self k = get_unsized'0 other k) -> result)) +end +module M_creusot_contracts__logic__fmap__qyi9892930999379617882__contains_ghost [#"../../../creusot-contracts/src/logic/fmap.rs" 285 4 285 49] (* logic::fmap::FMap *) + let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 285 27 285 31 + let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 285 33 285 36 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 284 14 284 43 + let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 314 22 314 26 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 314 28 314 31 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 314 40 314 50 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 306 4 313 11 + let%span soption7 = "../../../creusot-contracts/src/std/option.rs" 36 26 36 51 + let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 + let%span sfmap9 = "../../../creusot-contracts/src/logic/fmap.rs" 124 8 124 35 + let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sutil11 = "../../../creusot-contracts/src/util.rs" 55 11 55 21 + let%span sutil12 = "../../../creusot-contracts/src/util.rs" 56 10 56 28 + let%span sinvariant13 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 + let%span sfmap14 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + let%span sfmap15 = "../../../creusot-contracts/src/logic/fmap.rs" 452 20 452 91 + let%span sboxed16 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - use prelude.prelude.Slice + use prelude.prelude.Borrow - function view'2 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + type t_FMap'0 - axiom view'2_spec : forall self : slice t_T'0 . ([%#sslice9] Seq.length (view'2 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice10] view'2 self = Slice.id self) + type t_K'0 - function view'1 [#"../../../creusot-contracts/src/model.rs" 91 4 91 33] (self : slice t_T'0) : Seq.seq t_T'0 = - [%#smodel7] view'2 self + type t_V'0 - use seq.Seq + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 - use seq.Seq + use map.Map - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 + function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) - = - [%#sindex8] Seq.get (view'2 self) ix - - function to_ref_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 98 4 98 35] (self : slice t_T'0) : Seq.seq t_T'0 - axiom to_ref_seq'0_spec : forall self : slice t_T'0 . ([%#sslice5] Seq.length (to_ref_seq'0 self) - = Seq.length (view'1 self)) - && ([%#sslice6] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq'0 self) - -> Seq.get (to_ref_seq'0 self) i = index_logic'0 self i) + axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap14] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'0 m1 <> view'0 m2 - use seq.Seq + use map.Map - predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 403 4 403 65] (self : t_Iter'0) (visited : Seq.seq t_T'0) (tl : t_Iter'0) + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 = - [%#sslice4] to_ref_seq'0 (view'0 self) = Seq.(++) visited (to_ref_seq'0 (view'0 tl)) - - constant a : t_Iter'0 + [%#sfmap10] Map.get (view'0 self) k - constant ab : Seq.seq t_T'0 + function contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 131 4 131 39] (self : t_FMap'0) (k : t_K'0) : bool + + = + [%#sfmap8] get_unsized'0 self k <> C_None'1 - constant b : t_Iter'0 + predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_K'0) - constant bc : Seq.seq t_T'0 + function unwrap'0 [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] (op : t_Option'1) : t_V'0 - constant c : t_Iter'0 + axiom unwrap'0_spec : forall op : t_Option'1 . ([%#sutil11] op <> C_None'1) + -> ([%#sutil12] C_Some'1 (unwrap'0 op) = op) - function produces_trans'0 [#"../../../creusot-contracts/src/std/slice.rs" 419 4 419 90] (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + function lookup_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 123 4 123 50] (self : t_FMap'0) (k : t_K'0) : t_V'0 + = + [%#sfmap9] unwrap'0 (get_unsized'0 self k) - goal vc_produces_trans'0 : ([%#sslice1] produces'0 b bc c) - -> ([%#sslice0] produces'0 a ab b) -> ([%#sslice2] produces'0 a (Seq.(++) ab bc) c) -end -module M_creusot_contracts__stdqy35z1__slice__qyi7128337469104663169__produces_refl [#"../../../creusot-contracts/src/std/slice.rs" 466 4 466 26] (* as std::iter::Iterator> *) - let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 465 14 465 45 - let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 463 4 463 10 - let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 459 12 459 66 - let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 427 14 427 50 - let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 87 14 87 41 - let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 88 14 88 84 - let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - let%span smodel8 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 - let%span sindex9 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 + predicate inv'7 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) - use seq.Seq + predicate invariant'5 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_V'0) = + [%#sboxed16] inv'7 self - use prelude.prelude.Borrow + predicate inv'8 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) - type t_T'0 + axiom inv_axiom'6 [@rewrite] : forall x : t_V'0 [inv'8 x] . inv'8 x = invariant'5 x - use seq.Seq + predicate invariant'4 [#"../../../creusot-contracts/src/logic/fmap.rs" 451 4 451 30] (self : t_FMap'0) = + [%#sfmap15] forall k : t_K'0 . contains'0 self k -> inv'6 k /\ inv'8 (lookup_unsized'0 self k) - use prelude.prelude.Opaque + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_FMap'0) - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + axiom inv_axiom'5 [@rewrite] : forall x : t_FMap'0 [inv'5 x] . inv'5 x = invariant'4 x - type t_IterMut'0 = - { t_IterMut__ptr'0: t_NonNull'0; t_IterMut__end_or_len'0: opaque_ptr; t_IterMut__qy95zmarker'0: () } + predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_FMap'0) = + [%#sinvariant13] inv'5 self - use seq.Seq + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_FMap'0) - use prelude.prelude.UIntSize + axiom inv_axiom'0 [@rewrite] : forall x : t_FMap'0 [inv'0 x] . inv'0 x = invariant'0 x - constant v_MAX'0 : usize = (18446744073709551615 : usize) + predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_K'0) = + [%#sinvariant13] inv'6 self - use prelude.prelude.UIntSize + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_K'0) - use prelude.prelude.Int + axiom inv_axiom'1 [@rewrite] : forall x : t_K'0 [inv'1 x] . inv'1 x = invariant'1 x - use prelude.prelude.Slice + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - use prelude.prelude.Slice + predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_V'0) = + [%#sinvariant13] inv'7 self - use seq.Seq + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) - function view'1 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + axiom inv_axiom'4 [@rewrite] : forall x : t_V'0 [inv'4 x] . inv'4 x = invariant'3 x - axiom view'1_spec : forall self : slice t_T'0 . ([%#sslice6] Seq.length (view'1 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice7] view'1 self = Slice.id self) + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 428 4 428 33] (self : t_IterMut'0) : borrowed (slice t_T'0) + axiom inv_axiom'2 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x + = match x with + | C_None'0 -> true + | C_Some'0 a_0 -> inv'4 a_0 + end + + let rec get_ghost'0 (self:t_FMap'0) (key:t_K'0) (return' (ret:t_Option'0))= {[@expl:get_ghost 'self' type invariant] [%#sfmap3] inv'0 self} + {[@expl:get_ghost 'key' type invariant] [%#sfmap4] inv'1 key} + any + [ return' (result:t_Option'0)-> {[%#sfmap5] inv'2 result} + {[%#sfmap6] if contains'0 self key then + match result with + | C_None'0 -> false + | C_Some'0 r -> lookup_unsized'0 self key = r + end + else + result = C_None'0 + } + (! return' {result}) ] - axiom view'0_spec : forall self : t_IterMut'0 . [%#sslice3] Seq.length (view'1 (view'0 self).final) - = Seq.length (view'1 (view'0 self).current) + predicate invariant'2 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Option'0) = + [%#sinvariant13] inv'2 self - use seq.Seq + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) - function view'2 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (slice t_T'0)) : Seq.seq t_T'0 - - = - [%#smodel8] view'1 self.current + axiom inv_axiom'3 [@rewrite] : forall x : t_Option'0 [inv'3 x] . inv'3 x = invariant'2 x - use seq.Seq + let rec is_some'0 (self:t_Option'0) (return' (ret:bool))= {[@expl:is_some 'self' type invariant] inv'3 self} + any [ return' (result:bool)-> {[%#soption7] result = (self <> C_None'0)} (! return' {result}) ] - use seq.Seq + use prelude.prelude.Intrinsic - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 - - = - [%#sindex9] Seq.get (view'1 self) ix + meta "compute_max_steps" 1000000 - function to_mut_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 90 4 90 43] (self : borrowed (slice t_T'0)) : Seq.seq (borrowed t_T'0) + let rec contains_ghost'0 (self:t_FMap'0) (key:t_K'0) (return' (ret:bool))= {[@expl:contains_ghost 'self' type invariant] [%#sfmap0] inv'0 self} + {[@expl:contains_ghost 'key' type invariant] [%#sfmap1] inv'1 key} + (! bb0 + [ bb0 = s0 [ s0 = get_ghost'0 {self} {key} (fun (_ret':t_Option'0) -> [ &_5 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = is_some'0 {_5} (fun (_ret':bool) -> [ &_0 <- _ret' ] s1) | s1 = bb2 ] + | bb2 = return' {_0} ] + ) [ & _0 : bool = any_l () | & self : t_FMap'0 = self | & key : t_K'0 = key | & _5 : t_Option'0 = any_l () ] + [ return' (result:bool)-> {[@expl:contains_ghost ensures] [%#sfmap2] result = contains'0 self key} + (! return' {result}) ] +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom to_mut_seq'0_spec : forall self : borrowed (slice t_T'0) . ([%#sslice4] Seq.length (to_mut_seq'0 self) - = Seq.length (view'2 self)) - && ([%#sslice5] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq'0 self) - -> Seq.get (to_mut_seq'0 self) i - = Borrow.borrow_logic (index_logic'0 self.current i) (index_logic'0 self.final i) (Borrow.inherit_id (Borrow.get_id self) i)) + use prelude.prelude.Int - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 457 4 457 65] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (tl : t_IterMut'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 = - [%#sslice2] to_mut_seq'0 (view'0 self) = Seq.(++) visited (to_mut_seq'0 (view'0 tl)) - - constant self : t_IterMut'0 - - function produces_refl'0 [#"../../../creusot-contracts/src/std/slice.rs" 466 4 466 26] (self : t_IterMut'0) : () + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - goal vc_produces_refl'0 : [%#sslice0] produces'0 self (Seq.empty : Seq.seq (borrowed t_T'0)) self -end -module M_creusot_contracts__stdqy35z1__slice__qyi7128337469104663169__produces_trans [#"../../../creusot-contracts/src/std/slice.rs" 473 4 473 90] (* as std::iter::Iterator> *) - let%span sslice0 = "../../../creusot-contracts/src/std/slice.rs" 470 15 470 32 - let%span sslice1 = "../../../creusot-contracts/src/std/slice.rs" 471 15 471 32 - let%span sslice2 = "../../../creusot-contracts/src/std/slice.rs" 472 14 472 42 - let%span sslice3 = "../../../creusot-contracts/src/std/slice.rs" 468 4 468 10 - let%span sslice4 = "../../../creusot-contracts/src/std/slice.rs" 459 12 459 66 - let%span sslice5 = "../../../creusot-contracts/src/std/slice.rs" 427 14 427 50 - let%span sslice6 = "../../../creusot-contracts/src/std/slice.rs" 87 14 87 41 - let%span sslice7 = "../../../creusot-contracts/src/std/slice.rs" 88 14 88 84 - let%span sslice8 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 - let%span sslice9 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 - let%span smodel10 = "../../../creusot-contracts/src/model.rs" 110 8 110 22 - let%span sindex11 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 + constant x : int - use prelude.prelude.Opaque + constant y : int - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int) (y : int) : () - type t_IterMut'0 = - { t_IterMut__ptr'0: t_NonNull'0; t_IterMut__end_or_len'0: opaque_ptr; t_IterMut__qy95zmarker'0: () } + goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Borrow + use prelude.prelude.Int - type t_T'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use seq.Seq + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use seq.Seq + constant x : int - use prelude.prelude.UIntSize + constant y : int - constant v_MAX'0 : usize = (18446744073709551615 : usize) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int) (y : int) : () - use prelude.prelude.UIntSize + goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.Slice + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use prelude.prelude.Slice + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use seq.Seq + constant x : int - function view'1 [#"../../../creusot-contracts/src/std/slice.rs" 30 4 30 33] (self : slice t_T'0) : Seq.seq t_T'0 + constant y : int - axiom view'1_spec : forall self : slice t_T'0 . ([%#sslice8] Seq.length (view'1 self) - <= UIntSize.to_int (v_MAX'0 : usize)) - && ([%#sslice9] view'1 self = Slice.id self) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int) (y : int) : () - function view'0 [#"../../../creusot-contracts/src/std/slice.rs" 428 4 428 33] (self : t_IterMut'0) : borrowed (slice t_T'0) - + goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom view'0_spec : forall self : t_IterMut'0 . [%#sslice5] Seq.length (view'1 (view'0 self).final) - = Seq.length (view'1 (view'0 self).current) + use prelude.prelude.Int - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function view'2 [#"../../../creusot-contracts/src/model.rs" 109 4 109 33] (self : borrowed (slice t_T'0)) : Seq.seq t_T'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 = - [%#smodel10] view'1 self.current + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use seq.Seq + constant x : int - use seq.Seq + constant y : int - function index_logic'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/ops/index.rs" 48 4 48 47] (self : slice t_T'0) (ix : int) : t_T'0 - - = - [%#sindex11] Seq.get (view'1 self) ix + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int) (y : int) : () - function to_mut_seq'0 [#"../../../creusot-contracts/src/std/slice.rs" 90 4 90 43] (self : borrowed (slice t_T'0)) : Seq.seq (borrowed t_T'0) - + goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom to_mut_seq'0_spec : forall self : borrowed (slice t_T'0) . ([%#sslice6] Seq.length (to_mut_seq'0 self) - = Seq.length (view'2 self)) - && ([%#sslice7] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq'0 self) - -> Seq.get (to_mut_seq'0 self) i - = Borrow.borrow_logic (index_logic'0 self.current i) (index_logic'0 self.final i) (Borrow.inherit_id (Borrow.get_id self) i)) + use prelude.prelude.Int - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/slice.rs" 457 4 457 65] (self : t_IterMut'0) (visited : Seq.seq (borrowed t_T'0)) (tl : t_IterMut'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 = - [%#sslice4] to_mut_seq'0 (view'0 self) = Seq.(++) visited (to_mut_seq'0 (view'0 tl)) - - constant a : t_IterMut'0 - - constant ab : Seq.seq (borrowed t_T'0) - - constant b : t_IterMut'0 - - constant bc : Seq.seq (borrowed t_T'0) + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant c : t_IterMut'0 + constant x : int - function produces_trans'0 [#"../../../creusot-contracts/src/std/slice.rs" 473 4 473 90] (a : t_IterMut'0) (ab : Seq.seq (borrowed t_T'0)) (b : t_IterMut'0) (bc : Seq.seq (borrowed t_T'0)) (c : t_IterMut'0) : () - + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int) : () - goal vc_produces_trans'0 : ([%#sslice1] produces'0 b bc c) - -> ([%#sslice0] produces'0 a ab b) -> ([%#sslice2] produces'0 a (Seq.(++) ab bc) c) + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__stdqy35z1__vec__qyi12862303518309667396__produces_refl [#"../../../creusot-contracts/src/std/vec.rs" 271 4 271 26] (* as std::iter::Iterator> *) - let%span svec0 = "../../../creusot-contracts/src/std/vec.rs" 270 14 270 45 - let%span svec1 = "../../../creusot-contracts/src/std/vec.rs" 268 4 268 10 - let%span svec2 = "../../../creusot-contracts/src/std/vec.rs" 264 12 264 41 +module M_creusot_contracts__logic__ord__qyi8355372356285216375__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use seq.Seq + use prelude.prelude.Int - type t_T'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use seq.Seq + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + + = + [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use prelude.prelude.Opaque + constant x : int - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + constant y : int - use prelude.prelude.UIntSize + constant z : int - type t_A'0 + constant o : t_Ordering'0 - type t_ManuallyDrop'0 = - { t_ManuallyDrop__value'0: t_A'0 } + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int) (y : int) (z : int) (o : t_Ordering'0) : () + - type t_IntoIter'0 = - { t_IntoIter__buf'0: t_NonNull'0; - t_IntoIter__phantom'0: (); - t_IntoIter__cap'0: usize; - t_IntoIter__alloc'0: t_ManuallyDrop'0; - t_IntoIter__ptr'0: t_NonNull'0; - t_IntoIter__end'0: opaque_ptr } + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - function view'0 [#"../../../creusot-contracts/src/std/vec.rs" 234 4 234 33] (self : t_IntoIter'0) : Seq.seq t_T'0 + use prelude.prelude.Int - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/vec.rs" 262 4 262 57] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (rhs : t_IntoIter'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 = - [%#svec2] view'0 self = Seq.(++) visited (view'0 rhs) + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant self : t_IntoIter'0 + constant x : int - function produces_refl'0 [#"../../../creusot-contracts/src/std/vec.rs" 271 4 271 26] (self : t_IntoIter'0) : () + constant y : int - goal vc_produces_refl'0 : [%#svec0] produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__vec__qyi12862303518309667396__produces_trans [#"../../../creusot-contracts/src/std/vec.rs" 278 4 278 72] (* as std::iter::Iterator> *) - let%span svec0 = "../../../creusot-contracts/src/std/vec.rs" 275 15 275 32 - let%span svec1 = "../../../creusot-contracts/src/std/vec.rs" 276 15 276 32 - let%span svec2 = "../../../creusot-contracts/src/std/vec.rs" 277 14 277 42 - let%span svec3 = "../../../creusot-contracts/src/std/vec.rs" 273 4 273 10 - let%span svec4 = "../../../creusot-contracts/src/std/vec.rs" 264 12 264 41 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int) (y : int) : () - use prelude.prelude.Opaque + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - type t_NonNull'0 = - { t_NonNull__pointer'0: opaque_ptr } + use prelude.prelude.Int - use prelude.prelude.UIntSize + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_A'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_ManuallyDrop'0 = - { t_ManuallyDrop__value'0: t_A'0 } + constant x : int - type t_IntoIter'0 = - { t_IntoIter__buf'0: t_NonNull'0; - t_IntoIter__phantom'0: (); - t_IntoIter__cap'0: usize; - t_IntoIter__alloc'0: t_ManuallyDrop'0; - t_IntoIter__ptr'0: t_NonNull'0; - t_IntoIter__end'0: opaque_ptr } + constant y : int - type t_T'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int) (y : int) : () - use seq.Seq + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi8355372356285216375__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - function view'0 [#"../../../creusot-contracts/src/std/vec.rs" 234 4 234 33] (self : t_IntoIter'0) : Seq.seq t_T'0 + use prelude.prelude.Int - use seq.Seq + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate produces'0 [#"../../../creusot-contracts/src/std/vec.rs" 262 4 262 57] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (rhs : t_IntoIter'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 = - [%#svec4] view'0 self = Seq.(++) visited (view'0 rhs) - - constant a : t_IntoIter'0 - - constant ab : Seq.seq t_T'0 - - constant b : t_IntoIter'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant bc : Seq.seq t_T'0 + constant x : int - constant c : t_IntoIter'0 + constant y : int - function produces_trans'0 [#"../../../creusot-contracts/src/std/vec.rs" 278 4 278 72] (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () - + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int) (y : int) : () - goal vc_produces_trans'0 : ([%#svec1] produces'0 b bc c) - -> ([%#svec0] produces'0 a ab b) -> ([%#svec2] produces'0 a (Seq.(++) ab bc) c) + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.Int - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real - - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : Real.real) (y : Real.real) : () - + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint8) (y : uint8) : () - goal vc_cmp_le_log'0 : [%#sord0] Real.(<=) x y = (cmp_log'0 x y <> C_Greater'0) + goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.Int - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : Real.real) (y : Real.real) : () - + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint8) (y : uint8) : () - goal vc_cmp_lt_log'0 : [%#sord0] Real.(<) x y = (cmp_log'0 x y = C_Less'0) + goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.Int - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 - | C_Greater'0 - - use prelude.prelude.Real + | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : Real.real) (y : Real.real) : () - + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint8) (y : uint8) : () - goal vc_cmp_ge_log'0 : [%#sord0] Real.(>=) x y = (cmp_log'0 x y <> C_Less'0) + goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.Int - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real - - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : Real.real) (y : Real.real) : () - + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint8) (y : uint8) : () - goal vc_cmp_gt_log'0 : [%#sord0] Real.(>) x y = (cmp_log'0 x y = C_Greater'0) + goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : Real.real) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint8) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__num_rational__qyi7156484438548626841__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span snum_rational4 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational4] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - constant z : Real.real + constant z : uint8 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : Real.real) (y : Real.real) (z : Real.real) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint8) (y : uint8) (z : uint8) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span snum_rational3 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational3] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : Real.real) (y : Real.real) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint8) (y : uint8) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span snum_rational3 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational3] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : Real.real) (y : Real.real) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint8) (y : uint8) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__num_rational__qyi7156484438548626841__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi15418235539824427604__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span snum_rational2 = "../../../creusot-contracts/src/num_rational.rs" 29 4 29 12 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Real + use prelude.prelude.UInt8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Real + use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/num_rational.rs" 31 4 31 41] (self : Real.real) (o : Real.real) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 = - [%#snum_rational2] if Real.(<) self o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : Real.real + constant x : uint8 - constant y : Real.real + constant y : uint8 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : Real.real) (y : Real.real) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint8) (y : uint8) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__ghost__qyi17645547594388049322__clone [#"../../../creusot-contracts/src/ghost.rs" 50 4 50 27] (* as std::clone::Clone> *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 50 14 50 18 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 50 23 50 27 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 49 14 49 29 - let%span sclone3 = "../../../creusot-contracts/src/std/clone.rs" 7 0 20 1 - let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - - type t_T'0 - - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } - - use prelude.prelude.Borrow - - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - - predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed5] inv'4 self - - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - - axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = invariant'2 x - - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = - [%#sinvariant4] inv'3 self - - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - - axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'1 x - - let rec clone'1 (self:t_T'0) (return' (ret:t_T'0))= {[@expl:clone 'self' type invariant] inv'2 self} - any [ return' (result:t_T'0)-> {inv'3 result} {[%#sclone3] result = self} (! return' {result}) ] +module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Intrinsic + use prelude.prelude.Int - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + use prelude.prelude.UInt16 - axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'3 a_0 - end + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'0) = - [%#sinvariant4] inv'1 self + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + constant x : uint16 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x = invariant'0 x + constant y : uint16 - meta "compute_max_steps" 1000000 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint16) (y : uint16) : () - let rec clone'0 (self:t_GhostBox'0) (return' (ret:t_GhostBox'0))= {[@expl:clone 'self' type invariant] [%#sghost0] inv'0 self} - (! bb0 - [ bb0 = s0 [ s0 = clone'1 {self.t_GhostBox__0'0} (fun (_ret':t_T'0) -> [ &_3 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'0 = _3 } ] s1 | s1 = bb2 ] - | bb2 = return' {_0} ] - ) [ & _0 : t_GhostBox'0 = any_l () | & self : t_GhostBox'0 = self | & _3 : t_T'0 = any_l () ] - [ return' (result:t_GhostBox'0)-> {[@expl:clone result type invariant] [%#sghost1] inv'1 result} - {[@expl:clone ensures] [%#sghost2] result = self} - (! return' {result}) ] - + goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__ghost__qyi1862168959261460300__deref [#"../../../creusot-contracts/src/ghost.rs" 69 4 69 36] (* as std::ops::Deref> *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 69 14 69 18 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 69 23 69 36 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 68 14 68 35 - let%span sinvariant3 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sboxed4 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 +module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - type t_T'0 + use prelude.prelude.Int - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } + use prelude.prelude.UInt16 - use prelude.prelude.Borrow + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use prelude.prelude.Intrinsic + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant x : uint16 - predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed4] inv'3 self + constant y : uint16 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint16) (y : uint16) : () - axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = invariant'2 x + goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + use prelude.prelude.Int - axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'2 x] . inv'2 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 - end + use prelude.prelude.UInt16 - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'0) = - [%#sinvariant3] inv'2 self + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x = invariant'0 x + constant x : uint16 - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = - [%#sinvariant3] inv'3 self + constant y : uint16 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint16) (y : uint16) : () - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'1 x] . inv'1 x = invariant'1 x + goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - meta "compute_max_steps" 1000000 + use prelude.prelude.Int - let rec deref'0 (self:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:deref 'self' type invariant] [%#sghost0] inv'0 self} - (! bb0 - [ bb0 = s0 - [ s0 = [ &_5 <- self.t_GhostBox__0'0 ] s1 - | s1 = [ &_4 <- _5 ] s2 - | s2 = [ &_2 <- _4 ] s3 - | s3 = [ &_0 <- _2 ] s4 - | s4 = return' {_0} ] - ] - ) - [ & _0 : t_T'0 = any_l () - | & self : t_GhostBox'0 = self - | & _2 : t_T'0 = any_l () - | & _4 : t_T'0 = any_l () - | & _5 : t_T'0 = any_l () ] - - [ return' (result:t_T'0)-> {[@expl:deref result type invariant] [%#sghost1] inv'1 result} - {[@expl:deref ensures] [%#sghost2] self.t_GhostBox__0'0 = result} - (! return' {result}) ] - -end -module M_creusot_contracts__ghost__qyi17214052996668775070__deref_mut [#"../../../creusot-contracts/src/ghost.rs" 85 4 85 48] (* as std::ops::DerefMut> *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 85 22 85 26 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 85 31 85 48 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 84 14 84 36 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + use prelude.prelude.UInt16 - use prelude.prelude.Borrow + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_T'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant x : uint16 - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } + constant y : uint16 - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = - [%#sinvariant4] inv'0 self.current /\ inv'0 self.final + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint16) (y : uint16) : () - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . inv'1 x = invariant'0 x + use prelude.prelude.UInt16 - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = - [%#sresolve3] self.final = self.current + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = - resolve'2 _1 + use prelude.prelude.Int - predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed5] inv'0 self + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant x : uint16 - axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = invariant'2 x + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint16) : () - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . inv'3 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 - end + use prelude.prelude.UInt16 - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_GhostBox'0)) = - [%#sinvariant4] inv'3 self.current /\ inv'3 self.final + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_GhostBox'0)) + use prelude.prelude.Int - axiom inv_axiom'1 [@rewrite] : forall x : borrowed (t_GhostBox'0) [inv'2 x] . inv'2 x = invariant'1 x + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_GhostBox'0)) = - [%#sresolve3] self.final = self.current + constant x : uint16 - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_GhostBox'0)) = - resolve'3 _1 + constant y : uint16 - use prelude.prelude.Intrinsic + constant z : uint16 - meta "compute_max_steps" 1000000 + constant o : t_Ordering'0 - let rec deref_mut'0 (self:borrowed (t_GhostBox'0)) (return' (ret:borrowed t_T'0))= {[@expl:deref_mut 'self' type invariant] [%#sghost0] inv'2 self} - (! bb0 - [ bb0 = s0 - [ s0 = {inv'0 (self.current).t_GhostBox__0'0} - Borrow.borrow_final {(self.current).t_GhostBox__0'0} {Borrow.inherit_id (Borrow.get_id self) 1} - (fun (_ret':borrowed t_T'0) -> - [ &_5 <- _ret' ] - -{inv'0 _ret'.final}- - [ &self <- { self with current = { t_GhostBox__0'0 = _ret'.final } } ] - s1) - | s1 = {inv'0 _5.current} - Borrow.borrow_final {_5.current} {Borrow.get_id _5} - (fun (_ret':borrowed t_T'0) -> - [ &_4 <- _ret' ] - -{inv'0 _ret'.final}- - [ &_5 <- { _5 with current = _ret'.final } ] - s2) - | s2 = {inv'0 _4.current} - Borrow.borrow_final {_4.current} {Borrow.get_id _4} - (fun (_ret':borrowed t_T'0) -> - [ &_2 <- _ret' ] - -{inv'0 _ret'.final}- - [ &_4 <- { _4 with current = _ret'.final } ] - s3) - | s3 = {inv'0 _2.current} - Borrow.borrow_final {_2.current} {Borrow.get_id _2} - (fun (_ret':borrowed t_T'0) -> - [ &_0 <- _ret' ] - -{inv'0 _ret'.final}- - [ &_2 <- { _2 with current = _ret'.final } ] - s4) - | s4 = {[@expl:type invariant] inv'1 _5} s5 - | s5 = -{resolve'0 _5}- s6 - | s6 = {[@expl:type invariant] inv'1 _4} s7 - | s7 = -{resolve'0 _4}- s8 - | s8 = {[@expl:type invariant] inv'1 _2} s9 - | s9 = -{resolve'0 _2}- s10 - | s10 = {[@expl:type invariant] inv'2 self} s11 - | s11 = -{resolve'1 self}- s12 - | s12 = return' {_0} ] - ] - ) - [ & _0 : borrowed t_T'0 = any_l () - | & self : borrowed (t_GhostBox'0) = self - | & _2 : borrowed t_T'0 = any_l () - | & _4 : borrowed t_T'0 = any_l () - | & _5 : borrowed t_T'0 = any_l () ] - - [ return' (result:borrowed t_T'0)-> {[@expl:deref_mut result type invariant] [%#sghost1] inv'1 result} - {[@expl:deref_mut ensures] [%#sghost2] result - = Borrow.borrow_logic (self.current).t_GhostBox__0'0 (self.final).t_GhostBox__0'0 (Borrow.inherit_id (Borrow.get_id self) 1)} - (! return' {result}) ] + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint16) (y : uint16) (z : uint16) (o : t_Ordering'0) : () + + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__ghost__qyi2175792468772189056__borrow [#"../../../creusot-contracts/src/ghost.rs" 124 4 124 40] (* ghost::GhostBox *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 124 19 124 23 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 124 28 124 40 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 123 14 123 35 - let%span sinvariant3 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sboxed4 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 +module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - type t_T'0 + use prelude.prelude.UInt16 - type t_GhostBox'1 = - { t_GhostBox__0'0: t_T'0 } + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use prelude.prelude.Borrow + use prelude.prelude.Int - type t_GhostBox'0 = - { t_GhostBox__0'1: t_T'0 } + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use prelude.prelude.Intrinsic + constant x : uint16 - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant y : uint16 - predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed4] inv'6 self + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint16) (y : uint16) : () - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom inv_axiom'4 [@rewrite] : forall x : t_T'0 [inv'4 x] . inv'4 x = invariant'2 x + use prelude.prelude.UInt16 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom inv_axiom'3 [@rewrite] : forall x : t_GhostBox'1 [inv'3 x] . inv'3 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 - end + use prelude.prelude.Int - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_GhostBox'1) = - [%#sinvariant3] inv'3 self + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) + constant x : uint16 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'1 [inv'0 x] . inv'0 x = invariant'0 x + constant y : uint16 - predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_T'0) = - [%#sinvariant3] inv'6 self + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint16) (y : uint16) : () - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi7305497527599188430__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom inv_axiom'5 [@rewrite] : forall x : t_T'0 [inv'5 x] . inv'5 x = invariant'3 x + use prelude.prelude.UInt16 - predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed4] inv'5 self + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use prelude.prelude.Int - axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'1 x + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + constant x : uint16 - axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x - = match x with - | {t_GhostBox__0'1 = a_0} -> inv'2 a_0 - end + constant y : uint16 - meta "compute_max_steps" 1000000 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint16) (y : uint16) : () - let rec borrow'0 (self:t_GhostBox'1) (return' (ret:t_GhostBox'0))= {[@expl:borrow 'self' type invariant] [%#sghost0] inv'0 self} - (! bb0 - [ bb0 = s0 [ s0 = [ &_5 <- self.t_GhostBox__0'0 ] s1 | s1 = bb1 ] - | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'1 = _5 } ] s1 | s1 = bb2 ] - | bb2 = return' {_0} ] - ) [ & _0 : t_GhostBox'0 = any_l () | & self : t_GhostBox'1 = self | & _5 : t_T'0 = any_l () ] - [ return' (result:t_GhostBox'0)-> {[@expl:borrow result type invariant] [%#sghost1] inv'1 result} - {[@expl:borrow ensures] [%#sghost2] result.t_GhostBox__0'1 = self.t_GhostBox__0'0} - (! return' {result}) ] - + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__ghost__qyi2175792468772189056__borrow_mut [#"../../../creusot-contracts/src/ghost.rs" 138 4 138 52] (* ghost::GhostBox *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 138 27 138 31 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 138 36 138 52 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 137 14 137 39 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sboxed5 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 +module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Borrow + use prelude.prelude.Int - type t_T'0 + use prelude.prelude.UInt32 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_GhostBox'1 = - { t_GhostBox__0'0: t_T'0 } + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_GhostBox'0 = - { t_GhostBox__0'1: borrowed t_T'0 } + constant x : uint32 - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed t_T'0) = - [%#sinvariant4] inv'0 self.current /\ inv'0 self.final + constant y : uint32 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint32) (y : uint32) : () - axiom inv_axiom'0 [@rewrite] : forall x : borrowed t_T'0 [inv'1 x] . inv'1 x = invariant'0 x + goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = - [%#sresolve3] self.final = self.current + use prelude.prelude.Int - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed t_T'0) = - resolve'2 _1 + use prelude.prelude.UInt32 - predicate invariant'3 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed5] inv'0 self + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom inv_axiom'5 [@rewrite] : forall x : t_T'0 [inv'6 x] . inv'6 x = invariant'3 x + constant x : uint32 - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'1) + constant y : uint32 - axiom inv_axiom'4 [@rewrite] : forall x : t_GhostBox'1 [inv'5 x] . inv'5 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'6 a_0 - end + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint32) (y : uint32) : () - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 33 4 33 30] (self : borrowed (t_GhostBox'1)) = - [%#sinvariant4] inv'5 self.current /\ inv'5 self.final + goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed (t_GhostBox'1)) + use prelude.prelude.Int - axiom inv_axiom'1 [@rewrite] : forall x : borrowed (t_GhostBox'1) [inv'2 x] . inv'2 x = invariant'1 x + use prelude.prelude.UInt32 - predicate resolve'3 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed (t_GhostBox'1)) = - [%#sresolve3] self.final = self.current + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : borrowed (t_GhostBox'1)) = - resolve'3 _1 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use prelude.prelude.Intrinsic + constant x : uint32 - predicate invariant'2 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : borrowed t_T'0) = - [%#sboxed5] inv'1 self + constant y : uint32 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : borrowed t_T'0) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint32) (y : uint32) : () - axiom inv_axiom'3 [@rewrite] : forall x : borrowed t_T'0 [inv'4 x] . inv'4 x = invariant'2 x + goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + use prelude.prelude.Int - axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . inv'3 x - = match x with - | {t_GhostBox__0'1 = a_0} -> inv'4 a_0 - end + use prelude.prelude.UInt32 - meta "compute_max_steps" 1000000 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - let rec borrow_mut'0 (self:borrowed (t_GhostBox'1)) (return' (ret:t_GhostBox'0))= {[@expl:borrow_mut 'self' type invariant] [%#sghost0] inv'2 self} - (! bb0 - [ bb0 = s0 - [ s0 = {inv'0 (self.current).t_GhostBox__0'0} - Borrow.borrow_final {(self.current).t_GhostBox__0'0} {Borrow.inherit_id (Borrow.get_id self) 1} - (fun (_ret':borrowed t_T'0) -> - [ &_5 <- _ret' ] - -{inv'0 _ret'.final}- - [ &self <- { self with current = { t_GhostBox__0'0 = _ret'.final } } ] - s1) - | s1 = {inv'0 _5.current} - Borrow.borrow_final {_5.current} {Borrow.get_id _5} - (fun (_ret':borrowed t_T'0) -> - [ &_4 <- _ret' ] - -{inv'0 _ret'.final}- - [ &_5 <- { _5 with current = _ret'.final } ] - s2) - | s2 = bb1 ] - - | bb1 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'1 = _4 } ] s1 | s1 = bb2 ] - | bb2 = s0 - [ s0 = {[@expl:type invariant] inv'1 _5} s1 - | s1 = -{resolve'0 _5}- s2 - | s2 = {[@expl:type invariant] inv'2 self} s3 - | s3 = -{resolve'1 self}- s4 - | s4 = return' {_0} ] - ] - ) - [ & _0 : t_GhostBox'0 = any_l () - | & self : borrowed (t_GhostBox'1) = self - | & _4 : borrowed t_T'0 = any_l () - | & _5 : borrowed t_T'0 = any_l () ] - - [ return' (result:t_GhostBox'0)-> {[@expl:borrow_mut result type invariant] [%#sghost1] inv'3 result} - {[@expl:borrow_mut ensures] [%#sghost2] result.t_GhostBox__0'1 - = Borrow.borrow_logic (self.current).t_GhostBox__0'0 (self.final).t_GhostBox__0'0 (Borrow.inherit_id (Borrow.get_id self) 1)} - (! return' {result}) ] + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 -end -module M_creusot_contracts__ghost__qyi2175792468772189056__conjure [#"../../../creusot-contracts/src/ghost.rs" 155 4 155 28] (* ghost::GhostBox *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 154 15 154 20 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 155 24 155 28 - let%span sboxed2 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - - type t_T'0 - - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant x : uint32 - predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed2] inv'2 self + constant y : uint32 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint32) (y : uint32) : () - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'1 x] . inv'1 x = invariant'0 x + goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + use prelude.prelude.UInt32 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'1 a_0 - end + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - meta "compute_max_steps" 1000000 + use prelude.prelude.Int - let rec conjure'0 (_1:()) (return' (ret:t_GhostBox'0))= {[@expl:conjure requires] [%#sghost0] false} - (! bb0 [ bb0 = bb1 | bb1 = bb1 [ bb1 = (! bb2) [ bb2 = bb1 ] ] ] ) - [ return' (result:t_GhostBox'0)-> {[@expl:conjure result type invariant] [%#sghost1] inv'0 result} - (! return' {result}) ] + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 -end -module M_creusot_contracts__ghost__qyi2175792468772189056__new [#"../../../creusot-contracts/src/ghost.rs" 181 4 181 28] (* ghost::GhostBox *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 181 15 181 16 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 181 24 181 28 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 179 14 179 28 - let%span sboxed3 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_T'0 + constant x : uint32 - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint32) : () + + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Intrinsic + use prelude.prelude.UInt32 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed3] inv'0 self + use prelude.prelude.Int - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'0 x + constant x : uint32 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + constant y : uint32 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 - end + constant z : uint32 - meta "compute_max_steps" 1000000 + constant o : t_Ordering'0 - let rec new'0 (x:t_T'0) (return' (ret:t_GhostBox'0))= {[@expl:new 'x' type invariant] [%#sghost0] inv'0 x} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = s0 [ s0 = [ &_0 <- { t_GhostBox__0'0 = x } ] s1 | s1 = bb3 ] - | bb3 = bb4 - | bb4 = return' {_0} ] - ) [ & _0 : t_GhostBox'0 = any_l () | & x : t_T'0 = x ] - [ return' (result:t_GhostBox'0)-> {[@expl:new result type invariant] [%#sghost1] inv'1 result} - {[@expl:new ensures] [%#sghost2] result.t_GhostBox__0'0 = x} - (! return' {result}) ] + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint32) (y : uint32) (z : uint32) (o : t_Ordering'0) : () + + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__ghost__qyi2175792468772189056__into_inner [#"../../../creusot-contracts/src/ghost.rs" 199 4 199 32] (* ghost::GhostBox *) - let%span sghost0 = "../../../creusot-contracts/src/ghost.rs" 199 22 199 26 - let%span sghost1 = "../../../creusot-contracts/src/ghost.rs" 199 31 199 32 - let%span sghost2 = "../../../creusot-contracts/src/ghost.rs" 197 14 197 31 - let%span sboxed3 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 +module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - type t_T'0 + use prelude.prelude.UInt32 - type t_GhostBox'0 = - { t_GhostBox__0'0: t_T'0 } + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use prelude.prelude.Intrinsic + use prelude.prelude.Int - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed3] inv'1 self + constant x : uint32 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + constant y : uint32 - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'0 x + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint32) (y : uint32) : () - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom inv_axiom'0 [@rewrite] : forall x : t_GhostBox'0 [inv'0 x] . inv'0 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 - end + use prelude.prelude.UInt32 - meta "compute_max_steps" 1000000 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - let rec into_inner'0 (self:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:into_inner 'self' type invariant] [%#sghost0] inv'0 self} - (! bb0 [ bb0 = bb1 | bb1 = s0 [ s0 = [ &_0 <- self.t_GhostBox__0'0 ] s1 | s1 = bb2 ] | bb2 = return' {_0} ] ) - [ & _0 : t_T'0 = any_l () | & self : t_GhostBox'0 = self ] - - [ return' (result:t_T'0)-> {[@expl:into_inner result type invariant] [%#sghost1] inv'1 result} - {[@expl:into_inner ensures] [%#sghost2] result = self.t_GhostBox__0'0} - (! return' {result}) ] - -end -module M_creusot_contracts__logic__fmap__qyi9892930999379617882__subtract [#"../../../creusot-contracts/src/logic/fmap.rs" 203 4 203 46] (* logic::fmap::FMap *) - let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 195 15 195 33 - let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 196 14 196 36 - let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 197 14 197 46 - let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 198 14 202 5 - let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 180 14 184 5 - let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 204 8 204 33 - let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 154 12 154 89 - let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 146 19 146 71 - let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 163 15 163 35 - let%span sfmap9 = "../../../creusot-contracts/src/logic/fmap.rs" 164 14 170 5 - let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 171 14 171 54 - let%span sfmap11 = "../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 - let%span sfmap12 = "../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 - let%span sfmap13 = "../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 - let%span sfmap14 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 - let%span sfmap15 = "../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 - let%span sfmap16 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 - let%span sfmap17 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + use prelude.prelude.Int - type t_FMap'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_K'0 + constant x : uint32 - type t_V'0 + constant y : uint32 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_V'0 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint32) (y : uint32) : () - use map.Map + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi4526525114627399862__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'0) - + use prelude.prelude.UInt32 - axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap17] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 - -> view'0 m1 <> view'0 m2 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - use map.Map + use prelude.prelude.Int - function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 = - [%#sfmap14] Map.get (view'0 self) k + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - function contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 131 4 131 39] (self : t_FMap'0) (k : t_K'0) : bool - - = - [%#sfmap15] get_unsized'0 self k <> C_None'0 + constant x : uint32 - function subset'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 152 4 152 44] (self : t_FMap'0) (other : t_FMap'0) : bool - - = - [%#sfmap6] forall k : t_K'0 . contains'0 self k -> get_unsized'0 other k = get_unsized'0 self k + constant y : uint32 - function disjoint'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 145 4 145 46] (self : t_FMap'0) (other : t_FMap'0) : bool - - = - [%#sfmap7] forall k : t_K'0 . not contains'0 self k \/ not contains'0 other k + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint32) (y : uint32) : () + + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int + use prelude.prelude.UInt64 - axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap16] len'0 self >= 0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function union'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 172 4 172 43] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom union'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap8] disjoint'0 self other) - -> ([%#sfmap9] forall k : t_K'0 . get_unsized'0 (union'0 self other) k - = (if contains'0 self k then - get_unsized'0 self k - else - if contains'0 other k then get_unsized'0 other k else C_None'0 - )) - && ([%#sfmap10] len'0 (union'0 self other) = len'0 self + len'0 other) + constant x : uint64 - function ext_eq'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (self : t_FMap'0) (other : t_FMap'0) : bool - - = - [%#sfmap13] view'0 self = view'0 other + constant y : uint64 - axiom ext_eq'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap11] ext_eq'0 self other -> self = other) - && ([%#sfmap12] (forall k : t_K'0 . get_unsized'0 self k = get_unsized'0 other k) -> ext_eq'0 self other) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint64) (y : uint64) : () - function subtract_keys'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 185 4 185 51] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 - + goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom subtract_keys'0_spec : forall self : t_FMap'0, other : t_FMap'0 . [%#sfmap4] forall k : t_K'0 . get_unsized'0 (subtract_keys'0 self other) k - = (if contains'0 other k then C_None'0 else get_unsized'0 self k) + use prelude.prelude.Int - constant self : t_FMap'0 + use prelude.prelude.UInt64 - constant other : t_FMap'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function subtract'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 203 4 203 46] (self : t_FMap'0) (other : t_FMap'0) : t_FMap'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - goal vc_subtract'0 : ([%#sfmap0] subset'0 other self) - -> ([%#sfmap4] forall k : t_K'0 . get_unsized'0 (subtract_keys'0 self other) k - = (if contains'0 other k then C_None'0 else get_unsized'0 self k)) - -> (let result = subtract_keys'0 self other in ([%#sfmap1] disjoint'0 result other) - && ([%#sfmap2] ext_eq'0 (union'0 other result) self) - && ([%#sfmap3] forall k : t_K'0 . get_unsized'0 result k - = (if contains'0 other k then C_None'0 else get_unsized'0 self k))) + constant x : uint64 + + constant y : uint64 + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint64) (y : uint64) : () + + goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__fmap__qyi9892930999379617882__ext_eq [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (* logic::fmap::FMap *) - let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 - let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 - let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 - let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 +module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + + use prelude.prelude.Int + + use prelude.prelude.UInt64 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_K'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_FMap'0 + constant x : uint64 - type t_V'0 + constant y : uint64 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_V'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint64) (y : uint64) : () - use map.Map + goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'0) - + use prelude.prelude.Int - axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 - -> view'0 m1 <> view'0 m2 + use prelude.prelude.UInt64 - use map.Map + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 = - [%#sfmap4] Map.get (view'0 self) k + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant self : t_FMap'0 + constant x : uint64 - constant other : t_FMap'0 + constant y : uint64 - function ext_eq'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 216 4 216 44] (self : t_FMap'0) (other : t_FMap'0) : bool - + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint64) (y : uint64) : () - goal vc_ext_eq'0 : ([%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 -> view'0 m1 <> view'0 m2) - -> ([%#sfmap2] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 -> view'0 m1 <> view'0 m2) - -> (let result = view'0 self = view'0 other in ([%#sfmap0] result -> self = other) - && ([%#sfmap1] (forall k : t_K'0 . get_unsized'0 self k = get_unsized'0 other k) -> result)) + goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__fmap__qyi9892930999379617882__contains_ghost [#"../../../creusot-contracts/src/logic/fmap.rs" 285 4 285 49] (* logic::fmap::FMap *) - let%span sfmap0 = "../../../creusot-contracts/src/logic/fmap.rs" 285 27 285 31 - let%span sfmap1 = "../../../creusot-contracts/src/logic/fmap.rs" 285 33 285 36 - let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 284 14 284 43 - let%span sfmap3 = "../../../creusot-contracts/src/logic/fmap.rs" 314 22 314 26 - let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 314 28 314 31 - let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 314 40 314 50 - let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 306 4 313 11 - let%span soption7 = "../../../creusot-contracts/src/std/option.rs" 36 26 36 51 - let%span sfmap8 = "../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 - let%span sfmap9 = "../../../creusot-contracts/src/logic/fmap.rs" 124 8 124 35 - let%span sfmap10 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 - let%span sutil11 = "../../../creusot-contracts/src/util.rs" 55 11 55 21 - let%span sutil12 = "../../../creusot-contracts/src/util.rs" 56 10 56 28 - let%span sinvariant13 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sfmap14 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - let%span sfmap15 = "../../../creusot-contracts/src/logic/fmap.rs" 452 20 452 91 - let%span sboxed16 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 +module M_creusot_contracts__logic__ord__qyi11489483489418918928__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Borrow + use prelude.prelude.UInt64 - type t_FMap'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - type t_K'0 + use prelude.prelude.Int - type t_V'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - type t_Option'1 = - | C_None'1 - | C_Some'1 t_V'0 + constant x : uint64 - use map.Map + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint64) : () - function view'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_K'0 (t_Option'1) - + goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom view'0_spec : forall self : t_FMap'0 . [%#sfmap14] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 - -> view'0 m1 <> view'0 m2 + use prelude.prelude.UInt64 - use map.Map + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_K'0) : t_Option'1 - - = - [%#sfmap10] Map.get (view'0 self) k + use prelude.prelude.Int - function contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 131 4 131 39] (self : t_FMap'0) (k : t_K'0) : bool + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 = - [%#sfmap8] get_unsized'0 self k <> C_None'1 - - predicate inv'6 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_K'0) - - function unwrap'0 [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] (op : t_Option'1) : t_V'0 + [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom unwrap'0_spec : forall op : t_Option'1 . ([%#sutil11] op <> C_None'1) - -> ([%#sutil12] C_Some'1 (unwrap'0 op) = op) + constant x : uint64 - function lookup_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 123 4 123 50] (self : t_FMap'0) (k : t_K'0) : t_V'0 - - = - [%#sfmap9] unwrap'0 (get_unsized'0 self k) + constant y : uint64 - predicate inv'7 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) + constant z : uint64 - predicate invariant'5 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_V'0) = - [%#sboxed16] inv'7 self + constant o : t_Ordering'0 - predicate inv'8 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint64) (y : uint64) (z : uint64) (o : t_Ordering'0) : () + - axiom inv_axiom'6 [@rewrite] : forall x : t_V'0 [inv'8 x] . inv'8 x = invariant'5 x + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate invariant'4 [#"../../../creusot-contracts/src/logic/fmap.rs" 451 4 451 30] (self : t_FMap'0) = - [%#sfmap15] forall k : t_K'0 . contains'0 self k -> inv'6 k /\ inv'8 (lookup_unsized'0 self k) + use prelude.prelude.UInt64 - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_FMap'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom inv_axiom'5 [@rewrite] : forall x : t_FMap'0 [inv'5 x] . inv'5 x = invariant'4 x + use prelude.prelude.Int - predicate invariant'0 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_FMap'0) = - [%#sinvariant13] inv'5 self + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_FMap'0) + constant x : uint64 - axiom inv_axiom'0 [@rewrite] : forall x : t_FMap'0 [inv'0 x] . inv'0 x = invariant'0 x + constant y : uint64 - predicate invariant'1 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_K'0) = - [%#sinvariant13] inv'6 self + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint64) (y : uint64) : () - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_K'0) + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - axiom inv_axiom'1 [@rewrite] : forall x : t_K'0 [inv'1 x] . inv'1 x = invariant'1 x + use prelude.prelude.UInt64 - type t_Option'0 = - | C_None'0 - | C_Some'0 t_V'0 + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - predicate invariant'3 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_V'0) = - [%#sinvariant13] inv'7 self + use prelude.prelude.Int - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_V'0) + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + + = + [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - axiom inv_axiom'4 [@rewrite] : forall x : t_V'0 [inv'4 x] . inv'4 x = invariant'3 x + constant x : uint64 - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + constant y : uint64 - axiom inv_axiom'2 [@rewrite] : forall x : t_Option'0 [inv'2 x] . inv'2 x - = match x with - | C_None'0 -> true - | C_Some'0 a_0 -> inv'4 a_0 - end + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint64) (y : uint64) : () - let rec get_ghost'0 (self:t_FMap'0) (key:t_K'0) (return' (ret:t_Option'0))= {[@expl:get_ghost 'self' type invariant] [%#sfmap3] inv'0 self} - {[@expl:get_ghost 'key' type invariant] [%#sfmap4] inv'1 key} - any - [ return' (result:t_Option'0)-> {[%#sfmap5] inv'2 result} - {[%#sfmap6] if contains'0 self key then - match result with - | C_None'0 -> false - | C_Some'0 r -> lookup_unsized'0 self key = r - end - else - result = C_None'0 - } - (! return' {result}) ] - + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) +end +module M_creusot_contracts__logic__ord__qyi11489483489418918928__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - predicate invariant'2 [#"../../../creusot-contracts/src/invariant.rs" 23 4 23 30] (self : t_Option'0) = - [%#sinvariant13] inv'2 self + use prelude.prelude.UInt64 - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_Option'0) + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 - axiom inv_axiom'3 [@rewrite] : forall x : t_Option'0 [inv'3 x] . inv'3 x = invariant'2 x + use prelude.prelude.Int - let rec is_some'0 (self:t_Option'0) (return' (ret:bool))= {[@expl:is_some 'self' type invariant] inv'3 self} - any [ return' (result:bool)-> {[%#soption7] result = (self <> C_None'0)} (! return' {result}) ] + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + + = + [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - use prelude.prelude.Intrinsic + constant x : uint64 - meta "compute_max_steps" 1000000 + constant y : uint64 - let rec contains_ghost'0 (self:t_FMap'0) (key:t_K'0) (return' (ret:bool))= {[@expl:contains_ghost 'self' type invariant] [%#sfmap0] inv'0 self} - {[@expl:contains_ghost 'key' type invariant] [%#sfmap1] inv'1 key} - (! bb0 - [ bb0 = s0 [ s0 = get_ghost'0 {self} {key} (fun (_ret':t_Option'0) -> [ &_5 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = s0 [ s0 = is_some'0 {_5} (fun (_ret':bool) -> [ &_0 <- _ret' ] s1) | s1 = bb2 ] - | bb2 = return' {_0} ] - ) [ & _0 : bool = any_l () | & self : t_FMap'0 = self | & key : t_K'0 = key | & _5 : t_Option'0 = any_l () ] - [ return' (result:bool)-> {[@expl:contains_ghost ensures] [%#sfmap2] result = contains'0 self key} - (! return' {result}) ] - + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint64) (y : uint64) : () + + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int + use prelude.prelude.UInt128 + type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int) (y : int) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint128) (y : uint128) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int + use prelude.prelude.UInt128 + type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int) (y : int) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint128) (y : uint128) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int + use prelude.prelude.UInt128 + type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int) (y : int) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint128) (y : uint128) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int + use prelude.prelude.UInt128 + type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int) (y : int) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint128) (y : uint128) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int + use prelude.prelude.UInt128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint128) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int + use prelude.prelude.UInt128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - constant z : int + constant z : uint128 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int) (y : int) (z : int) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint128) (y : uint128) (z : uint128) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int + use prelude.prelude.UInt128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int) (y : int) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint128) (y : uint128) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int + use prelude.prelude.UInt128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int) (y : int) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint128) (y : uint128) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8355372356285216375__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi13757098721041279861__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int + use prelude.prelude.UInt128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int) (o : int) : t_Ordering'0 + use prelude.prelude.Int + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int + constant x : uint128 - constant y : int + constant y : uint128 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int) (y : int) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint128) (y : uint128) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint8) (y : uint8) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : usize) (y : usize) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint8) (y : uint8) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : usize) (y : usize) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint8) (y : uint8) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : usize) (y : usize) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint8) (y : uint8) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : usize) (y : usize) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 @@ -11086,25 +14448,25 @@ module M_creusot_contracts__logic__ord__qyi15418235539824427604__refl [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint8) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : usize) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 @@ -11113,31 +14475,31 @@ module M_creusot_contracts__logic__ord__qyi15418235539824427604__trans [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - constant z : uint8 + constant z : usize constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint8) (y : uint8) (z : uint8) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : usize) (y : usize) (z : usize) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 @@ -11146,26 +14508,26 @@ module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym1 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint8) (y : uint8) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : usize) (y : usize) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 @@ -11174,25 +14536,25 @@ module M_creusot_contracts__logic__ord__qyi15418235539824427604__antisym2 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint8) (y : uint8) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : usize) (y : usize) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi15418235539824427604__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi8186105652185060096__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt8 + use prelude.prelude.UIntSize type t_Ordering'0 = | C_Less'0 @@ -11201,133 +14563,133 @@ module M_creusot_contracts__logic__ord__qyi15418235539824427604__eq_cmp [#"../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint8) (o : uint8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint8 + constant x : usize - constant y : uint8 + constant y : usize - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint8) (y : uint8) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : usize) (y : usize) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint16) (y : uint16) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int8) (y : int8) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint16) (y : uint16) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int8) (y : int8) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint16) (y : uint16) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int8) (y : int8) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint16) (y : uint16) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int8) (y : int8) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 @@ -11336,25 +14698,25 @@ module M_creusot_contracts__logic__ord__qyi7305497527599188430__refl [#"../../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint16) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int8) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 @@ -11363,31 +14725,31 @@ module M_creusot_contracts__logic__ord__qyi7305497527599188430__trans [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - constant z : uint16 + constant z : int8 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint16) (y : uint16) (z : uint16) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int8) (y : int8) (z : int8) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 @@ -11396,26 +14758,26 @@ module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym1 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint16) (y : uint16) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int8) (y : int8) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 @@ -11424,25 +14786,25 @@ module M_creusot_contracts__logic__ord__qyi7305497527599188430__antisym2 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint16) (y : uint16) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int8) (y : int8) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi7305497527599188430__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi18413678402769648790__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt16 + use prelude.prelude.Int8 type t_Ordering'0 = | C_Less'0 @@ -11451,133 +14813,133 @@ module M_creusot_contracts__logic__ord__qyi7305497527599188430__eq_cmp [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint16) (o : uint16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint16 + constant x : int8 - constant y : uint16 + constant y : int8 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint16) (y : uint16) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int8) (y : int8) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint32) (y : uint32) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int16) (y : int16) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint32) (y : uint32) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int16) (y : int16) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint32) (y : uint32) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int16) (y : int16) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint32) (y : uint32) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int16) (y : int16) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 @@ -11586,25 +14948,25 @@ module M_creusot_contracts__logic__ord__qyi4526525114627399862__refl [#"../../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint32) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int16) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 @@ -11613,31 +14975,31 @@ module M_creusot_contracts__logic__ord__qyi4526525114627399862__trans [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - constant z : uint32 + constant z : int16 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint32) (y : uint32) (z : uint32) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int16) (y : int16) (z : int16) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 @@ -11646,26 +15008,26 @@ module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym1 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint32) (y : uint32) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int16) (y : int16) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 @@ -11674,25 +15036,25 @@ module M_creusot_contracts__logic__ord__qyi4526525114627399862__antisym2 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint32) (y : uint32) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int16) (y : int16) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi4526525114627399862__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi8040194823849327911__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt32 + use prelude.prelude.Int16 type t_Ordering'0 = | C_Less'0 @@ -11701,133 +15063,133 @@ module M_creusot_contracts__logic__ord__qyi4526525114627399862__eq_cmp [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint32) (o : uint32) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint32 + constant x : int16 - constant y : uint32 + constant y : int16 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint32) (y : uint32) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int16) (y : int16) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint64) (y : uint64) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int32) (y : int32) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint64) (y : uint64) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int32) (y : int32) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint64) (y : uint64) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int32) (y : int32) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint64) (y : uint64) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int32) (y : int32) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 @@ -11836,25 +15198,25 @@ module M_creusot_contracts__logic__ord__qyi11489483489418918928__refl [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint64) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int32) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 @@ -11863,31 +15225,31 @@ module M_creusot_contracts__logic__ord__qyi11489483489418918928__trans [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - constant z : uint64 + constant z : int32 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint64) (y : uint64) (z : uint64) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int32) (y : int32) (z : int32) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 @@ -11896,26 +15258,26 @@ module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym1 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint64) (y : uint64) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int32) (y : int32) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 @@ -11924,25 +15286,25 @@ module M_creusot_contracts__logic__ord__qyi11489483489418918928__antisym2 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint64) (y : uint64) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int32) (y : int32) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi11489483489418918928__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi211457485035727011__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt64 + use prelude.prelude.Int32 type t_Ordering'0 = | C_Less'0 @@ -11951,133 +15313,133 @@ module M_creusot_contracts__logic__ord__qyi11489483489418918928__eq_cmp [#"../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint64) (o : uint64) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint64 + constant x : int32 - constant y : uint64 + constant y : int32 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint64) (y : uint64) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int32) (y : int32) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : uint128) (y : uint128) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int64) (y : int64) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : uint128) (y : uint128) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int64) (y : int64) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : uint128) (y : uint128) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int64) (y : int64) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : uint128) (y : uint128) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int64) (y : int64) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 @@ -12086,25 +15448,25 @@ module M_creusot_contracts__logic__ord__qyi13757098721041279861__refl [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : uint128) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int64) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 @@ -12113,31 +15475,31 @@ module M_creusot_contracts__logic__ord__qyi13757098721041279861__trans [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - constant z : uint128 + constant z : int64 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : uint128) (y : uint128) (z : uint128) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int64) (y : int64) (z : int64) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 @@ -12146,26 +15508,26 @@ module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym1 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : uint128) (y : uint128) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int64) (y : int64) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 @@ -12174,25 +15536,25 @@ module M_creusot_contracts__logic__ord__qyi13757098721041279861__antisym2 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : uint128) (y : uint128) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int64) (y : int64) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi13757098721041279861__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi2565746305859701215__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UInt128 + use prelude.prelude.Int64 type t_Ordering'0 = | C_Less'0 @@ -12201,133 +15563,133 @@ module M_creusot_contracts__logic__ord__qyi13757098721041279861__eq_cmp [#"../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : uint128) (o : uint128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : uint128 + constant x : int64 - constant y : uint128 + constant y : int64 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : uint128) (y : uint128) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int64) (y : int64) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : usize) (y : usize) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int128) (y : int128) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : usize) (y : usize) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int128) (y : int128) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : usize) (y : usize) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int128) (y : int128) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : usize) (y : usize) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int128) (y : int128) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 @@ -12336,25 +15698,25 @@ module M_creusot_contracts__logic__ord__qyi8186105652185060096__refl [#"../../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : usize) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int128) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 @@ -12363,31 +15725,31 @@ module M_creusot_contracts__logic__ord__qyi8186105652185060096__trans [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - constant z : usize + constant z : int128 constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : usize) (y : usize) (z : usize) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int128) (y : int128) (z : int128) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 @@ -12396,26 +15758,26 @@ module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym1 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : usize) (y : usize) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int128) (y : int128) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 @@ -12424,25 +15786,25 @@ module M_creusot_contracts__logic__ord__qyi8186105652185060096__antisym2 [#"../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : usize) (y : usize) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int128) (y : int128) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8186105652185060096__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi2364657485180829964__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.UIntSize + use prelude.prelude.Int128 type t_Ordering'0 = | C_Less'0 @@ -12451,133 +15813,133 @@ module M_creusot_contracts__logic__ord__qyi8186105652185060096__eq_cmp [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : usize) (o : usize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : usize + constant x : int128 - constant y : usize + constant y : int128 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : usize) (y : usize) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int128) (y : int128) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int8) (y : int8) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : isize) (y : isize) : () goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int8) (y : int8) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : isize) (y : isize) : () goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int8) (y : int8) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : isize) (y : isize) : () goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 use prelude.prelude.Int - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int8) (y : int8) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : isize) (y : isize) : () goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 @@ -12586,25 +15948,25 @@ module M_creusot_contracts__logic__ord__qyi18413678402769648790__refl [#"../../. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int8) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : isize) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 @@ -12613,31 +15975,31 @@ module M_creusot_contracts__logic__ord__qyi18413678402769648790__trans [#"../../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - constant z : int8 + constant z : isize constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int8) (y : int8) (z : int8) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : isize) (y : isize) (z : isize) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 @@ -12646,26 +16008,26 @@ module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym1 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int8) (y : int8) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : isize) (y : isize) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 @@ -12674,25 +16036,25 @@ module M_creusot_contracts__logic__ord__qyi18413678402769648790__antisym2 [#"../ use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int8) (y : int8) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : isize) (y : isize) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi18413678402769648790__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi8047313880300482848__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - use prelude.prelude.Int8 + use prelude.prelude.IntSize type t_Ordering'0 = | C_Less'0 @@ -12701,1548 +16063,1363 @@ module M_creusot_contracts__logic__ord__qyi18413678402769648790__eq_cmp [#"../.. use prelude.prelude.Int - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int8) (o : int8) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 = [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int8 + constant x : isize - constant y : int8 + constant y : isize - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int8) (y : int8) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : isize) (y : isize) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : bool) (o : bool) : bool = + [%#sord2] cmp_log'0 self o <> C_Greater'0 - constant y : int16 + constant x : bool - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int16) (y : int16) : () + constant y : bool - goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : bool) (y : bool) : () + + goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : bool) (o : bool) : bool = + [%#sord2] cmp_log'0 self o = C_Less'0 - constant y : int16 + constant x : bool - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int16) (y : int16) : () + constant y : bool - goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : bool) (y : bool) : () + + goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : bool) (o : bool) : bool = + [%#sord2] cmp_log'0 self o <> C_Less'0 - constant y : int16 + constant x : bool - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int16) (y : int16) : () + constant y : bool - goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : bool) (y : bool) : () + + goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : bool) (o : bool) : bool = + [%#sord2] cmp_log'0 self o = C_Greater'0 - constant y : int16 + constant x : bool - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int16) (y : int16) : () + constant y : bool - goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : bool) (y : bool) : () + + goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + constant x : bool - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int16) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : bool) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int16 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord4] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + constant x : bool - constant y : int16 + constant y : bool - constant z : int16 + constant z : bool constant o : t_Ordering'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int16) (y : int16) (z : int16) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : bool) (y : bool) (z : bool) (o : t_Ordering'0) : () goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int16 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + constant x : bool - constant y : int16 + constant y : bool - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int16) (y : int16) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : bool) (y : bool) : () goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int16 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + constant x : bool - constant y : int16 + constant y : bool - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int16) (y : int16) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : bool) (y : bool) : () goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi8040194823849327911__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) +module M_creusot_contracts__logic__ord__qyi17836724837647357586__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 - - use prelude.prelude.Int16 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int16) (o : int16) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] match (self, o) with + | (False, False) -> C_Equal'0 + | (True, True) -> C_Equal'0 + | (False, True) -> C_Less'0 + | (True, False) -> C_Greater'0 + end - constant x : int16 + constant x : bool - constant y : int16 + constant y : bool - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int16) (y : int16) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : bool) (y : bool) : () goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) end -module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) +module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* <(A, B) as logic::ord::OrdLogic> *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 276 20 276 68 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.Int + type t_A'0 - use prelude.prelude.Int32 + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int32 - constant y : int32 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int32) (y : int32) : () + axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) - use prelude.prelude.Int32 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int32 + axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - constant y : int32 + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int32) (y : int32) : () + axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 - goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int32 + axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'0 x y = (cmp_log'2 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant x : int32 + axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) - constant y : int32 + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int32) (y : int32) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - use prelude.prelude.Int + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int32 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int32 - constant y : int32 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int32) (y : int32) : () + axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int32 + axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int32 + axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int32) : () + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - use prelude.prelude.Int32 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + + axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + + axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + + axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + + function le_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int + function cmp_le_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + axiom cmp_le_log'2_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'2 x y = (cmp_log'1 x y <> C_Greater'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 275 4 275 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool = - [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int32 + [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) + /\ le_log'1 (let (_, a) = self in a) (let (_, a) = o in a) + \/ lt_log'0 (let (a, _) = self in a) (let (a, _) = o in a) - constant y : int32 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + + = + [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - constant z : int32 + constant x : (t_A'0, t_B'0) - constant o : t_Ordering'0 + constant y : (t_A'0, t_B'0) - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int32) (y : int32) (z : int32) (o : t_Ordering'0) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) + goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi211457485035727011__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 282 20 282 67 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.Int32 + type t_A'0 + + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + + axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + + axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + + axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int32 + axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - constant y : int32 + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int32) (y : int32) : () + axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int32 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'0 x y = (cmp_log'2 x y = C_Greater'0) - use prelude.prelude.Int + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 - - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant x : int32 + axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) - constant y : int32 + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int32) (y : int32) : () + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi211457485035727011__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - use prelude.prelude.Int32 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int32) (o : int32) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int32 - - constant y : int32 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int32) (y : int32) : () + axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - use prelude.prelude.Int64 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int64 + axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - constant y : int64 + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int64) (y : int64) : () + axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int64 + axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - constant x : int64 + axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) - constant y : int64 + function lt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int64) (y : int64) : () + function cmp_lt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'2_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'2 x y = (cmp_log'1 x y = C_Less'0) - use prelude.prelude.Int + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int64 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 281 4 281 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) + /\ lt_log'1 (let (_, a) = self in a) (let (_, a) = o in a) + \/ lt_log'2 (let (a, _) = self in a) (let (a, _) = o in a) - constant x : int64 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + + = + [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - constant y : int64 + constant x : (t_A'0, t_B'0) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int64) (y : int64) : () + constant y : (t_A'0, t_B'0) - goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + + + goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 288 20 288 68 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.Int + type t_A'0 - use prelude.prelude.Int64 + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int64 - - constant y : int64 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int64) (y : int64) : () + axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int64 + axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int64 + axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int64) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 - use prelude.prelude.Int64 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 - - = - [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - constant x : int64 + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant y : int64 + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - constant z : int64 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - constant o : t_Ordering'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int64) (y : int64) (z : int64) (o : t_Ordering'0) : () + axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'0 x y = (cmp_log'2 x y = C_Less'0) + + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + + axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int64 + axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + + axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int64 + axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - constant y : int64 + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int64) (y : int64) : () + axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int64 + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - use prelude.prelude.Int + function ge_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 - - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - constant x : int64 + axiom cmp_ge_log'2_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'2 x y = (cmp_log'1 x y <> C_Less'0) - constant y : int64 + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int64) (y : int64) : () + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi2565746305859701215__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) - use prelude.prelude.Int64 + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int64) (o : int64) : t_Ordering'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 287 4 287 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) + /\ ge_log'1 (let (_, a) = self in a) (let (_, a) = o in a) + \/ gt_log'0 (let (a, _) = self in a) (let (a, _) = o in a) - constant x : int64 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + + = + [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - constant y : int64 + constant x : (t_A'0, t_B'0) - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int64) (y : int64) : () + constant y : (t_A'0, t_B'0) - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + + + goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 294 20 294 67 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.Int + type t_A'0 - use prelude.prelude.Int128 + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int128 - constant y : int128 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : int128) (y : int128) : () + axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) - use prelude.prelude.Int128 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int128 + axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - constant y : int128 + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : int128) (y : int128) : () + axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 - goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int128 + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant x : int128 + axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) - constant y : int128 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : int128) (y : int128) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'0 x y = (cmp_log'2 x y = C_Less'0) - use prelude.prelude.Int + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int128 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int128 - - constant y : int128 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : int128) (y : int128) : () + axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int128 + axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : int128 + axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : int128) : () + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - use prelude.prelude.Int128 + function gt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_gt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom cmp_gt_log'2_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'2 x y = (cmp_log'1 x y = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 - - = - [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - constant x : int128 + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - constant y : int128 + axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) - constant z : int128 + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - constant o : t_Ordering'0 + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : int128) (y : int128) (z : int128) (o : t_Ordering'0) : () - + axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.Int128 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) - use prelude.prelude.Int + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 293 4 293 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool + + = + [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) + /\ gt_log'1 (let (_, a) = self in a) (let (_, a) = o in a) + \/ gt_log'2 (let (a, _) = self in a) (let (a, _) = o in a) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - constant x : int128 + constant x : (t_A'0, t_B'0) - constant y : int128 + constant y : (t_A'0, t_B'0) - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : int128) (y : int128) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) + goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.Int128 + type t_A'0 + + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int128 - constant y : int128 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : int128) (y : int128) : () + axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi2364657485180829964__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int128 + axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : int128) (o : int128) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - - constant x : int128 - constant y : int128 + axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : int128) (y : int128) : () + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom refl'1_spec : forall x : t_A'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 - use prelude.prelude.Int + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - use prelude.prelude.IntSize + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - constant x : isize + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - constant y : isize + axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : isize) (y : isize) : () + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - goal vc_cmp_le_log'0 : [%#sord0] (x <= y) = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - use prelude.prelude.IntSize + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - constant x : isize + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + - constant y : isize + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : isize) (y : isize) : () + axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord15] (x = y) = (cmp_log'2 x y = C_Equal'0) - goal vc_cmp_lt_log'0 : [%#sord0] (x < y) = (cmp_log'0 x y = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Greater'0) + -> ([%#sord14] cmp_log'2 y x = C_Less'0) - use prelude.prelude.IntSize + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord11] cmp_log'2 x y = C_Less'0) + -> ([%#sord12] cmp_log'2 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : isize + axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord8] cmp_log'2 x y = o) + -> ([%#sord9] cmp_log'2 y z = o) -> ([%#sord10] cmp_log'2 x z = o) - constant y : isize + function refl'2 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : isize) (y : isize) : () + axiom refl'2_spec : forall x : t_B'0 . [%#sord7] cmp_log'2 x x = C_Equal'0 - goal vc_cmp_ge_log'0 : [%#sord0] (x >= y) = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - use prelude.prelude.Int + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.IntSize + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 - - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant x : isize + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - constant y : isize + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : isize) (y : isize) : () + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - goal vc_cmp_gt_log'0 : [%#sord0] (x > y) = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - use prelude.prelude.IntSize + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord3] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + [%#sord2] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - constant x : isize + constant x : (t_A'0, t_B'0) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : isize) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : (t_A'0, t_B'0)) : () goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) +module M_creusot_contracts__logic__ord__qyi1910662420989811789__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* <(A, B) as logic::ord::OrdLogic> *) let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - use prelude.prelude.IntSize + type t_A'0 + + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - use prelude.prelude.Int - - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord4] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : isize + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - constant y : isize + axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) - constant z : isize + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - constant o : t_Ordering'0 + axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) + -> ([%#sord16] cmp_log'1 y x = C_Less'0) - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : isize) (y : isize) (z : isize) (o : t_Ordering'0) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + + axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) + -> ([%#sord14] cmp_log'1 y x = C_Greater'0) + + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) + -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) - use prelude.prelude.IntSize + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom refl'0_spec : forall x : t_A'0 . [%#sord9] cmp_log'1 x x = C_Equal'0 - use prelude.prelude.Int + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 - - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - constant x : isize + axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - constant y : isize + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : isize) (y : isize) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - use prelude.prelude.IntSize + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - use prelude.prelude.Int + axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 - - = - [%#sord3] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - constant x : isize + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - constant y : isize + axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : isize) (y : isize) : () + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi8047313880300482848__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 186 16 192 17 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.IntSize + axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord17] (x = y) = (cmp_log'2 x y = C_Equal'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - use prelude.prelude.Int + axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord15] cmp_log'2 x y = C_Greater'0) + -> ([%#sord16] cmp_log'2 y x = C_Less'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 185 12 185 49] (self : isize) (o : isize) : t_Ordering'0 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + + axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Less'0) + -> ([%#sord14] cmp_log'2 y x = C_Greater'0) + + function trans'2 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord2] if self < o then C_Less'0 else if self = o then C_Equal'0 else C_Greater'0 - constant x : isize + axiom trans'2_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord10] cmp_log'2 x y = o) + -> ([%#sord11] cmp_log'2 y z = o) -> ([%#sord12] cmp_log'2 x z = o) - constant y : isize + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : isize) (y : isize) : () + axiom refl'1_spec : forall x : t_B'0 . [%#sord9] cmp_log'2 x x = C_Equal'0 - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 25 20 25 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 - - = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord8] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : bool) (o : bool) : bool = - [%#sord2] cmp_log'0 self o <> C_Greater'0 + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - constant x : bool + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - constant y : bool + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : bool) (y : bool) : () + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 36 20 36 53 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + [%#sord4] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : bool) (o : bool) : bool = - [%#sord2] cmp_log'0 self o = C_Less'0 + constant x : (t_A'0, t_B'0) - constant x : bool + constant y : (t_A'0, t_B'0) - constant y : bool + constant z : (t_A'0, t_B'0) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : bool) (y : bool) : () + constant o : t_Ordering'0 - goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) (z : (t_A'0, t_B'0)) (o : t_Ordering'0) : () + + + goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 47 20 47 53 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_A'0 + + type t_B'0 type t_Ordering'0 = | C_Less'0 | C_Equal'0 | C_Greater'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : bool) (o : bool) : bool = - [%#sord2] cmp_log'0 self o <> C_Less'0 + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - constant x : bool + axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - constant y : bool + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : bool) (y : bool) : () + axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 58 20 58 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end - - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : bool) (o : bool) : bool = - [%#sord2] cmp_log'0 self o = C_Greater'0 - constant x : bool + axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - constant y : bool + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : bool) (y : bool) : () + axiom refl'0_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 - - = - [%#sord2] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - constant x : bool + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : bool) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 - - = - [%#sord4] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - constant x : bool + axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - constant y : bool + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - constant z : bool + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - constant o : t_Ordering'0 + axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : bool) (y : bool) (z : bool) (o : t_Ordering'0) : () + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + + axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) + + function antisym1'2 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + + axiom antisym1'2_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end - constant x : bool + axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - constant y : bool + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : bool) (y : bool) : () + axiom refl'1_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 - - = - [%#sord3] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - constant x : bool + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - constant y : bool + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : bool) (y : bool) : () + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi17836724837647357586__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 248 8 253 9 + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 247 4 247 41] (self : bool) (o : bool) : t_Ordering'0 + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 = - [%#sord2] match (self, o) with - | (False, False) -> C_Equal'0 - | (True, True) -> C_Equal'0 - | (False, True) -> C_Less'0 - | (True, False) -> C_Greater'0 - end + [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r + - constant x : bool + constant x : (t_A'0, t_B'0) - constant y : bool + constant y : (t_A'0, t_B'0) - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : bool) (y : bool) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) + goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_le_log [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 129 39 129 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 127 8 127 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 276 20 276 68 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 @@ -14267,114 +17444,107 @@ module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_le_log [#".. | C_Equal'0 | C_Greater'0 - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () - axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () - axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) + -> ([%#sord15] cmp_log'1 y x = C_Less'0) - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () - axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) + -> ([%#sord13] cmp_log'1 y x = C_Greater'0) - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) + -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + axiom refl'0_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'0 x y = (cmp_log'2 x y = C_Greater'0) + axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) + axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 + function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + function antisym2'2 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + axiom antisym2'2_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) + -> ([%#sord15] cmp_log'2 y x = C_Less'0) - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) + -> ([%#sord13] cmp_log'2 y x = C_Greater'0) - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) + -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) - axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + axiom refl'1_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - function le_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - function cmp_le_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - axiom cmp_le_log'2_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'2 x y = (cmp_log'1 x y <> C_Greater'0) + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 275 4 275 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool - - = - [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) - /\ le_log'1 (let (_, a) = self in a) (let (_, a) = o in a) - \/ lt_log'0 (let (a, _) = self in a) (let (a, _) = o in a) + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 @@ -14389,1650 +17559,2429 @@ module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_le_log [#".. constant y : (t_A'0, t_B'0) - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 130 8 130 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - goal vc_cmp_le_log'0 : [%#sord0] le_log'0 x y = (cmp_log'0 x y <> C_Greater'0) + goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_lt_log [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 134 39 134 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 132 8 132 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 282 20 282 67 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__logic__ord__qyi1910662420989811789__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* <(A, B) as logic::ord::OrdLogic> *) + let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 + let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 + let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 + let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 + let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 + let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 + let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 + let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 + let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 + let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 + let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 + let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 + let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 + let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 + let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 + let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + + type t_A'0 + + type t_B'0 + + type t_Ordering'0 = + | C_Less'0 + | C_Equal'0 + | C_Greater'0 + + function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 + + + function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + + axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + + function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + + axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) + -> ([%#sord14] cmp_log'1 y x = C_Less'0) + + function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + + axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) + -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + + function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + + + axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) + -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + + function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + + axiom refl'0_spec : forall x : t_A'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + + function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + + function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + + axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + + function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + + function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + + axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + + function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + + function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + + axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) - type t_A'0 + function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool - type t_B'0 + function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + function eq_cmp'2 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + axiom eq_cmp'2_spec : forall x : t_B'0, y : t_B'0 . [%#sord15] (x = y) = (cmp_log'2 x y = C_Equal'0) - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () - axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Greater'0) + -> ([%#sord14] cmp_log'2 y x = C_Less'0) - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () - axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord11] cmp_log'2 x y = C_Less'0) + -> ([%#sord12] cmp_log'2 y x = C_Greater'0) - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () + function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord8] cmp_log'2 x y = o) + -> ([%#sord9] cmp_log'2 y z = o) -> ([%#sord10] cmp_log'2 x z = o) - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () - axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + axiom refl'1_spec : forall x : t_B'0 . [%#sord7] cmp_log'2 x x = C_Equal'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () - axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'0 x y = (cmp_log'2 x y = C_Greater'0) + axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () - axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) + axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () - axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) + axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord3] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 + function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + + = + [%#sord2] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then + cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) + else + r - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + constant x : (t_A'0, t_B'0) - axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + constant y : (t_A'0, t_B'0) - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + - axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) +end +module M_creusot_contracts__logic__seq__qyi345269549310492227__concat_contains [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (* logic::seq::Seq *) + let%span sseq0 = "../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq1 = "../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + let%span sseq2 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + type t_T'0 - axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use seq.Seq - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - + use seq.Seq - axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use prelude.prelude.Int - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + use seq.Seq - axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + use seq.Seq - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq2] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + constant _1 : () - axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'1 x y = (cmp_log'1 x y = C_Greater'0) + function concat_contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 384 4 386 17] (_1 : ()) : () - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + goal vc_concat_contains'0 : [%#sseq0] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'0 (Seq.(++) a b) x + = contains'0 a x + \/ contains'0 b x +end +module M_creusot_contracts__ptr_own__qyi17842610664047605351__new [#"../../../creusot-contracts/src/ptr_own.rs" 52 4 52 56] (* ptr_own::PtrOwn *) + let%span sptr_own0 = "../../../creusot-contracts/src/ptr_own.rs" 52 15 52 16 + let%span sptr_own1 = "../../../creusot-contracts/src/ptr_own.rs" 52 24 52 56 + let%span sptr_own2 = "../../../creusot-contracts/src/ptr_own.rs" 51 14 51 64 + let%span sptr_own3 = "../../../creusot-contracts/src/ptr_own.rs" 61 20 61 23 + let%span sptr_own4 = "../../../creusot-contracts/src/ptr_own.rs" 61 36 61 68 + let%span sptr_own5 = "../../../creusot-contracts/src/ptr_own.rs" 60 14 60 67 + let%span sghost6 = "../../../creusot-contracts/src/ghost.rs" 217 9 217 15 + let%span sboxed7 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + let%span sptr_own8 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 + let%span sptr9 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 + let%span sptr10 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + type t_T'0 - axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - function lt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed7] inv'0 self - function cmp_lt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - axiom cmp_lt_log'2_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'2 x y = (cmp_log'1 x y = C_Less'0) + axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'0 x - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.Opaque - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + type t_PtrOwn'0 - axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + type t_GhostBox'0 = + { t_GhostBox__0'0: t_PtrOwn'0 } - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 281 4 281 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool - - = - [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) - /\ lt_log'1 (let (_, a) = self in a) (let (_, a) = o in a) - \/ lt_log'2 (let (a, _) = self in a) (let (a, _) = o in a) + use prelude.prelude.Borrow - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 - - = - [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - + function ptr'0 [#"../../../creusot-contracts/src/ptr_own.rs" 26 4 26 34] (self : t_PtrOwn'0) : opaque_ptr - constant x : (t_A'0, t_B'0) + use prelude.prelude.Int - constant y : (t_A'0, t_B'0) + function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 135 8 135 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () + function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool = + [%#sptr10] addr_logic'0 self = 0 + + axiom is_null_logic'0_spec : forall self : opaque_ptr . [%#sptr9] is_null_logic'0 self = (addr_logic'0 self = 0) + + function val'0 [#"../../../creusot-contracts/src/ptr_own.rs" 33 4 33 34] (self : t_PtrOwn'0) : t_T'0 + + predicate invariant'2 [#"../../../creusot-contracts/src/ptr_own.rs" 43 4 43 30] (self : t_PtrOwn'0) = + [%#sptr_own8] not is_null_logic'0 (ptr'0 self) /\ inv'2 (val'0 self) + + predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + + axiom inv_axiom'4 [@rewrite] : forall x : t_PtrOwn'0 [inv'5 x] . inv'5 x = invariant'2 x + + predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_PtrOwn'0) = + [%#sboxed7] inv'5 self + + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + + axiom inv_axiom'3 [@rewrite] : forall x : t_PtrOwn'0 [inv'4 x] . inv'4 x = invariant'1 x + + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . inv'3 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 + end + + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : (opaque_ptr, t_GhostBox'0)) + + axiom inv_axiom'0 [@rewrite] : forall x : (opaque_ptr, t_GhostBox'0) [inv'1 x] . inv'1 x + = (let (x0, x1) = x in inv'3 x1) + + function inner_logic'0 [#"../../../creusot-contracts/src/ghost.rs" 216 4 216 33] (self : t_GhostBox'0) : t_PtrOwn'0 = + [%#sghost6] self.t_GhostBox__0'0 + + let rec from_box'0 (val':t_T'0) (return' (ret:(opaque_ptr, t_GhostBox'0)))= {[@expl:from_box 'val' type invariant] [%#sptr_own3] inv'2 val'} + any + [ return' (result:(opaque_ptr, t_GhostBox'0))-> {[%#sptr_own4] inv'1 result} + {[%#sptr_own5] ptr'0 (inner_logic'0 (let (_, a) = result in a)) = (let (a, _) = result in a) + /\ val'0 (inner_logic'0 (let (_, a) = result in a)) = val'} + (! return' {result}) ] - goal vc_cmp_lt_log'0 : [%#sord0] lt_log'0 x y = (cmp_log'0 x y = C_Less'0) + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec new'0 (v:t_T'0) (return' (ret:(opaque_ptr, t_GhostBox'0)))= {[@expl:new 'v' type invariant] [%#sptr_own0] inv'0 v} + (! bb0 + [ bb0 = bb1 + | bb1 = bb2 + | bb2 = s0 [ s0 = from_box'0 {v} (fun (_ret':(opaque_ptr, t_GhostBox'0)) -> [ &_0 <- _ret' ] s1) | s1 = bb3 ] + | bb3 = bb4 + | bb4 = return' {_0} ] + ) [ & _0 : (opaque_ptr, t_GhostBox'0) = any_l () | & v : t_T'0 = v ] + [ return' (result:(opaque_ptr, t_GhostBox'0))-> {[@expl:new result type invariant] [%#sptr_own1] inv'1 result} + {[@expl:new ensures] [%#sptr_own2] ptr'0 (inner_logic'0 (let (_, a) = result in a)) = (let (a, _) = result in a) + /\ val'0 (inner_logic'0 (let (_, a) = result in a)) = v} + (! return' {result}) ] + end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_ge_log [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 139 39 139 86 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 137 8 137 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 288 20 288 68 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__ptr_own__qyi17842610664047605351__drop [#"../../../creusot-contracts/src/ptr_own.rs" 98 4 98 57] (* ptr_own::PtrOwn *) + let%span sptr_own0 = "../../../creusot-contracts/src/ptr_own.rs" 98 32 98 35 + let%span sptr_own1 = "../../../creusot-contracts/src/ptr_own.rs" 97 15 97 31 + let%span sptr_own2 = "../../../creusot-contracts/src/ptr_own.rs" 92 34 92 37 + let%span sptr_own3 = "../../../creusot-contracts/src/ptr_own.rs" 89 15 89 31 + let%span sptr_own4 = "../../../creusot-contracts/src/ptr_own.rs" 92 63 92 69 + let%span sptr_own5 = "../../../creusot-contracts/src/ptr_own.rs" 90 14 90 35 + let%span sghost6 = "../../../creusot-contracts/src/ghost.rs" 217 9 217 15 + let%span sresolve7 = "../../../creusot-contracts/src/resolve.rs" 68 8 68 23 + let%span sboxed8 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 + let%span sptr_own9 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 + let%span sptr10 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 + let%span sptr11 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 - type t_A'0 + type t_PtrOwn'0 - type t_B'0 + type t_GhostBox'0 = + { t_GhostBox__0'0: t_PtrOwn'0 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + use prelude.prelude.Borrow - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - + use prelude.prelude.Opaque - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + function ptr'0 [#"../../../creusot-contracts/src/ptr_own.rs" 26 4 26 34] (self : t_PtrOwn'0) : opaque_ptr - axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + use prelude.prelude.Int + + function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool = + [%#sptr11] addr_logic'0 self = 0 - axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + axiom is_null_logic'0_spec : forall self : opaque_ptr . [%#sptr10] is_null_logic'0 self = (addr_logic'0 self = 0) - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + type t_T'0 - axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + function val'0 [#"../../../creusot-contracts/src/ptr_own.rs" 33 4 33 34] (self : t_PtrOwn'0) : t_T'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - + predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = + [%#sboxed8] inv'3 self - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + axiom inv_axiom'0 [@rewrite] : forall x : t_T'0 [inv'0 x] . inv'0 x = invariant'0 x - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + predicate invariant'2 [#"../../../creusot-contracts/src/ptr_own.rs" 43 4 43 30] (self : t_PtrOwn'0) = + [%#sptr_own9] not is_null_logic'0 (ptr'0 self) /\ inv'0 (val'0 self) - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) - axiom cmp_gt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + axiom inv_axiom'3 [@rewrite] : forall x : t_PtrOwn'0 [inv'4 x] . inv'4 x = invariant'2 x - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_PtrOwn'0) = + [%#sboxed8] inv'4 self - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + axiom inv_axiom'2 [@rewrite] : forall x : t_PtrOwn'0 [inv'2 x] . inv'2 x = invariant'1 x - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x + = match x with + | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 + end - axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'0 x y = (cmp_log'2 x y = C_Less'0) + function inner_logic'0 [#"../../../creusot-contracts/src/ghost.rs" 216 4 216 33] (self : t_GhostBox'0) : t_PtrOwn'0 = + [%#sghost6] self.t_GhostBox__0'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + let rec to_box'0 (ptr:opaque_ptr) (own:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:to_box 'own' type invariant] [%#sptr_own2] inv'1 own} + {[@expl:to_box requires] [%#sptr_own3] ptr = ptr'0 (inner_logic'0 own)} + any + [ return' (result:t_T'0)-> {[%#sptr_own4] inv'0 result} + {[%#sptr_own5] result = val'0 (inner_logic'0 own)} + (! return' {result}) ] + - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) - axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 67 4 67 28] (self : t_T'0) = + [%#sresolve7] resolve'2 self - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) = + resolve'1 _1 - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.Intrinsic - axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + meta "compute_max_steps" 1000000 - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + let rec drop'0 (ptr:opaque_ptr) (own:t_GhostBox'0) (return' (ret:()))= {[@expl:drop 'own' type invariant] [%#sptr_own0] inv'1 own} + {[@expl:drop requires] [%#sptr_own1] ptr = ptr'0 (inner_logic'0 own)} + (! bb0 + [ bb0 = s0 [ s0 = to_box'0 {ptr} {own} (fun (_ret':t_T'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = {[@expl:type invariant] inv'0 _4} s1 | s1 = -{resolve'0 _4}- s2 | s2 = bb2 ] + | bb2 = bb3 + | bb3 = return' {_0} ] + ) [ & _0 : () = any_l () | & ptr : opaque_ptr = ptr | & own : t_GhostBox'0 = own | & _4 : t_T'0 = any_l () ] + [ return' (result:())-> (! return' {result}) ] + +end +module M_creusot_contracts__resolve__qyi4855891653524509355__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 47 4 47 31] (* <(T1, T2) as resolve::Resolve> *) + let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 45 15 45 39 + let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 46 14 46 31 + let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 43 4 43 23 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 40 8 40 44 - axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use prelude.prelude.Borrow - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + type t_T1'0 - axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + type t_T2'0 - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T2'0) - axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T1'0) - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : (t_T1'0, t_T2'0)) = + match _1 with + | (x0, x1) -> resolve'1 x1 /\ resolve'2 x0 + end - axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 39 4 39 28] (self : (t_T1'0, t_T2'0)) = + [%#sresolve3] resolve'2 (let (a, _) = self in a) /\ resolve'1 (let (_, a) = self in a) - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + constant self : (t_T1'0, t_T2'0) - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 47 4 47 31] (self : (t_T1'0, t_T2'0)) : () - axiom cmp_gt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) +end +module M_creusot_contracts__resolve__qyi6740873903368268328__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 61 4 61 31] (* <&mut T as resolve::Resolve> *) + let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 59 15 59 39 + let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 60 14 60 31 + let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 57 4 57 23 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - function ge_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.Borrow - function cmp_ge_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + type t_T'0 - axiom cmp_ge_log'2_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'2 x y = (cmp_log'1 x y <> C_Less'0) + predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : borrowed t_T'0) = + _1.final = _1.current - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = + [%#sresolve3] self.final = self.current - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + constant self : borrowed t_T'0 - axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) + function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 61 4 61 31] (self : borrowed t_T'0) : () - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) +end +module M_creusot_contracts__resolve__qyi10830812895881240411__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 75 4 75 31] (* as resolve::Resolve> *) + let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 73 15 73 39 + let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 74 14 74 31 + let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 71 4 71 23 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 68 8 68 23 - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.Borrow - axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + type t_T'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 287 4 287 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool - - = - [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) - /\ ge_log'1 (let (_, a) = self in a) (let (_, a) = o in a) - \/ gt_log'0 (let (a, _) = self in a) (let (a, _) = o in a) + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 - - = - [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - + predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_T'0) = + resolve'1 _1 - constant x : (t_A'0, t_B'0) + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 67 4 67 28] (self : t_T'0) = + [%#sresolve3] resolve'1 self - constant y : (t_A'0, t_B'0) + constant self : t_T'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 140 8 140 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - + function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 75 4 75 31] (self : t_T'0) : () - goal vc_cmp_ge_log'0 : [%#sord0] ge_log'0 x y = (cmp_log'0 x y <> C_Less'0) + goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__cmp_gt_log [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 144 39 144 89 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 142 8 142 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 294 20 294 67 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 +module M_creusot_contracts__resolve__qyi12875730110607858017__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 92 4 92 31] (* as resolve::Resolve> *) + let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 90 15 90 39 + let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 91 14 91 31 + let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 88 4 88 23 + let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 82 8 85 9 - type t_A'0 + use prelude.prelude.Borrow - type t_B'0 + type t_T'0 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - + predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_Option'0) = + match _1 with + | C_None'0 -> true + | C_Some'0 x0 -> resolve'1 x0 + end - axiom eq_cmp'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 81 4 81 28] (self : t_Option'0) = + [%#sresolve3] match self with + | C_Some'0 x -> resolve'1 x + | C_None'0 -> true + end - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + constant self : t_Option'0 - axiom antisym2'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 92 4 92 31] (self : t_Option'0) : () - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) +end +module M_creusot_contracts__snapshot__qyi5567339964777190687__clone [#"../../../creusot-contracts/src/snapshot.rs" 59 4 59 27] (* as std::clone::Clone> *) + let%span ssnapshot0 = "../../../creusot-contracts/src/snapshot.rs" 58 14 58 29 - axiom antisym1'0_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + type t_T'0 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - + use prelude.prelude.Snapshot - axiom trans'0_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + use prelude.prelude.Intrinsic - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + use prelude.prelude.Borrow - axiom refl'0_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + meta "compute_max_steps" 1000000 - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + let rec clone'0 (self:Snapshot.snap_ty t_T'0) (return' (ret:Snapshot.snap_ty t_T'0))= (! bb0 + [ bb0 = s0 [ s0 = [ &_0 <- self ] s1 | s1 = return' {_0} ] ] + ) [ & _0 : Snapshot.snap_ty t_T'0 = any_l () | & self : Snapshot.snap_ty t_T'0 = self ] + [ return' (result:Snapshot.snap_ty t_T'0)-> {[@expl:clone ensures] [%#ssnapshot0] result = self} + (! return' {result}) ] + +end +module M_creusot_contracts__util__unwrap [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] + let%span sutil0 = "../../../creusot-contracts/src/util.rs" 55 11 55 21 + let%span sutil1 = "../../../creusot-contracts/src/util.rs" 56 10 56 28 + let%span sutil2 = "../../../creusot-contracts/src/util.rs" 45 11 45 16 + let%span sutil3 = "../../../creusot-contracts/src/util.rs" 46 10 46 15 + let%span sutil4 = "../../../creusot-contracts/src/util.rs" 47 10 47 11 + let%span sutil5 = "../../../creusot-contracts/src/util.rs" 58 4 61 5 - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + type t_T'0 - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + type t_Option'0 = + | C_None'0 + | C_Some'0 t_T'0 - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + function unreachable'0 [#"../../../creusot-contracts/src/util.rs" 48 0 48 28] (_1 : ()) : t_T'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + axiom unreachable'0_spec : forall _1 : () . ([%#sutil2] false) -> ([%#sutil3] false) - axiom cmp_ge_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'0 x y = (cmp_log'2 x y <> C_Less'0) + constant op : t_Option'0 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + function unwrap'0 [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] (op : t_Option'0) : t_T'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + goal vc_unwrap'0 : ([%#sutil0] op <> C_None'0) + -> match op with + | C_Some'0 t -> [%#sutil1] C_Some'0 t = op + | C_None'0 -> ([@expl:unreachable requires] [%#sutil2] false) + /\ (([%#sutil3] false) -> ([%#sutil1] C_Some'0 (unreachable'0 ()) = op)) + end +end +module M_creusot_contracts__stdqy35z1__array__qyi15505960269205342033__produces_refl__refines [#"../../../creusot-contracts/src/std/array.rs" 73 4 73 26] (* as std::iter::Iterator> *) + let%span sarray0 = "../../../creusot-contracts/src/std/array.rs" 73 4 73 26 + let%span sarray1 = "../../../creusot-contracts/src/std/array.rs" 61 20 61 47 - axiom cmp_lt_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'0 x y = (cmp_log'2 x y = C_Less'0) + use prelude.prelude.Slice - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + type t_T'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + type t_ManuallyDrop'0 = + { t_ManuallyDrop__value'0: t_T'0 } - axiom cmp_le_log'0_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'0 x y = (cmp_log'2 x y <> C_Greater'0) + type t_MaybeUninit'0 = + { t_MaybeUninit__uninit'0: (); t_MaybeUninit__value'0: t_ManuallyDrop'0 } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + use prelude.prelude.UIntSize - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + type t_IndexRange'0 = + { t_IndexRange__start'0: usize; t_IndexRange__end'0: usize } - axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_IntoIter'0 = + { t_IntoIter__data'0: array (t_MaybeUninit'0); t_IntoIter__alive'0: t_IndexRange'0 } - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use seq.Seq - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + function view'0 [#"../../../creusot-contracts/src/std/array.rs" 52 4 52 33] (self : t_IntoIter'0) : Seq.seq t_T'0 - axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use seq.Seq - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/array.rs" 60 4 60 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + = + [%#sarray1] view'0 self = Seq.(++) visited (view'0 o) - axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) - - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () - - axiom refl'1_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 - - function gt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool - - function cmp_gt_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () - - axiom cmp_gt_log'2_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'2 x y = (cmp_log'1 x y = C_Greater'0) + goal refines : [%#sarray0] forall self : t_IntoIter'0 . forall result : () . produces'0 self (Seq.empty : Seq.seq t_T'0) self + -> produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__array__qyi15505960269205342033__produces_trans__refines [#"../../../creusot-contracts/src/std/array.rs" 80 4 80 90] (* as std::iter::Iterator> *) + let%span sarray0 = "../../../creusot-contracts/src/std/array.rs" 80 4 80 90 + let%span sarray1 = "../../../creusot-contracts/src/std/array.rs" 61 20 61 47 - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.Slice - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + type t_T'0 - axiom cmp_ge_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'1 x y = (cmp_log'1 x y <> C_Less'0) + type t_ManuallyDrop'0 = + { t_ManuallyDrop__value'0: t_T'0 } - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + type t_MaybeUninit'0 = + { t_MaybeUninit__uninit'0: (); t_MaybeUninit__value'0: t_ManuallyDrop'0 } - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.UIntSize - axiom cmp_lt_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'1 x y = (cmp_log'1 x y = C_Less'0) + type t_IndexRange'0 = + { t_IndexRange__start'0: usize; t_IndexRange__end'0: usize } - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + type t_IntoIter'0 = + { t_IntoIter__data'0: array (t_MaybeUninit'0); t_IntoIter__alive'0: t_IndexRange'0 } - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom cmp_le_log'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'1 x y = (cmp_log'1 x y <> C_Greater'0) + function view'0 [#"../../../creusot-contracts/src/std/array.rs" 52 4 52 33] (self : t_IntoIter'0) : Seq.seq t_T'0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 293 4 293 36] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : bool - - = - [%#sord2] (let (a, _) = self in a) = (let (a, _) = o in a) - /\ gt_log'1 (let (_, a) = self in a) (let (_, a) = o in a) - \/ gt_log'2 (let (a, _) = self in a) (let (a, _) = o in a) + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + predicate produces'0 [#"../../../creusot-contracts/src/std/array.rs" 60 4 60 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) = - [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - - - constant x : (t_A'0, t_B'0) - - constant y : (t_A'0, t_B'0) - - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 145 8 145 39] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - + [%#sarray1] view'0 self = Seq.(++) visited (view'0 o) - goal vc_cmp_gt_log'0 : [%#sord0] gt_log'0 x y = (cmp_log'0 x y = C_Greater'0) + goal refines : [%#sarray0] forall a : t_IntoIter'0 . forall ab : Seq.seq t_T'0 . forall b : t_IntoIter'0 . forall bc : Seq.seq t_T'0 . forall c : t_IntoIter'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__refl [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 149 39 149 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 147 8 147 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 - - type t_A'0 +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi8545377735181223672__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 79 4 79 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 79 4 79 26 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 56 12 66 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - type t_B'0 + use prelude.prelude.UInt16 - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.Opaque - axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.UIntSize - axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'2 = + | C_None'2 + | C_Some'2 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'2; t_RawIntoIter__marker'0: () } + + type t_IntoIter'1 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - axiom refl'1_spec : forall x : t_A'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + use seq.Seq - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + type t_K'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + type t_V'0 - axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use seq.Seq - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + type t_FMap'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 45 4 45 33] (self : t_IntoIter'0) : t_FMap'0 + - axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + use prelude.prelude.Int - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use seq.Seq - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + use seq.Seq - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_DeepModelTy'0 - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord15] (x = y) = (cmp_log'2 x y = C_Equal'0) + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + use map.Map - axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Greater'0) - -> ([%#sord14] cmp_log'2 y x = C_Less'0) + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) + - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap6] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord11] cmp_log'2 x y = C_Less'0) - -> ([%#sord12] cmp_log'2 y x = C_Greater'0) + use map.Map - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + = + [%#sfmap5] Map.get (view'1 self) k - axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord8] cmp_log'2 x y = o) - -> ([%#sord9] cmp_log'2 y z = o) -> ([%#sord10] cmp_log'2 x z = o) + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + + = + [%#sfmap4] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - function refl'2 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 53 4 53 64] (self : t_IntoIter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_IntoIter'0) + + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'0 k1 = k /\ contains'0 visited (k1, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) + + goal refines : [%#shash_map0] forall self : t_IntoIter'0 . forall result : () . produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self + -> produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi8545377735181223672__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 86 4 86 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 86 4 86 90 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 56 12 66 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - axiom refl'2_spec : forall x : t_B'0 . [%#sord7] cmp_log'2 x x = C_Equal'0 + use prelude.prelude.UInt16 - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + use prelude.prelude.Opaque - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + use prelude.prelude.UIntSize - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'2 = + | C_None'2 + | C_Some'2 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'2; t_RawIntoIter__marker'0: () } + + type t_IntoIter'1 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord3] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + type t_K'0 - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 - - = - [%#sord2] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - + type t_V'0 - constant x : (t_A'0, t_B'0) + use seq.Seq - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 150 8 150 24] (x : (t_A'0, t_B'0)) : () + type t_FMap'0 - goal vc_refl'0 : [%#sord0] cmp_log'0 x x = C_Equal'0 -end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__trans [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 154 40 154 57 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 155 40 155 57 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 156 39 156 56 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 152 8 152 35 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord17 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 45 4 45 33] (self : t_IntoIter'0) : t_FMap'0 + - type t_A'0 + use prelude.prelude.Int - type t_B'0 + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + use seq.Seq - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord17] (x = y) = (cmp_log'1 x y = C_Equal'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + type t_DeepModelTy'0 - axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord15] cmp_log'1 x y = C_Greater'0) - -> ([%#sord16] cmp_log'1 y x = C_Less'0) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord13] cmp_log'1 x y = C_Less'0) - -> ([%#sord14] cmp_log'1 y x = C_Greater'0) + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + use map.Map + + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) - axiom trans'1_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord10] cmp_log'1 x y = o) - -> ([%#sord11] cmp_log'1 y z = o) -> ([%#sord12] cmp_log'1 x z = o) + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap6] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + use map.Map - axiom refl'0_spec : forall x : t_A'0 . [%#sord9] cmp_log'1 x x = C_Equal'0 + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + + = + [%#sfmap5] Map.get (view'1 self) k - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + + = + [%#sfmap4] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 53 4 53 64] (self : t_IntoIter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_IntoIter'0) + + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'0 k1 = k /\ contains'0 visited (k1, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) - axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord8] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use seq.Seq - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + goal refines : [%#shash_map0] forall a : t_IntoIter'0 . forall ab : Seq.seq (t_K'0, t_V'0) . forall b : t_IntoIter'0 . forall bc : Seq.seq (t_K'0, t_V'0) . forall c : t_IntoIter'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi17813512624381000997__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 138 4 138 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 138 4 138 90 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 108 12 118 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span smodel4 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.UInt16 - axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.Opaque - axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use prelude.prelude.UIntSize - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + type t_Iter'1 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord17] (x = y) = (cmp_log'2 x y = C_Equal'0) + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.Borrow - axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord15] cmp_log'2 x y = C_Greater'0) - -> ([%#sord16] cmp_log'2 y x = C_Less'0) + type t_K'0 - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + type t_V'0 - axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Less'0) - -> ([%#sord14] cmp_log'2 y x = C_Greater'0) + use seq.Seq - function trans'2 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () + type t_FMap'0 + + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 97 4 97 33] (self : t_Iter'0) : t_FMap'0 - axiom trans'2_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord10] cmp_log'2 x y = o) - -> ([%#sord11] cmp_log'2 y z = o) -> ([%#sord12] cmp_log'2 x z = o) + use prelude.prelude.Int - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom refl'1_spec : forall x : t_B'0 . [%#sord9] cmp_log'2 x x = C_Equal'0 + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + use seq.Seq - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + use seq.Seq - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord8] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + type t_DeepModelTy'0 - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_K'0) : t_DeepModelTy'0 = + [%#smodel4] deep_model'1 self - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + use map.Map - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) + - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + use map.Map - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 = - [%#sord4] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r + [%#sfmap6] Map.get (view'1 self) k + + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + = + [%#sfmap5] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - constant x : (t_A'0, t_B'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 105 4 105 64] (self : t_Iter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_Iter'0) + + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k2 : t_K'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) - constant y : (t_A'0, t_B'0) + use seq.Seq - constant z : (t_A'0, t_B'0) + goal refines : [%#shash_map0] forall a : t_Iter'0 . forall ab : Seq.seq (t_K'0, t_V'0) . forall b : t_Iter'0 . forall bc : Seq.seq (t_K'0, t_V'0) . forall c : t_Iter'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi17813512624381000997__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 131 4 131 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 131 4 131 26 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 108 12 118 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span smodel4 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sfmap5 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - constant o : t_Ordering'0 + use prelude.prelude.UInt16 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 157 8 157 56] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) (z : (t_A'0, t_B'0)) (o : t_Ordering'0) : () - + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - goal vc_trans'0 : ([%#sord1] cmp_log'0 y z = o) -> ([%#sord0] cmp_log'0 x y = o) -> ([%#sord2] cmp_log'0 x z = o) -end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__antisym1 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 161 40 161 70 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 162 39 162 72 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 159 8 159 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - type t_A'0 + use prelude.prelude.Opaque - type t_B'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.UIntSize - axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + type t_Iter'1 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom antisym1'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use prelude.prelude.Borrow - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + type t_K'0 + + type t_V'0 + + use seq.Seq + + type t_FMap'0 + + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 97 4 97 33] (self : t_Iter'0) : t_FMap'0 - axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + use prelude.prelude.Int - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom refl'0_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + use seq.Seq - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) + + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + type t_DeepModelTy'0 - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_K'0) : t_DeepModelTy'0 = + [%#smodel4] deep_model'1 self - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 - axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + use map.Map - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) + - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + use map.Map + + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + + = + [%#sfmap6] Map.get (view'1 self) k - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + = + [%#sfmap5] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 105 4 105 64] (self : t_Iter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_Iter'0) + + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k2 : t_K'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) + + goal refines : [%#shash_map0] forall self : t_Iter'0 . forall result : () . produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self + -> produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi16052569838167755124__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 190 4 190 90] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 190 4 190 90 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 160 12 170 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span smodel5 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + use prelude.prelude.UInt16 - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function antisym1'2 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.Opaque - axiom antisym1'2_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + use prelude.prelude.UIntSize - axiom refl'1_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + type t_IterMut'1 = + { t_IterMut__inner'0: t_RawIter'0; t_IterMut__marker'0: () } - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + type t_IterMut'0 = + { t_IterMut__base'0: t_IterMut'1 } - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + use prelude.prelude.Borrow - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + type t_K'0 - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + type t_V'0 - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + use seq.Seq - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + type t_FMap'0 - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 149 4 149 33] (self : t_IterMut'0) : t_FMap'0 + - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + use prelude.prelude.Int - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + use seq.Seq - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + use seq.Seq + + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (x : (t_K'0, borrowed t_V'0)) = - [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - constant x : (t_A'0, t_B'0) + type t_DeepModelTy'0 - constant y : (t_A'0, t_B'0) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 163 8 163 37] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_V'0) - goal vc_antisym1'0 : ([%#sord0] cmp_log'0 x y = C_Less'0) -> ([%#sord1] cmp_log'0 y x = C_Greater'0) -end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__antisym2 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 167 40 167 73 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 168 39 168 69 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 165 8 165 35 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord16 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + type t_Option'1 = + | C_None'1 + | C_Some'1 (borrowed t_V'0) - type t_A'0 + use map.Map - type t_B'0 + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) + - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 + use map.Map + + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + = + [%#sfmap6] Map.get (view'1 self) k - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + + = + [%#sfmap4] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - axiom eq_cmp'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord16] (x = y) = (cmp_log'1 x y = C_Equal'0) + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_K'0) : t_DeepModelTy'0 = + [%#smodel5] deep_model'0 self - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 157 4 157 64] (self : t_IterMut'0) (visited : Seq.seq (t_K'0, borrowed t_V'0)) (o : t_IterMut'0) + + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : borrowed t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : borrowed t_V'0 . deep_model'1 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'1 k1 = k /\ contains'0 visited (k1, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'1 (let (a, _) = Seq.get visited i1 in a) = deep_model'1 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) - axiom antisym2'1_spec : forall x : t_A'0, y : t_A'0 . ([%#sord14] cmp_log'1 x y = C_Greater'0) - -> ([%#sord15] cmp_log'1 y x = C_Less'0) + use seq.Seq - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + goal refines : [%#shash_map0] forall a : t_IterMut'0 . forall ab : Seq.seq (t_K'0, borrowed t_V'0) . forall b : t_IterMut'0 . forall bc : Seq.seq (t_K'0, borrowed t_V'0) . forall c : t_IterMut'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_map__qyi16052569838167755124__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 183 4 183 26] (* as std::iter::Iterator> *) + let%span shash_map0 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 183 4 183 26 + let%span shash_map1 = "../../../creusot-contracts/src/std/collections/hash_map.rs" 160 12 170 29 + let%span sfmap2 = "../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sseq3 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap4 = "../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span smodel5 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sfmap6 = "../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap7 = "../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 - axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord12] cmp_log'1 x y = C_Less'0) - -> ([%#sord13] cmp_log'1 y x = C_Greater'0) + use prelude.prelude.UInt16 - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () - + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord9] cmp_log'1 x y = o) - -> ([%#sord10] cmp_log'1 y z = o) -> ([%#sord11] cmp_log'1 x z = o) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + use prelude.prelude.Opaque - axiom refl'0_spec : forall x : t_A'0 . [%#sord8] cmp_log'1 x x = C_Equal'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord7] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + use prelude.prelude.UIntSize - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + type t_IterMut'1 = + { t_IterMut__inner'0: t_RawIter'0; t_IterMut__marker'0: () } - axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + type t_IterMut'0 = + { t_IterMut__base'0: t_IterMut'1 } - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + use seq.Seq - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + use prelude.prelude.Borrow - axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + type t_K'0 - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + type t_V'0 - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_FMap'0 - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 149 4 149 33] (self : t_IterMut'0) : t_FMap'0 - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () - - axiom eq_cmp'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord16] (x = y) = (cmp_log'2 x y = C_Equal'0) + use prelude.prelude.Int - function antisym2'2 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + function len'0 [#"../../../creusot-contracts/src/logic/fmap.rs" 49 4 49 27] (self : t_FMap'0) : int - axiom antisym2'2_spec : forall x : t_B'0, y : t_B'0 . ([%#sord14] cmp_log'2 x y = C_Greater'0) - -> ([%#sord15] cmp_log'2 y x = C_Less'0) + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap2] len'0 self >= 0 - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + use seq.Seq - axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord12] cmp_log'2 x y = C_Less'0) - -> ([%#sord13] cmp_log'2 y x = C_Greater'0) + use seq.Seq - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () + predicate contains'0 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq (t_K'0, borrowed t_V'0)) (x : (t_K'0, borrowed t_V'0)) + = + [%#sseq3] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord9] cmp_log'2 x y = o) - -> ([%#sord10] cmp_log'2 y z = o) -> ([%#sord11] cmp_log'2 x z = o) + type t_DeepModelTy'0 - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_K'0) : t_DeepModelTy'0 - axiom refl'1_spec : forall x : t_B'0 . [%#sord8] cmp_log'2 x x = C_Equal'0 + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_V'0) - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + type t_Option'1 = + | C_None'1 + | C_Some'1 (borrowed t_V'0) - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + use map.Map - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord7] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + function view'1 [#"../../../creusot-contracts/src/logic/fmap.rs" 59 4 59 35] (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) + - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + axiom view'1_spec : forall self : t_FMap'0 . [%#sfmap7] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'1 m1 <> view'1 m2 - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + use map.Map - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + function get_unsized'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 102 4 102 55] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 + + = + [%#sfmap6] Map.get (view'1 self) k - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + function get'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fmap.rs" 88 4 90 17] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 + + = + [%#sfmap4] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_K'0) : t_DeepModelTy'0 = + [%#smodel5] deep_model'0 self + + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_map.rs" 157 4 157 64] (self : t_IterMut'0) (visited : Seq.seq (t_K'0, borrowed t_V'0)) (o : t_IterMut'0) + + = + [%#shash_map1] len'0 (view'0 self) = Seq.length visited + len'0 (view'0 o) + /\ (forall k : t_K'0, v : borrowed t_V'0 . contains'0 visited (k, v) + -> get'0 (view'0 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'0 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'0 o) k = C_Some'0 v + -> get'0 (view'0 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : borrowed t_V'0 . deep_model'1 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'0 self) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'1 k1 = k /\ contains'0 visited (k1, v)) \/ get'0 (view'0 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'1 (let (a, _) = Seq.get visited i1 in a) = deep_model'1 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) + + goal refines : [%#shash_map0] forall self : t_IterMut'0 . forall result : () . produces'0 self (Seq.empty : Seq.seq (t_K'0, borrowed t_V'0)) self + -> produces'0 self (Seq.empty : Seq.seq (t_K'0, borrowed t_V'0)) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi2602027177218488890__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 102 4 102 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 102 4 102 26 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 90 8 90 38 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + use prelude.prelude.UInt16 - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + use prelude.prelude.Opaque - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 - - = - [%#sord3] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r - + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - constant x : (t_A'0, t_B'0) + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - constant y : (t_A'0, t_B'0) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 169 8 169 37] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - + use prelude.prelude.UIntSize - goal vc_antisym2'0 : ([%#sord0] cmp_log'0 x y = C_Greater'0) -> ([%#sord1] cmp_log'0 y x = C_Less'0) -end -module M_creusot_contracts__logic__ord__qyi1910662420989811789__eq_cmp [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (* <(A, B) as logic::ord::OrdLogic> *) - let%span sord0 = "../../../creusot-contracts/src/logic/ord.rs" 173 39 173 84 - let%span sord1 = "../../../creusot-contracts/src/logic/ord.rs" 171 8 171 35 - let%span sord2 = "../../../creusot-contracts/src/logic/ord.rs" 263 8 270 11 - let%span sord3 = "../../../creusot-contracts/src/logic/ord.rs" 29 14 29 64 - let%span sord4 = "../../../creusot-contracts/src/logic/ord.rs" 40 14 40 61 - let%span sord5 = "../../../creusot-contracts/src/logic/ord.rs" 51 14 51 61 - let%span sord6 = "../../../creusot-contracts/src/logic/ord.rs" 62 14 62 64 - let%span sord7 = "../../../creusot-contracts/src/logic/ord.rs" 67 14 67 45 - let%span sord8 = "../../../creusot-contracts/src/logic/ord.rs" 72 15 72 32 - let%span sord9 = "../../../creusot-contracts/src/logic/ord.rs" 73 15 73 32 - let%span sord10 = "../../../creusot-contracts/src/logic/ord.rs" 74 14 74 31 - let%span sord11 = "../../../creusot-contracts/src/logic/ord.rs" 81 15 81 45 - let%span sord12 = "../../../creusot-contracts/src/logic/ord.rs" 82 14 82 47 - let%span sord13 = "../../../creusot-contracts/src/logic/ord.rs" 89 15 89 48 - let%span sord14 = "../../../creusot-contracts/src/logic/ord.rs" 90 14 90 44 - let%span sord15 = "../../../creusot-contracts/src/logic/ord.rs" 95 14 95 59 + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - type t_A'0 + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - type t_B'0 + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } - type t_Ordering'0 = - | C_Less'0 - | C_Equal'0 - | C_Greater'0 + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_NonNull'0, t_Layout'0, ()) - function cmp_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_A'0) (other : t_A'0) : t_Ordering'0 - + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'0; t_RawIntoIter__marker'0: () } - function eq_cmp'1 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_A'0) (y : t_A'0) : () + type t_IntoIter'2 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - axiom eq_cmp'1_spec : forall x : t_A'0, y : t_A'0 . [%#sord15] (x = y) = (cmp_log'1 x y = C_Equal'0) + type t_IntoIter'1 = + { t_IntoIter__iter'0: t_IntoIter'2 } - function antisym2'0 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_A'0) (y : t_A'0) : () + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - axiom antisym2'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord13] cmp_log'1 x y = C_Greater'0) - -> ([%#sord14] cmp_log'1 y x = C_Less'0) + use seq.Seq - function antisym1'0 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_A'0) (y : t_A'0) : () + type t_T'0 - axiom antisym1'0_spec : forall x : t_A'0, y : t_A'0 . ([%#sord11] cmp_log'1 x y = C_Less'0) - -> ([%#sord12] cmp_log'1 y x = C_Greater'0) + use seq.Seq - function trans'0 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_A'0) (y : t_A'0) (z : t_A'0) (o : t_Ordering'0) : () + type t_DeepModelTy'0 + + use set.Fset + + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 46 4 46 33] (self : t_IntoIter'0) : Fset.fset t_DeepModelTy'0 - axiom trans'0_spec : forall x : t_A'0, y : t_A'0, z : t_A'0, o : t_Ordering'0 . ([%#sord8] cmp_log'1 x y = o) - -> ([%#sord9] cmp_log'1 y z = o) -> ([%#sord10] cmp_log'1 x z = o) + use set.Fset + + use seq.Seq + + use prelude.prelude.Int - function refl'0 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_A'0) : () + use set.Fset - axiom refl'0_spec : forall x : t_A'0 . [%#sord7] cmp_log'1 x x = C_Equal'0 + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + + = + [%#sfset3] Fset.mem e self - function gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_A'0) (o : t_A'0) : bool + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - function cmp_gt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_A'0) (y : t_A'0) : () + use seq.Seq - axiom cmp_gt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord6] gt_log'0 x y = (cmp_log'1 x y = C_Greater'0) + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq4] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_A'0) (o : t_A'0) : bool + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_IntoIter'0) (visited : Seq.seq t_T'0) (end' : t_IntoIter'0) + + = + [%#shash_set2] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - function cmp_ge_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_A'0) (y : t_A'0) : () + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 89 4 89 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + + = + [%#shash_set1] set_produces'0 self visited o - axiom cmp_ge_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord5] ge_log'0 x y = (cmp_log'1 x y <> C_Less'0) + goal refines : [%#shash_set0] forall self : t_IntoIter'0 . forall result : () . produces'0 self (Seq.empty : Seq.seq t_T'0) self + -> produces'0 self (Seq.empty : Seq.seq t_T'0) self +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi2602027177218488890__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 109 4 109 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 109 4 109 90 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 90 8 90 38 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq4 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - function lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.UInt16 - function cmp_lt_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_A'0) (y : t_A'0) : () + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - axiom cmp_lt_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord4] lt_log'0 x y = (cmp_log'1 x y = C_Less'0) + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - function le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_A'0) (o : t_A'0) : bool + use prelude.prelude.Opaque - function cmp_le_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_A'0) (y : t_A'0) : () + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - axiom cmp_le_log'0_spec : forall x : t_A'0, y : t_A'0 . [%#sord3] le_log'0 x y = (cmp_log'1 x y <> C_Greater'0) + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - function cmp_log'2 [#"../../../creusot-contracts/src/logic/ord.rs" 19 4 19 46] (self : t_B'0) (other : t_B'0) : t_Ordering'0 - + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function eq_cmp'2 [#"../../../creusot-contracts/src/logic/ord.rs" 96 4 96 32] (x : t_B'0) (y : t_B'0) : () + use prelude.prelude.UIntSize - axiom eq_cmp'2_spec : forall x : t_B'0, y : t_B'0 . [%#sord15] (x = y) = (cmp_log'2 x y = C_Equal'0) + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - function antisym2'1 [#"../../../creusot-contracts/src/logic/ord.rs" 91 4 91 34] (x : t_B'0) (y : t_B'0) : () + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - axiom antisym2'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord13] cmp_log'2 x y = C_Greater'0) - -> ([%#sord14] cmp_log'2 y x = C_Less'0) + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } - function antisym1'1 [#"../../../creusot-contracts/src/logic/ord.rs" 83 4 83 34] (x : t_B'0) (y : t_B'0) : () + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_NonNull'0, t_Layout'0, ()) - axiom antisym1'1_spec : forall x : t_B'0, y : t_B'0 . ([%#sord11] cmp_log'2 x y = C_Less'0) - -> ([%#sord12] cmp_log'2 y x = C_Greater'0) + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'0; t_RawIntoIter__marker'0: () } - function trans'1 [#"../../../creusot-contracts/src/logic/ord.rs" 75 4 75 53] (x : t_B'0) (y : t_B'0) (z : t_B'0) (o : t_Ordering'0) : () - + type t_IntoIter'2 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } - axiom trans'1_spec : forall x : t_B'0, y : t_B'0, z : t_B'0, o : t_Ordering'0 . ([%#sord8] cmp_log'2 x y = o) - -> ([%#sord9] cmp_log'2 y z = o) -> ([%#sord10] cmp_log'2 x z = o) + type t_IntoIter'1 = + { t_IntoIter__iter'0: t_IntoIter'2 } - function refl'1 [#"../../../creusot-contracts/src/logic/ord.rs" 68 4 68 21] (x : t_B'0) : () + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } - axiom refl'1_spec : forall x : t_B'0 . [%#sord7] cmp_log'2 x x = C_Equal'0 + type t_T'0 - function gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 57 4 57 36] (self : t_B'0) (o : t_B'0) : bool + use seq.Seq - function cmp_gt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 63 4 63 36] (x : t_B'0) (y : t_B'0) : () + type t_DeepModelTy'0 - axiom cmp_gt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord6] gt_log'1 x y = (cmp_log'2 x y = C_Greater'0) + use set.Fset - function ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 46 4 46 36] (self : t_B'0) (o : t_B'0) : bool + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 46 4 46 33] (self : t_IntoIter'0) : Fset.fset t_DeepModelTy'0 + - function cmp_ge_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 52 4 52 36] (x : t_B'0) (y : t_B'0) : () + use set.Fset - axiom cmp_ge_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord5] ge_log'1 x y = (cmp_log'2 x y <> C_Less'0) + use seq.Seq - function lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 35 4 35 36] (self : t_B'0) (o : t_B'0) : bool + use prelude.prelude.Int - function cmp_lt_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 41 4 41 36] (x : t_B'0) (y : t_B'0) : () + use set.Fset - axiom cmp_lt_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord4] lt_log'1 x y = (cmp_log'2 x y = C_Less'0) + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + + = + [%#sfset3] Fset.mem e self - function le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 24 4 24 36] (self : t_B'0) (o : t_B'0) : bool + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - function cmp_le_log'1 [#"../../../creusot-contracts/src/logic/ord.rs" 30 4 30 36] (x : t_B'0) (y : t_B'0) : () + use seq.Seq - axiom cmp_le_log'1_spec : forall x : t_B'0, y : t_B'0 . [%#sord3] le_log'1 x y = (cmp_log'2 x y <> C_Greater'0) + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq4] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function cmp_log'0 [#"../../../creusot-contracts/src/logic/ord.rs" 262 4 262 41] (self : (t_A'0, t_B'0)) (o : (t_A'0, t_B'0)) : t_Ordering'0 + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_IntoIter'0) (visited : Seq.seq t_T'0) (end' : t_IntoIter'0) = - [%#sord2] let r = cmp_log'1 (let (a, _) = self in a) (let (a, _) = o in a) in if r = C_Equal'0 then - cmp_log'2 (let (_, a) = self in a) (let (_, a) = o in a) - else - r + [%#shash_set2] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) + + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 89 4 89 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + = + [%#shash_set1] set_produces'0 self visited o - constant x : (t_A'0, t_B'0) + use seq.Seq - constant y : (t_A'0, t_B'0) + goal refines : [%#shash_set0] forall a : t_IntoIter'0 . forall ab : Seq.seq t_T'0 . forall b : t_IntoIter'0 . forall bc : Seq.seq t_T'0 . forall c : t_IntoIter'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) +end +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi7331660899108484271__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 148 4 148 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 148 4 148 90 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 129 8 129 38 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span smodel4 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - function eq_cmp'0 [#"../../../creusot-contracts/src/logic/ord.rs" 174 8 174 35] (x : (t_A'0, t_B'0)) (y : (t_A'0, t_B'0)) : () - + use prelude.prelude.UInt16 - goal vc_eq_cmp'0 : [%#sord0] (x = y) = (cmp_log'0 x y = C_Equal'0) -end -module M_creusot_contracts__ptr_own__qyi17842610664047605351__new [#"../../../creusot-contracts/src/ptr_own.rs" 52 4 52 56] (* ptr_own::PtrOwn *) - let%span sptr_own0 = "../../../creusot-contracts/src/ptr_own.rs" 52 15 52 16 - let%span sptr_own1 = "../../../creusot-contracts/src/ptr_own.rs" 52 24 52 56 - let%span sptr_own2 = "../../../creusot-contracts/src/ptr_own.rs" 51 14 51 64 - let%span sptr_own3 = "../../../creusot-contracts/src/ptr_own.rs" 61 20 61 23 - let%span sptr_own4 = "../../../creusot-contracts/src/ptr_own.rs" 61 36 61 68 - let%span sptr_own5 = "../../../creusot-contracts/src/ptr_own.rs" 60 14 60 67 - let%span sghost6 = "../../../creusot-contracts/src/ghost.rs" 217 9 217 15 - let%span sboxed7 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - let%span sptr_own8 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 - let%span sptr9 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 - let%span sptr10 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - type t_T'0 + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use prelude.prelude.Opaque - predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed7] inv'0 self + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - axiom inv_axiom'1 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'0 x + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - use prelude.prelude.Opaque + use prelude.prelude.UIntSize - type t_PtrOwn'0 + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - type t_GhostBox'0 = - { t_GhostBox__0'0: t_PtrOwn'0 } + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - use prelude.prelude.Borrow + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - function ptr'0 [#"../../../creusot-contracts/src/ptr_own.rs" 26 4 26 34] (self : t_PtrOwn'0) : opaque_ptr + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - use prelude.prelude.Int + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int + use prelude.prelude.Borrow - function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool = - [%#sptr10] addr_logic'0 self = 0 + type t_T'0 - axiom is_null_logic'0_spec : forall self : opaque_ptr . [%#sptr9] is_null_logic'0 self = (addr_logic'0 self = 0) + use seq.Seq - function val'0 [#"../../../creusot-contracts/src/ptr_own.rs" 33 4 33 34] (self : t_PtrOwn'0) : t_T'0 + type t_DeepModelTy'0 - predicate invariant'2 [#"../../../creusot-contracts/src/ptr_own.rs" 43 4 43 30] (self : t_PtrOwn'0) = - [%#sptr_own8] not is_null_logic'0 (ptr'0 self) /\ inv'2 (val'0 self) + use set.Fset - predicate inv'5 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 120 4 120 33] (self : t_Iter'0) : Fset.fset t_DeepModelTy'0 + - axiom inv_axiom'4 [@rewrite] : forall x : t_PtrOwn'0 [inv'5 x] . inv'5 x = invariant'2 x + use set.Fset - predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_PtrOwn'0) = - [%#sboxed7] inv'5 self + use seq.Seq - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + use prelude.prelude.Int - axiom inv_axiom'3 [@rewrite] : forall x : t_PtrOwn'0 [inv'4 x] . inv'4 x = invariant'1 x + use set.Fset - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + + = + [%#sfset3] Fset.mem e self - axiom inv_axiom'2 [@rewrite] : forall x : t_GhostBox'0 [inv'3 x] . inv'3 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'4 a_0 - end + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : (opaque_ptr, t_GhostBox'0)) + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_T'0) : t_DeepModelTy'0 = + [%#smodel4] deep_model'1 self - axiom inv_axiom'0 [@rewrite] : forall x : (opaque_ptr, t_GhostBox'0) [inv'1 x] . inv'1 x - = (let (x0, x1) = x in inv'3 x1) + use seq.Seq - function inner_logic'0 [#"../../../creusot-contracts/src/ghost.rs" 216 4 216 33] (self : t_GhostBox'0) : t_PtrOwn'0 = - [%#sghost6] self.t_GhostBox__0'0 + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq5] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - let rec from_box'0 (val':t_T'0) (return' (ret:(opaque_ptr, t_GhostBox'0)))= {[@expl:from_box 'val' type invariant] [%#sptr_own3] inv'2 val'} - any - [ return' (result:(opaque_ptr, t_GhostBox'0))-> {[%#sptr_own4] inv'1 result} - {[%#sptr_own5] ptr'0 (inner_logic'0 (let (_, a) = result in a)) = (let (a, _) = result in a) - /\ val'0 (inner_logic'0 (let (_, a) = result in a)) = val'} - (! return' {result}) ] + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_Iter'0) (visited : Seq.seq t_T'0) (end' : t_Iter'0) + = + [%#shash_set2] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - use prelude.prelude.Intrinsic + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 128 4 128 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + + = + [%#shash_set1] set_produces'0 self visited o - meta "compute_max_steps" 1000000 + use seq.Seq - let rec new'0 (v:t_T'0) (return' (ret:(opaque_ptr, t_GhostBox'0)))= {[@expl:new 'v' type invariant] [%#sptr_own0] inv'0 v} - (! bb0 - [ bb0 = bb1 - | bb1 = bb2 - | bb2 = s0 [ s0 = from_box'0 {v} (fun (_ret':(opaque_ptr, t_GhostBox'0)) -> [ &_0 <- _ret' ] s1) | s1 = bb3 ] - | bb3 = bb4 - | bb4 = return' {_0} ] - ) [ & _0 : (opaque_ptr, t_GhostBox'0) = any_l () | & v : t_T'0 = v ] - [ return' (result:(opaque_ptr, t_GhostBox'0))-> {[@expl:new result type invariant] [%#sptr_own1] inv'1 result} - {[@expl:new ensures] [%#sptr_own2] ptr'0 (inner_logic'0 (let (_, a) = result in a)) = (let (a, _) = result in a) - /\ val'0 (inner_logic'0 (let (_, a) = result in a)) = v} - (! return' {result}) ] - + goal refines : [%#shash_set0] forall a : t_Iter'0 . forall ab : Seq.seq t_T'0 . forall b : t_Iter'0 . forall bc : Seq.seq t_T'0 . forall c : t_Iter'0 . produces'0 b bc c + /\ produces'0 a ab b + -> produces'0 b bc c + /\ produces'0 a ab b /\ (forall result : () . produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) end -module M_creusot_contracts__ptr_own__qyi17842610664047605351__drop [#"../../../creusot-contracts/src/ptr_own.rs" 98 4 98 57] (* ptr_own::PtrOwn *) - let%span sptr_own0 = "../../../creusot-contracts/src/ptr_own.rs" 98 32 98 35 - let%span sptr_own1 = "../../../creusot-contracts/src/ptr_own.rs" 97 15 97 31 - let%span sptr_own2 = "../../../creusot-contracts/src/ptr_own.rs" 92 34 92 37 - let%span sptr_own3 = "../../../creusot-contracts/src/ptr_own.rs" 89 15 89 31 - let%span sptr_own4 = "../../../creusot-contracts/src/ptr_own.rs" 92 63 92 69 - let%span sptr_own5 = "../../../creusot-contracts/src/ptr_own.rs" 90 14 90 35 - let%span sghost6 = "../../../creusot-contracts/src/ghost.rs" 217 9 217 15 - let%span sresolve7 = "../../../creusot-contracts/src/resolve.rs" 68 8 68 23 - let%span sboxed8 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - let%span sptr_own9 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 - let%span sptr10 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 - let%span sptr11 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi7331660899108484271__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 141 4 141 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 141 4 141 26 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 129 8 129 38 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span smodel4 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - type t_PtrOwn'0 + use prelude.prelude.UInt16 - type t_GhostBox'0 = - { t_GhostBox__0'0: t_PtrOwn'0 } + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - use prelude.prelude.Borrow + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } use prelude.prelude.Opaque - function ptr'0 [#"../../../creusot-contracts/src/ptr_own.rs" 26 4 26 34] (self : t_PtrOwn'0) : opaque_ptr + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - use prelude.prelude.Int + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'0 } - function addr_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 74 4 74 30] (self : opaque_ptr) : int + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - function is_null_logic'0 [#"../../../creusot-contracts/src/std/ptr.rs" 81 4 81 34] (self : opaque_ptr) : bool = - [%#sptr11] addr_logic'0 self = 0 + use prelude.prelude.UIntSize - axiom is_null_logic'0_spec : forall self : opaque_ptr . [%#sptr10] is_null_logic'0 self = (addr_logic'0 self = 0) + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - type t_T'0 + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - function val'0 [#"../../../creusot-contracts/src/ptr_own.rs" 33 4 33 34] (self : t_PtrOwn'0) : t_T'0 + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - predicate inv'3 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - predicate invariant'0 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_T'0) = - [%#sboxed8] inv'3 self + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - predicate inv'0 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) + use seq.Seq - axiom inv_axiom'0 [@rewrite] : forall x : t_T'0 [inv'0 x] . inv'0 x = invariant'0 x + use prelude.prelude.Borrow - predicate invariant'2 [#"../../../creusot-contracts/src/ptr_own.rs" 43 4 43 30] (self : t_PtrOwn'0) = - [%#sptr_own9] not is_null_logic'0 (ptr'0 self) /\ inv'0 (val'0 self) + type t_T'0 - predicate inv'4 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + use seq.Seq - axiom inv_axiom'3 [@rewrite] : forall x : t_PtrOwn'0 [inv'4 x] . inv'4 x = invariant'2 x + type t_DeepModelTy'0 - predicate invariant'1 [#"../../../creusot-contracts/src/std/boxed.rs" 27 4 27 30] (self : t_PtrOwn'0) = - [%#sboxed8] inv'4 self + use set.Fset - predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_PtrOwn'0) + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 120 4 120 33] (self : t_Iter'0) : Fset.fset t_DeepModelTy'0 + - axiom inv_axiom'2 [@rewrite] : forall x : t_PtrOwn'0 [inv'2 x] . inv'2 x = invariant'1 x + use set.Fset - predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_GhostBox'0) + use seq.Seq - axiom inv_axiom'1 [@rewrite] : forall x : t_GhostBox'0 [inv'1 x] . inv'1 x - = match x with - | {t_GhostBox__0'0 = a_0} -> inv'2 a_0 - end + use prelude.prelude.Int - function inner_logic'0 [#"../../../creusot-contracts/src/ghost.rs" 216 4 216 33] (self : t_GhostBox'0) : t_PtrOwn'0 = - [%#sghost6] self.t_GhostBox__0'0 + use set.Fset - let rec to_box'0 (ptr:opaque_ptr) (own:t_GhostBox'0) (return' (ret:t_T'0))= {[@expl:to_box 'own' type invariant] [%#sptr_own2] inv'1 own} - {[@expl:to_box requires] [%#sptr_own3] ptr = ptr'0 (inner_logic'0 own)} - any - [ return' (result:t_T'0)-> {[%#sptr_own4] inv'0 result} - {[%#sptr_own5] result = val'0 (inner_logic'0 own)} - (! return' {result}) ] + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + = + [%#sfset3] Fset.mem e self - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 67 4 67 28] (self : t_T'0) = - [%#sresolve7] resolve'2 self + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_T'0) : t_DeepModelTy'0 = + [%#smodel4] deep_model'1 self - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) = - resolve'1 _1 + use seq.Seq - use prelude.prelude.Intrinsic + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq5] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - meta "compute_max_steps" 1000000 + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_Iter'0) (visited : Seq.seq t_T'0) (end' : t_Iter'0) + + = + [%#shash_set2] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - let rec drop'0 (ptr:opaque_ptr) (own:t_GhostBox'0) (return' (ret:()))= {[@expl:drop 'own' type invariant] [%#sptr_own0] inv'1 own} - {[@expl:drop requires] [%#sptr_own1] ptr = ptr'0 (inner_logic'0 own)} - (! bb0 - [ bb0 = s0 [ s0 = to_box'0 {ptr} {own} (fun (_ret':t_T'0) -> [ &_4 <- _ret' ] s1) | s1 = bb1 ] - | bb1 = s0 [ s0 = {[@expl:type invariant] inv'0 _4} s1 | s1 = -{resolve'0 _4}- s2 | s2 = bb2 ] - | bb2 = bb3 - | bb3 = return' {_0} ] - ) [ & _0 : () = any_l () | & ptr : opaque_ptr = ptr | & own : t_GhostBox'0 = own | & _4 : t_T'0 = any_l () ] - [ return' (result:())-> (! return' {result}) ] + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 128 4 128 64] (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) + = + [%#shash_set1] set_produces'0 self visited o + + goal refines : [%#shash_set0] forall self : t_Iter'0 . forall result : () . produces'0 self (Seq.empty : Seq.seq t_T'0) self + -> produces'0 self (Seq.empty : Seq.seq t_T'0) self end -module M_creusot_contracts__resolve__qyi4855891653524509355__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 47 4 47 31] (* <(T1, T2) as resolve::Resolve> *) - let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 45 15 45 39 - let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 46 14 46 31 - let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 43 4 43 23 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 40 8 40 44 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi3673804955138978513__produces_refl__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 216 4 216 26] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 216 4 216 26 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 204 8 204 38 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span smodel4 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - use prelude.prelude.Borrow + use prelude.prelude.UInt16 - type t_T1'0 + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - type t_T2'0 + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T2'0) + use prelude.prelude.Opaque - predicate resolve'2 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T1'0) + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : (t_T1'0, t_T2'0)) = - match _1 with - | (x0, x1) -> resolve'1 x1 /\ resolve'2 x0 - end + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 39 4 39 28] (self : (t_T1'0, t_T2'0)) = - [%#sresolve3] resolve'2 (let (a, _) = self in a) /\ resolve'1 (let (_, a) = self in a) + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - constant self : (t_T1'0, t_T2'0) + use prelude.prelude.UIntSize - function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 47 4 47 31] (self : (t_T1'0, t_T2'0)) : () + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) -end -module M_creusot_contracts__resolve__qyi6740873903368268328__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 61 4 61 31] (* <&mut T as resolve::Resolve> *) - let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 59 15 59 39 - let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 60 14 60 31 - let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 57 4 57 23 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } + + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } + + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } + + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } use prelude.prelude.Borrow - type t_T'0 + type t_S'0 - predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : borrowed t_T'0) = - _1.final = _1.current + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 53 4 53 28] (self : borrowed t_T'0) = - [%#sresolve3] self.final = self.current + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } - constant self : borrowed t_T'0 + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } - function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 61 4 61 31] (self : borrowed t_T'0) : () + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_S'0; t_HashMap__table'0: t_RawTable'0 } - goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) -end -module M_creusot_contracts__resolve__qyi10830812895881240411__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 75 4 75 31] (* as resolve::Resolve> *) - let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 73 15 73 39 - let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 74 14 74 31 - let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 71 4 71 23 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 68 8 68 23 + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } - use prelude.prelude.Borrow + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } + + type t_Intersection'0 = + { t_Intersection__iter'0: t_Iter'0; t_Intersection__other'0: t_HashSet'0 } + + use seq.Seq type t_T'0 - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + use seq.Seq - predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_T'0) = - resolve'1 _1 + type t_DeepModelTy'0 - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 67 4 67 28] (self : t_T'0) = - [%#sresolve3] resolve'1 self + use set.Fset - constant self : t_T'0 + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 195 4 195 33] (self : t_Intersection'0) : Fset.fset t_DeepModelTy'0 + - function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 75 4 75 31] (self : t_T'0) : () + use set.Fset - goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) -end -module M_creusot_contracts__resolve__qyi12875730110607858017__resolve_coherence [#"../../../creusot-contracts/src/resolve.rs" 92 4 92 31] (* as resolve::Resolve> *) - let%span sresolve0 = "../../../creusot-contracts/src/resolve.rs" 90 15 90 39 - let%span sresolve1 = "../../../creusot-contracts/src/resolve.rs" 91 14 91 31 - let%span sresolve2 = "../../../creusot-contracts/src/resolve.rs" 88 4 88 23 - let%span sresolve3 = "../../../creusot-contracts/src/resolve.rs" 82 8 85 9 + use seq.Seq - use prelude.prelude.Borrow + use prelude.prelude.Int - type t_T'0 + use set.Fset - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + + = + [%#sfset3] Fset.mem e self - predicate resolve'1 [#"../../../creusot-contracts/src/resolve.rs" 19 0 19 40] (_1 : t_T'0) + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 - predicate structural_resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 27 0 27 51] (_1 : t_Option'0) = - match _1 with - | C_None'0 -> true - | C_Some'0 x0 -> resolve'1 x0 - end + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_T'0) : t_DeepModelTy'0 = + [%#smodel4] deep_model'1 self - predicate resolve'0 [#"../../../creusot-contracts/src/resolve.rs" 81 4 81 28] (self : t_Option'0) = - [%#sresolve3] match self with - | C_Some'0 x -> resolve'1 x - | C_None'0 -> true - end + use seq.Seq - constant self : t_Option'0 + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq5] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - function resolve_coherence'0 [#"../../../creusot-contracts/src/resolve.rs" 92 4 92 31] (self : t_Option'0) : () + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_Intersection'0) (visited : Seq.seq t_T'0) (end' : t_Intersection'0) + + = + [%#shash_set2] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - goal vc_resolve_coherence'0 : ([%#sresolve0] structural_resolve'0 self) -> ([%#sresolve1] resolve'0 self) + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 203 4 203 64] (self : t_Intersection'0) (visited : Seq.seq t_T'0) (o : t_Intersection'0) + + = + [%#shash_set1] set_produces'0 self visited o + + goal refines : [%#shash_set0] forall self : t_Intersection'0 . forall result : () . produces'0 self (Seq.empty : Seq.seq t_T'0) self + -> produces'0 self (Seq.empty : Seq.seq t_T'0) self end -module M_creusot_contracts__snapshot__qyi5567339964777190687__clone [#"../../../creusot-contracts/src/snapshot.rs" 59 4 59 27] (* as std::clone::Clone> *) - let%span ssnapshot0 = "../../../creusot-contracts/src/snapshot.rs" 58 14 58 29 +module M_creusot_contracts__stdqy35z1__collections__hash_set__qyi3673804955138978513__produces_trans__refines [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 223 4 223 90] (* as std::iter::Iterator> *) + let%span shash_set0 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 223 4 223 90 + let%span shash_set1 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 204 8 204 38 + let%span shash_set2 = "../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span smodel4 = "../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq5 = "../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 - type t_T'0 + use prelude.prelude.UInt16 - use prelude.prelude.Snapshot + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } - use prelude.prelude.Intrinsic + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } - use prelude.prelude.Borrow + use prelude.prelude.Opaque - meta "compute_max_steps" 1000000 + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } - let rec clone'0 (self:Snapshot.snap_ty t_T'0) (return' (ret:Snapshot.snap_ty t_T'0))= (! bb0 - [ bb0 = s0 [ s0 = [ &_0 <- self ] s1 | s1 = return' {_0} ] ] - ) [ & _0 : Snapshot.snap_ty t_T'0 = any_l () | & self : Snapshot.snap_ty t_T'0 = self ] - [ return' (result:Snapshot.snap_ty t_T'0)-> {[@expl:clone ensures] [%#ssnapshot0] result = self} - (! return' {result}) ] - -end -module M_creusot_contracts__util__unwrap [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] - let%span sutil0 = "../../../creusot-contracts/src/util.rs" 55 11 55 21 - let%span sutil1 = "../../../creusot-contracts/src/util.rs" 56 10 56 28 - let%span sutil2 = "../../../creusot-contracts/src/util.rs" 45 11 45 16 - let%span sutil3 = "../../../creusot-contracts/src/util.rs" 46 10 46 15 - let%span sutil4 = "../../../creusot-contracts/src/util.rs" 47 10 47 11 - let%span sutil5 = "../../../creusot-contracts/src/util.rs" 58 4 61 5 + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } - type t_T'0 + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } - type t_Option'0 = - | C_None'0 - | C_Some'0 t_T'0 + use prelude.prelude.UIntSize - function unreachable'0 [#"../../../creusot-contracts/src/util.rs" 48 0 48 28] (_1 : ()) : t_T'0 + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } - axiom unreachable'0_spec : forall _1 : () . ([%#sutil2] false) -> ([%#sutil3] false) + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } - constant op : t_Option'0 + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } - function unwrap'0 [#"../../../creusot-contracts/src/util.rs" 57 0 57 36] (op : t_Option'0) : t_T'0 + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } - goal vc_unwrap'0 : ([%#sutil0] op <> C_None'0) - -> match op with - | C_Some'0 t -> [%#sutil1] C_Some'0 t = op - | C_None'0 -> ([@expl:unreachable requires] [%#sutil2] false) - /\ (([%#sutil3] false) -> ([%#sutil1] C_Some'0 (unreachable'0 ()) = op)) - end -end -module M_creusot_contracts__stdqy35z1__array__qyi15505960269205342033__produces_refl__refines [#"../../../creusot-contracts/src/std/array.rs" 73 4 73 26] (* as std::iter::Iterator> *) - let%span sarray0 = "../../../creusot-contracts/src/std/array.rs" 73 4 73 26 - let%span sarray1 = "../../../creusot-contracts/src/std/array.rs" 61 20 61 47 + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } - use prelude.prelude.Slice + use prelude.prelude.Borrow - type t_T'0 + type t_S'0 - type t_ManuallyDrop'0 = - { t_ManuallyDrop__value'0: t_T'0 } + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } - type t_MaybeUninit'0 = - { t_MaybeUninit__uninit'0: (); t_MaybeUninit__value'0: t_ManuallyDrop'0 } + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } - use prelude.prelude.UIntSize + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } - type t_IndexRange'0 = - { t_IndexRange__start'0: usize; t_IndexRange__end'0: usize } + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_S'0; t_HashMap__table'0: t_RawTable'0 } - type t_IntoIter'0 = - { t_IntoIter__data'0: array (t_MaybeUninit'0); t_IntoIter__alive'0: t_IndexRange'0 } + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } - use seq.Seq + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } - use seq.Seq + type t_Intersection'0 = + { t_Intersection__iter'0: t_Iter'0; t_Intersection__other'0: t_HashSet'0 } - function view'0 [#"../../../creusot-contracts/src/std/array.rs" 52 4 52 33] (self : t_IntoIter'0) : Seq.seq t_T'0 + type t_T'0 use seq.Seq - predicate produces'0 [#"../../../creusot-contracts/src/std/array.rs" 60 4 60 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) - - = - [%#sarray1] view'0 self = Seq.(++) visited (view'0 o) + type t_DeepModelTy'0 - goal refines : [%#sarray0] forall self : t_IntoIter'0 . forall result : () . produces'0 self (Seq.empty : Seq.seq t_T'0) self - -> produces'0 self (Seq.empty : Seq.seq t_T'0) self -end -module M_creusot_contracts__stdqy35z1__array__qyi15505960269205342033__produces_trans__refines [#"../../../creusot-contracts/src/std/array.rs" 80 4 80 90] (* as std::iter::Iterator> *) - let%span sarray0 = "../../../creusot-contracts/src/std/array.rs" 80 4 80 90 - let%span sarray1 = "../../../creusot-contracts/src/std/array.rs" 61 20 61 47 + use set.Fset - use prelude.prelude.Slice + function view'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 195 4 195 33] (self : t_Intersection'0) : Fset.fset t_DeepModelTy'0 + - type t_T'0 + use set.Fset - type t_ManuallyDrop'0 = - { t_ManuallyDrop__value'0: t_T'0 } + use seq.Seq - type t_MaybeUninit'0 = - { t_MaybeUninit__uninit'0: (); t_MaybeUninit__value'0: t_ManuallyDrop'0 } + use prelude.prelude.Int - use prelude.prelude.UIntSize + use set.Fset - type t_IndexRange'0 = - { t_IndexRange__start'0: usize; t_IndexRange__end'0: usize } + predicate contains'0 [@inline:trivial] [#"../../../creusot-contracts/src/logic/fset.rs" 45 4 45 39] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) + + = + [%#sfset3] Fset.mem e self - type t_IntoIter'0 = - { t_IntoIter__data'0: array (t_MaybeUninit'0); t_IntoIter__alive'0: t_IndexRange'0 } + function deep_model'1 [#"../../../creusot-contracts/src/model.rs" 29 4 29 45] (self : t_T'0) : t_DeepModelTy'0 + + function deep_model'0 [#"../../../creusot-contracts/src/model.rs" 82 4 82 44] (self : t_T'0) : t_DeepModelTy'0 = + [%#smodel4] deep_model'1 self use seq.Seq - function view'0 [#"../../../creusot-contracts/src/std/array.rs" 52 4 52 33] (self : t_IntoIter'0) : Seq.seq t_T'0 + predicate contains'1 [#"../../../creusot-contracts/src/logic/seq.rs" 351 4 353 17] (self : Seq.seq t_T'0) (x : t_T'0) + = + [%#sseq5] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x - use seq.Seq + predicate set_produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 53 0 57 9] (start : t_Intersection'0) (visited : Seq.seq t_T'0) (end' : t_Intersection'0) + + = + [%#shash_set2] Fset.cardinal (view'0 start) = Seq.length visited + Fset.cardinal (view'0 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'0 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'0 start) (deep_model'0 x) /\ not contains'0 (view'0 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'0 end') x + -> contains'0 (view'0 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) - predicate produces'0 [#"../../../creusot-contracts/src/std/array.rs" 60 4 60 64] (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) + predicate produces'0 [#"../../../creusot-contracts/src/std/collections/hash_set.rs" 203 4 203 64] (self : t_Intersection'0) (visited : Seq.seq t_T'0) (o : t_Intersection'0) = - [%#sarray1] view'0 self = Seq.(++) visited (view'0 o) + [%#shash_set1] set_produces'0 self visited o - goal refines : [%#sarray0] forall a : t_IntoIter'0 . forall ab : Seq.seq t_T'0 . forall b : t_IntoIter'0 . forall bc : Seq.seq t_T'0 . forall c : t_IntoIter'0 . produces'0 b bc c + use seq.Seq + + goal refines : [%#shash_set0] forall a : t_Intersection'0 . forall ab : Seq.seq t_T'0 . forall b : t_Intersection'0 . forall bc : Seq.seq t_T'0 . forall c : t_Intersection'0 . produces'0 b bc c /\ produces'0 a ab b -> produces'0 b bc c /\ produces'0 a ab b /\ (forall result : () . produces'0 a (Seq.(++) ab bc) c -> produces'0 a (Seq.(++) ab bc) c) @@ -25674,7 +29623,7 @@ module M_creusot_contracts__stdqy35z1__vec__qyi6844585276173866460__resolve_cohe let%span sindex3 = "../../../creusot-contracts/src/logic/ops/index.rs" 27 8 27 31 let%span sinvariant4 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 let%span svec5 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed7 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow @@ -25738,7 +29687,7 @@ module M_creusot_contracts__stdqy35z1__vec__qyi6844585276173866460__resolve_cohe axiom inv_axiom'3 [@rewrite] : forall x : t_T'0 [inv'3 x] . inv'3 x = invariant'3 x - predicate invariant'2 [#"../../../creusot-contracts/src/logic/seq.rs" 622 4 622 30] (self : Seq.seq t_T'0) = + predicate invariant'2 [#"../../../creusot-contracts/src/logic/seq.rs" 632 4 632 30] (self : Seq.seq t_T'0) = [%#sseq6] forall i : int . 0 <= i /\ i < Seq.length self -> inv'3 (Seq.get self i) predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : Seq.seq t_T'0) @@ -26718,10 +30667,10 @@ module M_creusot_contracts__logic__fmap__qyi4648834920430559677__clone__refines goal refines : [%#sfmap0] forall self : t_FMap'0 . inv'0 self -> inv'0 self /\ (forall result : t_FMap'0 . result = self /\ inv'1 result -> result = self /\ inv'1 result) end -module M_creusot_contracts__logic__fset__qyi11096226875104347554__clone__refines [#"../../../creusot-contracts/src/logic/fset.rs" 312 4 312 27] (* as std::clone::Clone> *) - let%span sfset0 = "../../../creusot-contracts/src/logic/fset.rs" 312 4 312 27 +module M_creusot_contracts__logic__fset__qyi11096226875104347554__clone__refines [#"../../../creusot-contracts/src/logic/fset.rs" 323 4 323 27] (* as std::clone::Clone> *) + let%span sfset0 = "../../../creusot-contracts/src/logic/fset.rs" 323 4 323 27 let%span sinvariant1 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sfset2 = "../../../creusot-contracts/src/logic/fset.rs" 326 20 326 63 + let%span sfset2 = "../../../creusot-contracts/src/logic/fset.rs" 337 20 337 63 let%span sfset3 = "../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 use prelude.prelude.Borrow @@ -26739,7 +30688,7 @@ module M_creusot_contracts__logic__fset__qyi11096226875104347554__clone__refines predicate inv'2 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : t_T'0) - predicate invariant'1 [#"../../../creusot-contracts/src/logic/fset.rs" 325 4 325 30] (self : Fset.fset t_T'0) = + predicate invariant'1 [#"../../../creusot-contracts/src/logic/fset.rs" 336 4 336 30] (self : Fset.fset t_T'0) = [%#sfset2] forall x : t_T'0 . contains'0 self x -> inv'2 x predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : Fset.fset t_T'0) @@ -26774,10 +30723,10 @@ module M_creusot_contracts__logic__int__qyi3540547019284611154__clone__refines [ goal refines : [%#sint0] forall self : int . inv'0 self -> (forall result : int . result = self -> result = self /\ inv'1 result) end -module M_creusot_contracts__logic__seq__qyi8239750555979287100__clone__refines [#"../../../creusot-contracts/src/logic/seq.rs" 610 4 610 27] (* as std::clone::Clone> *) - let%span sseq0 = "../../../creusot-contracts/src/logic/seq.rs" 610 4 610 27 +module M_creusot_contracts__logic__seq__qyi8239750555979287100__clone__refines [#"../../../creusot-contracts/src/logic/seq.rs" 620 4 620 27] (* as std::clone::Clone> *) + let%span sseq0 = "../../../creusot-contracts/src/logic/seq.rs" 620 4 620 27 let%span sinvariant1 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq2 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq2 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed3 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow @@ -26801,7 +30750,7 @@ module M_creusot_contracts__logic__seq__qyi8239750555979287100__clone__refines [ axiom inv_axiom'2 [@rewrite] : forall x : t_T'0 [inv'2 x] . inv'2 x = invariant'2 x - predicate invariant'1 [#"../../../creusot-contracts/src/logic/seq.rs" 622 4 622 30] (self : Seq.seq t_T'0) = + predicate invariant'1 [#"../../../creusot-contracts/src/logic/seq.rs" 632 4 632 30] (self : Seq.seq t_T'0) = [%#sseq2] forall i : int . 0 <= i /\ i < Seq.length self -> inv'2 (Seq.get self i) predicate inv'1 [#"../../../creusot-contracts/src/invariant.rs" 41 0 41 35] (_1 : Seq.seq t_T'0) diff --git a/creusot/tests/creusot-contracts/creusot-contracts/why3session.xml b/creusot/tests/creusot-contracts/creusot-contracts/why3session.xml index fe7b06734..7303c86f6 100644 --- a/creusot/tests/creusot-contracts/creusot-contracts/why3session.xml +++ b/creusot/tests/creusot-contracts/creusot-contracts/why3session.xml @@ -36,6 +36,285 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2415,7 +2694,7 @@ - + @@ -2893,26 +3172,6 @@ - - - - - - - - - - - - - - - - - - - - @@ -2933,16 +3192,6 @@ - - - - - - - - - - diff --git a/creusot/tests/creusot-contracts/creusot-contracts/why3shapes.gz b/creusot/tests/creusot-contracts/creusot-contracts/why3shapes.gz index 8d3a27c7647601061c852334b2cba290e5c5b136..928b3d061bd59b63a58490c2cfec069c417664ac 100644 GIT binary patch literal 28585 zcmV)PK()UgiwFP!00000|Lnb6lN>jeCiot|LT|O(vNFT{vL=-cSIeACGj-L&w1tiB z3k`6`n?mRmz7M}X z=D+`eg-`iy8@~OvD>r>OrQVh5iY(uujc>m_^RqmwhwaCAuV&BjP|Ti)b=~bUcl7@z zeGk-e{QnR`Z0f`2VNn2Y`#|#W zpKD7PNc|xn@RUYEgP4p>^^-K`!SHld8hq7fdv*`okLT=GcxYx%%)0J&nStG9TocC8 zgP)%MN&}z0YN+r}`DyYbq?|vz`T2dyZ%ZeCc=PA?@A4nmt7XZ!F8M#+|BRAn{Scb> z@1DZryTa}!{M+XbZ?m9Y6Q4KVxwEGhW+dI&yk0kZHe*ZnVb%ZH>$~;%&YX<}IRDFb zcR2n(Uv-F{ve&CN1C{kx-qinM-+e!UK$%}--{PmwN zbowmeYu4f}dHCDwE6x7pGTHF!9@X!P5b!ene97?oT9nsf{dy_CAUc!Hp(midC@JrR^I{!;c+> z+Lz)w-M)Py@AMs&SlB1-I{O3<^+3Md_g-aTkon3W!_O?rh_%sX#Wu6GZ7wfBV)=sm z^*sDjJl3l{_w3+})>QFy1F;42LnGBSW{ZmgcdvG_{l@(2{pr;YQ;nYJ^1%?{FjnRN z(XcB2YOKl+U{(H%SoH=V$p2#kLH^Z1kRJeo{277Z&6tG02qu|Ooe%UNs^Hg9#Riz* z2f+mYPXZ?Ri-8ILJD7NJFu@Oi3H~1wOdPj*w}1)$oM2*D+QZ=M4^fu(&D3(Z%Pq14H#MP#=?PUT+BxrtY$OnLX?a-3bYQeef{3uR$dw@0Eck3^3X4&tAR zoOit&x=-#+ZqIbrhFU!ANUOr0*=Tw)KR$-L@b**gWOBak(EsjgOw>x(AEu}kB>Hap z+SVVgyrz|En(tmqIVR`tAHxUIzkbPGR<;m6eSG(8`1lwwJNm4Cp+EoN(Es{lS^%oh z70~dp^~baTde{}fkGuL~T7aKzR{%fm>W^swd3Id^g;CTWryriiiR_+DVfNW~RRr{` z{+QAvm)@0-1j&bA1)J-c$_R3_#dM8I@Jm;$7y7=kdU%|d`k|f5+S~W<|MvOARNX|; zxQXqg%HOXV??tT}1y_B8&}8|l=O-5r!?TCs*>uL)g&AjebIz#B7*+YA=JTcNeCax0 z-HcOEMn=t1N2?>R`z6!q&@&#oxnV24>6oV1T**G9R2=4u;oFF3flMm>%DSx7)i%%eT|D zSU%!DwFp(u>lG^K^6Q6<$`KPi4NUkBRs_J_sJtk%*oZnWV;($m8{1Cy^(OJN-Rf}D zh3;n$m0zwARoLh^pYjf(v2{FLUij5>zd1wmU7gkZZOu?zt|riv^#XKRS=gMVP?iq1 zrfIotB)3?(1oQG?*_risY-z6&8oG&V4wjY;Zny;hm{>3`V z=B6T>g8O;J>vhE)Pb*&Mum4g@0{V(tQVbj(oleL zt$WnQw4p`VEhc-^Lcf|aqr^Pl&HlcdcFpdGeH4RCmtJbvCu|q?342Xz$K}l<)-@1! zx6I>jn~Merq&606!*8#*chNR!FZR!VJ7Ax8JGs5+bfK4>Y@N0QuYdXP^zz@YZBi`- zdH>zNmyM|MpM9%7^nAm%5AT*1ej$(xJHL4AcNS~*E%lBe^nm~S(zEd!5=bm z@IO;0w3Mk?^2OZ9aXUA1+@h;sYZIQ{OeUl2bRSL@rzOiG{KUK9>F8Ig-x6eEYe_Yf zWTUm8_$^V=IcV*uD?eE)?cUW|`gK`0+f1C;$(8u3Rq>h9oe=jvy}7a(wK2_pUw-_< z4z^p9n2u`tu!9HKRyUv_bRr!j$CXk@V{Y85ARL88KptoYJxqAecRT)R|~0@j_bS zG+tyiUSu_1Wb=5D*LacFc#+q5QBr&e#eG=(J;aNm#*6bXmep2SZI#Vi6}44STNU## zme(+r*D#j%VeGJmB5PDHYg8}GGVLOzaJC|>f1!l}Gpuz@UW$2HNs9ut=&&TBU-g|; zl_k1zpaXl&&mZ2reg9JzGDEFi|MEG!?Uq->SuTp`lJWRs{)D-En7yI(*dN~f_m4R| z<&S@0i+Z+f`VMdBRUyR#(M3JiEwRqa`>ltL9`i+Y(p)i)Y57)mD@8-MilKg*z3mo) z|2(g!yA`9Z$DMVby&6`JCv_Zkn7UBc0fXTTifc^Vjm`i zFG(${_~O;1_g5Ig4BQjqXO+pGQBT$Ad}Y{)UPKn`w*~CF#iKo7r{}P5Yw2hc*cpOxYYew|M9ZLliKSS# zO1y*Wc(*XLgX+cL$xYi-!93q8(H>Su*M@3HQg{TMr25 zj&W1+7YBPLIH0Tfm)iIj0KTIYhTcxJ>I+Bw@Wms3SdIAM))61CF!Xka&_+`;q?`GN ziTSC|78w7KHJeMrC9d8i4bKHE4@$!qjQD^Y-6Rb+jre$luakzsr10zJo$s1=e$l-1 zOXi*Ln|Ho8?|g0E`G$Gt7tK5WLi5hQz`XM>G4K4MdFRitBk=Hr8wq!d2E%XRAA9x6 zyFMBF2tW82@?+`lHpaEZdp}jR8>{peiY(c%t~2uBpdj%}`%0^>{d9O{FV@+c)^(-5 zIlZ7ye5Oy=#qOu0Gjy%i&LnMC+Z-^Q2garaBU8&A93o%wM4 z ze>WqO*}I*d?hJJGdb__H%`T;JTQjDs==Fr$^-?>MKNh103**vx|A}&ZR{+4np;8C@ z!gmK74NvdiJidE6v-;ye7uI!-b*L+iSN)HFOt~hm10t~th{Q!eBrX9Wu@8vE8W4#! zAQBsZNL&O&;tK(h_yRyAz61b>8vxPVG3{x{yjZumxr1!W`p7=ErQ|-jHU45t!5&4(6aKXC<0nOqIrvKz4)o)SYd;>a9Q1em3;f+~I^boy&A!BLi!ZR-d{>9I zB>Shs#`j{KYr;CIbkXcyD8Hj{6JGym&+IPCT#qsTv}b&0We(Zj%QcR4<)T(xmO3$$ zy6aB$r=zy>YUI9~kDVr0ueW%y z)9n1+_DDC^wI**i$GFqi#ml{sZgzF{ZfA^pELy(aHpBDPk*%ID)=xHMRQh?b@@Ts^ z%Th${hyEmss3%#5JEP9mj|$0psz=sSJ@Pckr%==63OZH!>FML==IQgt@b=BDRDWV- zufW}eXt^}zVY6U=EBz#&W0u^p*Z!ESyI0_Dbr*{$lT$A>+2qq$UrxIr_qs7&wXs*= z?)0>EifTNbH(W^71C(Fi{Oha#*}ItXPC$zu)0w?mRuTggnpL6$hj{!kw{Jd`+nXpm z`SD%Kzma4;Hrs4v%60>gbvP3vJY$yBs@8!eh)4OHqZ@;B0t>{vX z&Byaw@g=Pl&YtLX-R&~-j}V~S#8$pyE8m`rS&`6AP7sfL>|ZvYKYq+qy?;GzbZ0L4 z_FP_QlwWR?Pi5if&rki-(Hd=h|MBDdzjwkg7mP}z6q~;(ZTHXrnm;~1y?IRKLMaTV z`0MY^aw05~7JG4$3vrs1SV%ST>lk}x6FFtrjJ{mZm)oqNHRuDZp<-LC>7FlHqZW71 z&RZO=ft(*rttUWN=R~RBQwrlT_on!)@a=dHw0`~=whM$m(haub;nuT5 z@A2gB$E|A>w)-;uw8v&6yXSCw$3}+w>CF#sVY<^F*dKoW+rC%(158`-)#H6gvie89 zOJ;SV75dYYnH`25y2-cA6ki!1-Wi{HUDumFH@AGgf9xMNpWZD?(}8H#-~6@vW^OI} zbD^_moNv*%P_Va~lL2jhIEJr22g8TUv8EjB$EWARGyP-pu=(_ESsERvM_jg_->pB3 zGJE1SYVQ>47%-E~_a7cF%H~W0Hww=ra7y|0yU#!8kI?15{FyymllT1>DWioO5z)VzO}9-kiHzaz_6gV!_N)ii(m{#}#%*Q6q!-@VJ9 zx@$ba;o&bm`>Qi8!=JWXIX3+1I@WFU!BqvH*hV!34-&I?_xQFW1H;ZE%cDoH#?zAwk*K<1j>F0mCvgtkiStLufLSdwEnF3*-T=&zSM5YjdHKu9h& zKxjJRMDs(Ag?RUyK+Y&21yu=W@ZxU-OOC~#EY>swHdw1_CS5C zQ}BAl%f+9&v(Ox1`%K!y5ow=X%yvN9%aw1}qDg9>fWp7MGePM|NH)}@n4 zwB1wCvuT>x7QKSWYkLSfH2GWhkZ4=He6?q~I{7fO;noixZm>Um8aX$xi%+KV6CWAI zdm-pbOj*Vcion3L@>Rrsth~}#ekXA>4eT=4LZw7|&0C69sMA+>UQLbGqyf>HGd>?S zz2Q5I`}SMv`ApdQ>ryLQy5&Z)qUtex8~$5p!yjjcZ)}WSl4)F6#=COk>-Wz_Y(j`E z;)Ia7K*%gi>Ror$>@#(0dSfjybP$orCAIbMPrZgc7iVX8=}sDdo^d@Mk=a3v=5jmh z+$TQo7iBt3`lT=QOH;ol1@6e1KhB-{;_6hm_7lu({-y!)JpFmukppTN{y43&qma~r zS-E+qrrm*RE=bO;+x+F6S6?INB|dsJo7p9=)az4AC+Rz89kJ}&%vl=wmt@Wou!mEo zUG~SPe|+=Te|(^?ntXcvbc5_t$F}D9d1e6AuT8MnYXM5{it3 zni&Z-abU`vm7P$s7bwx4%+msQC1+^v5S2Tt36IqU9xLLp^7EdRMUU0DdJEbp*+@ON z725`!8;<)1NmrYaUR;Il)@~-|b~*q0^}|wuV;w7 ze4n5q@>f$VFKSZ*SutB5m_qG=e^gA(Ne|EESYpDz@@8xOpaW}Do4*-rx(l)90nw!O z;vLa6W$wy_>f0()X7u$;v^r59glZ+4!`koAgx{B)y43q!Ej-xBzM0`U8%s<@(|o;c zrLNu}n#GFvy#=U}wOX`cvc|m_v0|@h9O-6Y;6=S=zh|i8eXC;&e1F7EpELX2SX$1T z8DEG=nc0#Qy?dDX?m1J%PyxU9m}+lg>g~%*%MZjHS!5bNS#ou$X-WPC7Mx~Gy>Z#8 z*;tSt*Yg%;Vskg~_f^$ntEw0Hyj;D$$mh5=9`T6rxXo-FG8ivvDmIP8WPiKlYfb;U z+uyw}S&A24&Np@F#LJ8{TfAL2Jo%GP{^EpmhZDqMqkTC>9W11 z?`!_UtCGEJWGyTlOBo$ygn~kqi)VhnG+#-R7*ZinO9yYHzF)EuMAv;CaY1cJ3W&TM~JFDkjPZHf`f-u}o)?H6Ge7mFOZnNPRUu0hH z&Jf>XI3JVMmN{3w1a#k|8y1?&)3GP;PL-*r@nJK(-6=V3$xS{{>@HQhCiaW}u+`01t04}QepoSg_+Z&cc=EyAb?=8(4r|gS#aQU$VxGE8^O7s~ zsvNQ$Cv4|c`RdxwAKvDt?&H3*^wzObf78z4qTNA?nc?Hr@bRVL<8#B;_q9v;c$a^B zDj%SJ${#+}(M-D0Cxa|I(pBy%5s9r6QBQCFmA)+8XVLEEkJp9Unh48FhUMrhW_f#N zFN=1}iQOwO`jjhO+{#VwyEyx>@8N919cNcRiM5}_GC5Dtei{+kV7kJ7@#TYK*1dwCnvG{z0HX_~BHP3LLxcse3ZGo@EE#aBD{ zZNDST%NG7}uJ|}v==r#-vz{#8Oa}4&dOTydLFmwI(fvUkr^~Ndx9Y3%alk7RHm9={ ztF6n=lMSZd51jBHUWGU`YSDOz=Gy3ns*`WemW6oyISzEIR9&37IOq%HuZ@3N_3CoR zTwF$e{Bc?5f}RhxE(=gI<9kQ6e4J*p{j+cj*`JK7TVrvnX{>s%v$V2W_J1|&QhD_? zg3vE9)9nS@GT;_6;Eu|`gz^p3zh={H`rUu%>G%87?^jD~^XcEtD-NUy>zUuskJr~~ z|1K53OU0$yU*TBFbo%ZWtrm}r7~f1}#b1(@C9Nw$(iPudz9#AL3+bTo-yjw!{7MufH6}d z&uLwqbh$#5%SqR(Ntd@xy8QY{m!$n>Iq7nV^y-cfFJFq@o;I~PZL2Jvok`!Wz1l>( zvUT$uR)C=MOY8p#oG)trrO@K4&MzX1e}cBhO>GbHnx4l^J-@ntv@zN9<)nHLozC!W zKVL2gm!odu<=wll77N1tGSU3>4BMn~q2%(MO<68^c=zj@H^Yps9yPOEy*mOs`*-CPLSVAA); zIQIq1B=jYYa`8~V(1E|-<-cELS3pOp>}+L)`?|8iFItq%eP_9aQ(SdA)M^J1OFCitzQ+RRt4c9twI z3UjUY?B;eLT@IS?^*M$vB$^BTG`f7;3+{;221Gm^6wjvYR&7?_3t87>_q)9Y!dugJ zRA6Rf`!g|9E&-CJDjyyoIG$Cwgd9q;_@>ChV1T#CjMM~6hIFMdoC zp1sLUWAHeO)Nkrn`MBq*WAya4o>7g>WkxaUTlqB4v1P_*>(_CupSE6nr&wCq>OsYA z%azx``eiS0)Z^T^thwBgos566F}qsU>`oCqhuePj#lYd2_fh0T;L7dP@{p{dXgUA9 zE&g&L{_?2!e`RmJNa)v-J`;NRUqa~BzR)kW+*d-czFO#e`*%U!$>>}X^$nwReWmwz zG5=l6|MQFaGwpQIbzw89D_;vZCUvqT;7k{aMa}COh5uqE&~vnZSn9jRR?|HbcePq! z7hfjlMJHcUz)R0o*-2%L^R1*Jel<7g>t$J9m1TKFmbdn4zRI9?shv|P>b|;hNQ$^` z%4e2G#&*=^Qp_$&@iVl4T#8F$^QFk86tkribN7W(%-su1G4<>$_(Flg?pDz+Nip}ArI@d_=ciK4*W1^ZCwR@e1N)ONWV>nk_CJ)>-pycspp4%xLwNTt z;Nh-IRda|{%^_CPOkuyBDO^6Dd3Jl5!u8C_cxs82BPFwIM`wStCdVH7jjtTmdKmHo}qdaB1@R!-sH{CeLB=&O0XqWunGgTLhPQTO?g$!(^b@q{q zq4XxuQ{iM9?k*{r$U6DUs71k^_0!-vWq-@<+dL7UnE+5AE6%ak;~64i16w0 z-A`}x)BAVb;qPCD*Kf*ch3+dtbO3VWTNu(zK87K6&5xIQI1;0W^E2+%53{oY*H_!;ig`XWzAH&i=0c=;hhdnXlo4FT5X)r3**E3S+SKog_*eZwrJ+4N zJ(Sdcvjj5o^WPR+&}c*##BxPKXAP^NVfw5}ZC?Bn+F5X;qeEope0i3}x7BeCQHMHJ zKhf{2)ODGnPEd50A2`FA&(cgcFZR|7W^*DpdO~bnebDBj6kHtFmCh}Mp%KGzyzw;Q z1@bS$;)j|3D$?I_Jb3aQF)bEHET{U~S&XF{D_MReZSR+5uluhojn06Ll8vaNcCxzM zOCDt;GA2h&>JLrz8F^cA&@~z}7gGjRI!gaD;PK+gC*TCD^%!qv?kivk7-U z0dY6Y#c0<;(p@xOWB08BpPMU*FWt%1>dZpkC{bu!jP9w(ReM%i%DWrjZ4F-Ye)Y@C zPDdyVtorrw6ULV=C7_h@J1iZ~Dh{k`*N=uqHj3wq#ji2@a!kLR)cNJ4V~^*_JJX@8 zvyP^3A2&zTcYh}V=>j+Ze3jZxN46Hi<~p$+*KR`_2D_W3VY17Bn!!~+6KUKYGYqQVSPFufte=n`& zU6RYyZp>ISw=<7as>(?$VmL8Wz^| z1)1)b#?>f_d+Xze=pC8EBWt~fW^uZ$dtp9@Azss#?K1Qc&!bbadFAi#Q}QxXvT<2z zsrfO7ryRaLPp<9mzC|O>@-dXtgJ+4i`a>j*Tw|A5U|pS#artZ!ju zum3V_&@3CYXIC3^cuNgBG>G4`2K&vRo$(AO-$vH5OWhgDKQGzPon?M5TI+ji%eU`R z&L7_V{66KkG|x}rr})2x3*D|8KJK;` zJ~q5zzpN;u3Q-Pl*B4)JKYzG1#AR)*oP@}=pTPQbfGOp5NZ2p?vz%+|wtdHkG;uWkEQZ*PU5oCCxBqwg;j{UECXp994SqWvIm- z%KVbb`4-1$IP~4->c#vbJ~$aKQx;wu~cXo&Fq<^!I zp^uNpD=Y2m(^E}UW;IWFee^+W9ev;xc;Lq(vDuvEB(2%J`eEmT1Kj}Gd2+tvdjbyA z^BeW>lbxkrTD0&m|434gIUnX9biq7cYu!&ch}Ul$(f4zfY3~R@rdjVp zs{D{CzmNVY@yKWXK^|y>n`dk{fCi6H$moZekP68 zQ%bC!Qessk#E(^xMO9?{7|nsKVj@>!GMRKXOggWV&aY4U(}79vMSRZA#Z=TZ@X5m? z^N;!EKMpFlD+b~##9+4;j!wl=;D`))-o5>8%&N@C-J0Yr_5UW`?)1jYb zopo7fU9PlV&$WJsLDh9~evy^DcLft|uQMa}>^@)X{Zb(KMB&x&i?0=4&t$^XS?s?K zH!}m*1}d))RL$ph9O&wh^Qpx4~ZTRT|^$;aQX5pm?O=(+=u}pi4BN!7{M<6)0)zVV5h~_u4#!lCm59< zaXzbAEJ$*sc?5oL&GSL5DP9n3UH}=B;k_gpJq9eMU{jul3ls*hsj3dD4Y0|!z~&c5 z7@gLN<=OWc>ZFaS{Sc$q>vG&4C18ImjWyyMrDJHg)PLSMXT#rJ zlf6k7S6?U|JELwH?b5@1O;9wr5v00;9`Lc@~6WDllwPT{T|Ey(?>D+I0 z=*IOAesujq{1etcmeKG`3I^mmxyNHE8GI|=k=5nM^YX@kYSmP=YHH=h#Hd;DV!B@J zq3gvSdLe9l%xAH8)5qk``b3e*wI_V_weNnq+!os2Auy(wOka$$IiA9|8#e-!;7xBF z5-%^*-V3?+LWI@P^RsOxPE5{DqK_RG!|13+kMs|fomi%Mcl0w3V3T#v*}(27)H8MV z3+Pl0<-<|_!D*3j%pUIaUf$Np{o+Hja;q<5_VD|eB8(b2waKnpG54^oLjG=BX~hm| z7(QzLp=j^Vq{uV!Ny5ti?e(T@G;PUM&H z#SV>fH!#^v7I@e8WumFOf?+oFU0y0uVAV1RnYFb+Wcr$FZ(N44Z&v!iz}#()>wB`B z9lG3N@h~47GBn)bKyxL;<(cSn49e|j;|&aTCIr7S6D#y~gZ({bt9w@Tcz5%Dn__*s z4T26hZN1xpF7CKj>b}L^uTq$r8#KctH&UyME?-bdo!zj&Sxw~#`q^l+*uKr8%!-iG zM@o2mr0b!&M7=)q?cw6vF8yTszT}#AnRFYEOTt;d5!vNBu2Rny7oBazijx9jGwh$) zJUQH6H(Xvf+^5(j<-YqI-oE|E|MT&EO^(_^hc%yyt{8fF_w@duWVj8vRGV95Gsx*{ zww15hR{k`L?&h)H-q+-(OWM0d?&d7GG#<(&`|p2+QvBcVf9uDy74Y;w2n(L|h^y=0 zcN4tc|Jc4)Z?>B->*UrJRGlZe?&KD~pT^68=B0IA0@ZcNrhmfLMQci)y1<%QC$|v) zYzwUaF@&RKmuDpX<_-G;>k~mc-qp^P+W>n;U+C`^{d2v_snft^bAuJvt2dq5-MHTA ztQ)@D#bKU#4S9GCdHBH4{b{@!Ld}+Wz`praQ#)fj`|X>l_KLgPird?Yn{Af9$UJTM z!2jfI+Cvvhi83Q&(xC1))YwB8{(sM~x4_K*rmpO9#=YQBw`ouPrkX8+ZF@~VaZ5Ws zQ|*|2J~jJ$C`48(rK^?Fz1bhkn673_S2Lyu7i`yN(Ns5Lsv9viHG5gsZFq*#>*bxX zyhew-Mu*iho4IA?Q_DQt2%cGbT`j$?mR=7$+#k{`_B?3FDbf5E5p%F;YY}rtZLQm} zwQieejbj!g{^ySDfO#y_>c_F9x<0XM9ye<2248HiXPe>JZs}RR#!{{qyr^aU(W0X2 z#D*FThYsZ30c^Z+=4GI;CVh8mA6g{*s6AyLqNw@)Tvhuuo78aU?QrGo0Oo5l z>v_k_eII@eZ%c?uX*u7A4^JPvzs4=9vNp0`Y+SPYak!&$JuSSVSyA^YSUIM$8St*y z$S$x^RW_;}HqKHFs{l`k zG-Wi!9 zYf{p9W4%c#3)E!FcodSSV5Af|wZb{gyh`!% zlU-E2<0@D6!Kn(dx0P9 zp8I?5?zz3^=AP?&uI{E1p-|KJLLDF_941*A z-B=-nQV;;AF&?E_7j5oH*?VD*QS&xQOjoO;XPh(4q0k67?EzA z3tZX;a$sAplt@i9v9Ooj3xAB7ayDA9t%;ULrj!GX&^Vcc%WY1QsPV(pP(ujmgtJ*E zn;fL2)hr9B01GUUK1flzcZhFNiNJDhV=z_HiSk)9oiUu4pwBIQe(B^JdcXh8pTjFwr%7xVFch0bdI;KRl!6%C{hcqC3+-1 z6iT+F-CA>NgoI>sJ}Oe;K0_#lX&M3h16DObLn?UCIV71!MdF&na>+)?)(p*w$-j}1J5F;EN$>MD#c`zZc`-Hz~r?7ZNOMWST>)t^BxvN!cK5~ zgCcn_w+YTTC8Jgn)=eeY2W>rf7=gG=kr)gQ&rWLQLMy!qFx?JX3KI{>x8^oQGD+%2 zM%7~CE$22%qo7ZcJE=JH?Tv~Q6%4Ldf-493ouTjoX4!caAZez(O_7obDYhvD7MX_c z%E2TCkxR-1D`UD*ks78Xm(FpYnv|o;Ily;#m=IVd!M50n@L4gD-Sx52)_Ue) zbBVWh^hi-QK0qD?thnAGscN)+eXtDJKTB^Y@j9uwRr zlpsPlB-~!h;#858xmWsLsh&GZ-Yaph_*5or2FJM)CL3}jEJOUET|z@*bCiQ3T_=^m zY0(DdJvS~z#b9PV_smHzy!11Vbf9BRY~b@7ZY1W*z>y0Wq_)KrT9%`pD$;dom_Qa3 z{CCsZz=4#UQ?1M#n1ls5->D)Up=M)-wGSAm0ycrDG#2p8G^R78HUE@ZrFOfCfa(^@?<$Z$Wb7Iba}%#mLNOrEa6m=g*iMm@UnLX5SsX^oS>G-N2Xx!3w$t9vc)wYb;(1aM^pmmbz1F2=%Uz;VNJMGmmp zx+2$>3Pva+loUf1)wAl(bYbX;=ake8>&3YfMUN0dvxzI1CRbzv5vZ zV9DIQv-i&2JALoey@SaT_YO12?ybMKXtvPP0)Vy=khR=08{w=%n}A}H&C!5yQ!C>6 zA(EIdC`PhcH(+|suwaeW=rSG$-WEeE@4YxmkNmLq$$8U4#Q^p&UVyCB!mqkeOrqEK zUfnGv3~Na|_7~4+xX2vji8t2nKxy#*}Rffwm+Y z-rYzNu@F3yh8G2L#@J(u4e%wR2gG*8YtX3u4J0ABjfO$i7^Mx`B2MB?CHg)g%ZjHW zXzVtc4Mi~qAte00YXg2K1y>m&hfW}bC^X@c8GJH>U19Lb4AzA48yZ1G2V0PNfZv8k zf#-9;Q}`i+(zzfYcCz5Ufu89G3L)UT9sE6~TqjTp z+Lw5V4uNM|gE$oCDu6+pFs)9Ew~a~~I$1C>r+BP~# z)Cv(UB6#o*Fr>sor^aGLUK)mR$^#?tIESO=z!Ct%_=jo$JRBa8 z3xbglSV3hN8F!+{vdfTX315L|3)n#!4mV8u<)!w=!JRl0NUVy8(b1Phd==pstiOTEgXe|TMb%Acx?fl z15_^L)M0Ym>C6#YB3uwqqhM%Z1(-Ym@WJ!QLQWqh=P@o=i)>P>HG2?7X~5b08=p|oN;8iX0ej&MLE=pFun98eMmOhV9ue;@~>!~vCnpHB*rI!8Yu zjSXQbjDUa#>tl{(2CX_o3Q#Br1}SubH;5Ue2F6dYY+Aa&%CaLM@<@sX zX!Ry3ORJo13oXtFJ){o`|0fvuBvb@IFQn`tQV8=jv;q(waS`mQ1KxmZheoP^vBpBm z%}MPH5KtE$2JYE2+aTglEi?%}%^*mI6Y5C$L!@A`y$!Ugl7Y%+rI3@>A79ttUO zh!o6mS=W~kaR3;2VG~UwTmzRVd<}sN8jz=vj%9@JRw0&`w7Sf+!#v84lsZI; zLgb_y1}iKG5ClP+0?q?218B6xGB|yRltGUWUl`MB1BcYK8AMr&00w>JeXq>1UTNU; z2#3QlOaT`eGW-Uxlt&Ed+fYc^L!cE7~^DWgk6! zDhL4IwGCi!0|Sq6f|rHqqgJ%BkZ=dn2Xl@HtYML?Ds)99fWor&#GN}iV_OcG4dmrB zrq{!s83YQLbvTC-u5#y3O1bC|e;{&348@cKWD(M40& z0I51zD-d`0)PT9$)CgKjjzWj%B881Wy0GpDmy1Yvc9O8H0TvQ|80e6PjG)L!6=CoY zXLPFJ`AH>`iv+Q=Ui6##VMl3DkhM zSQO|{WRNn7zjA=b55RZ?abr)7@rY9&Cdb3M^X8SmPikfb)o9 z6s&D(M!qS88yQS6S;7UUB;bQFdx)x>5ii2GRw>M?YauAXndBRwWZ4*mRLKLavz{6N zdUCXM0cJ9l;gjLjn-*bsgDAJDbK2w#7zscQMwo~&0Io8%4Dtud?L_XWkyJ_#?9T~% z5adUI!UJy;#8P(t9n_fBqS2NX4r$8+$dzJ0V}Meb3S}WjAcjEXhJOzKEdCk%)A&a# z!V>=k{?SGPEe}J@5Q1|=_6YLv59)~c8Id*qiBr?s1epON6=GKbH|k8FjS)fHtBLno z{9Mfm7#{~j0n^99D&9I_4BEkT0SK!)kEE2qn6!jS##l%=vFsRa64SDR8Rg#@z>2bJ ztBg+4MYyzLin~1-R3pb;;7ca0r36#Z8IakD^wkp@FT^;8fdMo;(O;g($|x7D8joYzjhIwEf@$ z;$h)=NG)eEDC3xA98H&E60FcIFc|TH06I_surzCo^VvyJHfV@iBmtn@0)q}iX5dk5 zf*3Rn@uy8awTLi2Hwe-oupFi>K%hCe21Y_FL)WM}B_q7FEevu4If6Mh!DbFbDYJo% z_N5rY$s{4Fm`*a=rbXC*NJn|v42RrF-&0cv(l0+O}VF*rB5WoFme(|$Q2{= z2h$xiWCj+(>z49lFtjX$C{6gBy;GJsf!ct2 zrl)2ihvjt9(AJay$|2cKR@2bHdG;cFlg8%+_vL~D{$MKlOnVss%M?j;$qh78jFF_- z$3PA&GpAvw&`+n5Z%x}%qYu*y58R=YMnIXNSJoNT!hxE^MeSRg5nUi&aR@CiI>?bW z8c}20gzQz;m2Xih*OC>66AOXE8X=HISf8V{aLJ_@OfrW_=Jv8#rnR6eW*L48#yF>@ zA+MSY#J%yfBOtTpv20|M7C%>W;BHGuF183G;1C(1bq+f&;qenoJ+EM{n~bN9=cY|M z1;TK~bJ-%;;HL7bf%S|+2CIP*5H}&FX9!Vgc_t%bA{PevJOQM7pc*d|M45K|O!Uel zRBsjjg)UU*P+`WU0)hoRb_JBS77jWkoiV3_RCo!kKzE~s_)wk)ET@wSKq4nJ5~_?@ z4;n$Q+r-3lw(8` z2JR(*5hxvuY2qr87zntPe8Vb1o28+>1*d`25Y<5m8U$g$n*`FcxnY$cVhXjR{g_O! zBpRqK%3;po`ecFSLhuu`D)LrRxXvU3+DH>?;ca2G5H=JY7r+}4lkLGW=(cNtqKty_ z<QD z4!{|$G~`ENj~iP3VZ9a*wFo%r0QHQp5OC=nfEJ!J!82_Qh@M)6Ai_tG2q{{K$O0jW zL6`yKU=Wn`)F9W0m^`8(FeSjz0ofy_g{)GXVO>v6HeOg*p;kpOI?@+oDRC$VbYEpv z#8UQVnRdu&&z;f&cFeM%1O&<%pvCSjaBhHpf&GJ|U1T9?p%2g^GQa;u7eEat?rCfcA~-sXeb1LZ=Z9Nygz(Ahqzulq>>`r)7I9^bM=BO@yAq zmH?{*PXeGZDtLEW!~=VUcYcD>Vv|;BYh07|<0Ht!u2- z3}z28c}X52Y7+hkK-(oq77M@tj$#m-nb0s=Wv36ia}ohF7ae6cz&R%P8#o;1l@+uc z63V1Yb0TpOfOL&yULvs5N^&?-i?9k()TPXU8agEq&{1p$5tI;g;8j{9X@K=b7aV~a zI1gY6bH)%VqESan&@e%X(>)EP~{sqZ3|zZRj-5 z#O9@z5gjwI0<7m1^qf(i0q`e`9pXA$T&zTZ)q-&)Sd;!lks4e>3W@;>Lf9NIAuK%n zGA+|}Mh~#Ig$id$J056AL`uZ*N>YNk6OFDihK^__Lkp{6Shkc^;Sp-WqiaGqRmPZt z8-p)Zn0Epb9QK<7)@b-0+FP#j&!IS!y&((XrTNI!_pc=9uzHiKHY<{hy&UdF&3r?{sLGkVW85` zJ_=&do*IO}Wdf5PL1hCCLo5&bhA7>L#)nFc7X1L9O>Pmp$pG6EEJb1f+cX`OT0`rC zh|^k1cY(=_3`)XVrWisJ>qSou=teU{yBWBF0V-Mu5QNSG`DjR&=&4ya_Dq@Nz@9KV zEv0rqW1uUDO=CG2L)0`43LwM*-dGq6w3DLslrc^dp?hi(acLW)wiNth{vB-%AcV%W zTiNzopZ)|vhexHwY)W>>K(1{JZ~%aw4Xv!!z6HxPd@~f^Dvx;BkZhBM)Uda#pZAkZ zqGgG4uMlQZZjfmKIjxSQ8vt9CTH8R25)gO{2|gln8#x14XsI1tKa2 zzaYrc1APJnV^~eMa0F@+wg5r`FNbzG+=fB4EfioO?0J@LPmN0i1_;kN{Ey0v!-px( zpnI9}MoRJnQ8R%8S)G7=1!fG98RA}!SOyG_q1)O3H8N@*v1%+yYhJ-Va|B8p(*X$W zx}1N?lBK*`m|IH0Rg@o0`O7fNit=1xmesMXUfL4Nu)>s(TXOjw@F=B&Vdl}Q>b3Z} znp3cV2)Cft7)0PQwooBRDp`FX3tP2G5wvJ&{T;3xrWP~gEYLBSfOxZN6ZFggu0VP` zRGjnZMWBskM;M%iDir{T0Fgoag>mq;nYlGkXx7q+ge`x zrVxEMmh!5lL%i2QFt~$J(vC9ixp)yPq+$d6sc9RYa{l1g0v&3IOr=OM`!~n44y2?6 zX=eeLnl=F2U;q+RLGCm9K7rwwYzWGNZWK9H%DDC|01BfllEgRyv$C9}IkXZ1G@M05 z2td{jf1xpoD4Rej%w3BoU>d;T871PNXMrhB`IT}n^?5S}>&KlMd!baQo3e%*e zg(*r&#)6QE8ZCZ6R^X;7FOE}c23LuarVyFtP^md|Rm23b0AkHb_|}Fd1&C?Fd=^+j z)C>jOoQ|>y7`ea{!QZHXp&2>&wx^Z?1Tg^8WQDPLVbLY12}Y~XOm_kU)LQN_wU|DG zP6B=-+a>x4HKj}ffGMa6t+z^Go}L;atpM?(#c#?=3c_HT1SKgc1q-9= zoN5P42&1DAn_-?1Uuf@=)%2Os812jOEpSF#3RVud@pj4?Tu$r=ZIUU&1bXZOM2sxGD zHjBQF6ur$-!A>yEB?b0O(}W@>Mv&YGM_N3eSyqgew3Pw|mE;2)P=%&-Sw#4@9E>C_ zey-*?*M0Fnig>|PxPYoW%wXuOghDRs-;8c*3GJI)i zBC~3R7@}pVXkS*F%mIDiloO$0&_uNTB34Ky2x|)m#8aSCu^t#1(Kj7zfSc)(>kejl z1v(@XC=HcPbCJ%a47h0>!Zt)0w`6$*MQio|Z?qbR_#S>5Y61w!5Un`g={O~?22OjI zjH18bFhclEl9yJ(`Sh|OPs!MpqHHExgmh9tN8xON9TVu~{sbk8(f(JX@e+Y05HGg? zh6?;C@v+K1HF$o6vJh7RS59fFh@}v`!t}a^AWct=7USu>5c<}Tb5Ys`xLTr%sD`DU z8ay#qBx*WIyrCpL7DZApAGH6KdTK4u7|bYqKSDesMU0rs25~5GOjGT)Ji$_%00w#m zQ%i^r_yMSnWhE&#H9a+;fe;NVN8u2(wI13Ie6LC6VYyTtX@ay^1j0}=43?65wblwo zk3`S-o|+YiARM#=S_*Iv+YkF5;SUn@BX;N=)Mzy_dPZlR0IZr^&{`v%#vcs&UFQ_y z$6*^ZWzzxZAqW9#a^>U&JjcuMEeT2rHB9=}A$q|8VZq6#pgL_J_0))|idK6l849jc z8Ondi5xN$WY=)82CUPVM51>gW`5@*Pqb=LkrdxpowSZEJ{H~=Pi`FrtG+e1AryQNG z)HI?s;4@1ZBY-vu#xgs}gaZoH@a2V?dN#8RmzfmYJ>5?L$sm>lO4hdx%!285hn;-3 z=71GEY&sAbf;ua8j$pWgg`xy$L_j^S5QW$T<4)%pxTjkrxQCI~6x4g&R$gWD%B{sz zt4L=_;R+CbMU@4esO+*MH0{VFKz4X%Egc%7^&{Gcq6}5wr@?M084(eo88W%qlj}!Z z0Qh4Xof}oPDbUUtokO=VAz}-(xor^}&}uv?^PXB01qQ8PRx!T_GYq_mqJyNI2M26k ztpXfcKR8C4E zY!KE+%5_8xLJB2KpT~QO+0ia=pbG&Itu-zDVoNSY@)TK*X*DiKoEE)y|VCUh+K1PjcN&9 z^wb2PszX4hG3kmHWLQd2b8jJ;jp{N$Kn=mU1dgB+a|{w~U=*W(m$Gzw3SzLHno_!$ z#pGK6&}1C#cp~(%lGB!br3P7~)oln5>T1M2g7T_W&@BwVXb<`v^FjyIGgzdUM8JTM6xLTH3;V!F>}pBugZZFCRdVnf(m;^_5l7Cu_M&d2wD{HT08+w!UiY@M;_qm;n|~?Hp>W$nY&DNqNWmj#wq$bm1k#Q1o=IIKRKu4)b zge8HP*i)k;lN=!p#uy|bGY%X~3-*vk1@IhRgm0ukfG(kB!SV)L54)@sP&wxUz`pj4 z;vib%0hsf^{?1t-D=DGbI>_>vCN($Pjpvm|xUzVfYs%z9`!Vk<#7 zhwkiX3CFb&en3`vgGFYB&VJGv;ug(j4sQfB8Egy3&>>RyeBd0Bb3hkh`QfP(8IOie zn{X%stXkFL=V~rtiV;)MeFB!Yp*5tVb&-}#00DZB2^oVZ>fA!I;FKDM5DltFrv)IM zA$4afz^g>pR!D((4c67hO!-uF=2P1SAV*csBg*8I6b9HsWfA?hh{ho9lvvT~C92vQCnqN+~X&qcEQua8%Rce%UWX z>=Q`2TRO;4ipk*!eDD|na19KW2wouqqr0H!!W3GF=->{hQmllCF?7~QXObVpROm6} zKnk~@%9*4z(df9TmLW#2fDJWaK7H0tW z5ZYvbvbhI*q|^)q5P$%h7sqLa!jUJsHjKk~Y9T253ULFV0x-UduG}dx7KUMnv@#Er zO-Xv*M;IbZ6fg|{R<~X};Rv2tpfaj5TKrhZ$)6~JYC1sP}+xx z<-qsypis*^yU>{mXoC|Qc92%5t9tNWg89?f&^Ba}d5{QB8@P(35Ne=Dbm*+uD2iqr zm_$1qld2R6B8;XRh%hqK0tyDwmf!@f>J@C^)Miy01B1!)@Jrs)EiDphJTWY5~#ZO=3+# zOcJ3zbRq-xofgs&3imp+s04I{$ww1Pw;sTWbJ{jYK?DW4?v|MSx*B(YJm8~sbZJ7S zo2+QpsGJ|pu0(idRS6DVa)~xPNCyfw18gP5LYPzNP-%;*Vfs9z42X^ek3bI*1;PdR zD<~#y*;#l-*-L(3m`=T-lxRZ4G%@&?Ymx}4_P`rg5YXjFt(Pgg<9T;JB z{{|+~s%}|&?8uEX=-n61p!Z)egQ)Z+Gl*)p&mbz<2%At2wR4!%6lI310cLCIVpv&# z4m$z$X*$>h3}P8LOgAdf#+#Es$)Z3o38*Pb+E;E7^TpI+I-HbroEZK+mWWuLFwJyp zq-K^9$pJzwVqwZI^^{Fo1O^rr#>LYPn_*D=&_cXSqv7UhR}HaHDWppzVFew6AdCsS z(`G8?>9k7$9{6AU>u{B1jE;C9q{URU2n1T%yigi;%X4&9ck8HxuC-rWCSg(qk!913OWs7=yoA$i=!IH*f^>Jx=9Y!aC%Ox z@%Tq~1Oi2CFdpP=x$GxG1QFP3=pm)IRnYTKCBzX$z(ffo}q&1xO2!79cI?Zc>!v zD92HbTYyEyQot-BJXcz@hE793);Zk*l({RU`4^D}s(`W43YdaUbpYEpbVe&9f@ap( zuGhzSNtllLyFCYB4ZvL#Mrs zQIc+&!<`NGtkB7jxpdl82k33=2b4=|VQTFcDr< zw$^J4gO%Y1$~X#>+*dUuTSfQdaRJi{#LO`#K?^1fa2#bWl`-{AX;h`FM(O@iWxuM~ zKu4bdPL&e2akOxux+~0vS)9W zj=U0qq`ux`pO({3#g zQ)ke$e$g(_#ynl`>N6cb*WQW7K#wEEnOv4INz%1(>}8sVjcTCg+PCo3h^riMKP}*~ za_po;#8RU;tx@(@drECzq$|>}mebY-U5Z0@aEhFB^2u3REGnm=5yJM}d6_OKON&w- z@Y34*CF*pW;zazv_rX={q7{ zwj}L##(K^|(sjh15{AMTk0Wt=_;j(yW z5&P1WB`{SDd`6C;OBGM^$=N4?;x_ypIXW(t-rqzr zfWveJlSO<42~-MGN=b-xt7Y3||0~9BBAGJ4S3|o$PzW(1*k}2X!AY?#4q$AfkMKr zNGMvp=t)o_p+W$m1gD+qD1(kbxQKuoI@whQ2IHcNap~4$pkAlo=l}z39yL$bQE3+p zeUK(I%w@?yT&-J70%TYw{G-ndPzJZ43%xTXBA5&z;ILGo6(%rF2OieT4LgKrjooP4 zwnt1yYvQm1Nz+C5K(d(mt!R6PlxSn(bXi%G3?{|Um7$?+1F#64idE}qdxsF&e>!EQ zGmKtLE=1iViaN8VR9G^^iWV1+^a;@_L*TEuEK5q9X*#b+2OFWrtnH(1B{0GCSqEB| zfE!T))#-~MAgKyThkv%X6Gh*9K+}q=LtUWTWi+G1AMk2)e>c+^2!PX$9HsG;(Xbco z0)wnMI)@GkMF5)M9q3eJVh!AzEi0u;yet>!^HYj8>k_5)BR+$#Y%rrKd32>jhDw;1 z?SgdM#lr8bmfL{lUX^oh=Bb? zyPy-@BA|540$NFDMwOsUS8ieYL%}7A))%WWUM^2Iba+2i3TqN0(J*PBDiVP|JU1@rsr)VLHPf7iW~v^avZGpKf=7#lpIH~ zJu`}xJYgg|BmiRRt|rh`_ucY*QT0(9XvDrCpB{9eO}w1F%;vNOXmr}Cq%W(UkZuxl z5Zw{*O%crQ<*|DrKsny{LQ{!fRy}5-00hDsX_*MnoTKM_cH00!ql^8@>U#|hXII

O+x8S<1N8sE?BD>lal&#Z$nFk3>9O1VV}tl~2vgoBlr4x361x3Sj30-(}jF ze#F*5`l9&Bz)vD}{<5(zpftvM)*Pzy`u2jM26wj=d^ITmf*6m$twQh9HWqTr_PbDpUF5{ht%tDN9l8>#ShK@Ets6 zrSHYc6U1|f3n2W^W~JGIT)(sl^Xyez2YE;Uw-@~WR*2z}q#o_lL9$Pz&sW;7TNQ2; z9fZ;jV~YBea+2~i3PySxd3@5z(l2g?OT>zjX}~iji6%<)RYaV$jm5Iwnvrz4^^2Rb zD$!OgxW%=5$x0U22f{0jTesSLZ;Ha$f1x=}cyfr+?{>dLigJ`m*)XPQ_3`vf`1)S) zb;(H-qU-5(xTCk0{ZjbedM4DM5DK|>VuM3er!H|1X%pg!>` z5~&1=CxFH9Q6&5xLu=nB-;SaX>T+88 zj<@{kaidR6=qa%+Pp>_bF?{g;ggDk=j_i3D zcq_(HMCWQ;m8)=NuJm7vUko{uK*zms0ZWVmgd$FyP0BX0J_`NQ#S`kUIg+J&yKHPM z+Td3jVZPx}-}Ikvy{M){1|HIJMDADqS|X6UDj*A@q*hTRGGl_1vFk}{BMOzvz1ygB604{fUiMhjD~J(%9(ozorWkB&`j zOGd~(e7^OuNNy$5UcX0}L1!e=#4d_;U_Q3t^PMA~y)w98$tNe=RhLMti)@0vK3ePJ z=a*F(V{WF8q`10hwZttV(nQT5V}Q#zkL;5{`p;H_w@t2s(w)xIwP>WdSc8?xy z@mE?k@gG-nX9^V~Dk|N~8Z>_c@=UkvG%dUCcU05maJJMPbc8$fna|y=&KpJlTp#P2 z{&}bMd_vg653KAEq#1oLVjoct#%C%1hH6BMxB#g+W}_DZyK7$z&v$oCmR*tKyRZIr zQDOC@lplQ_T(hmHjc-tkHe1I7)c)6^reu+e4&d-Gz=aoIfY`Vt3^HsB$Gwyr<_LeM za`ei4_Mu8v2W_3&v}4vvD;X=gZe3B63GZznzn&MgRbdCzpwt z(|odNc;mQDjq_IQhhqTu_7l%Bx0CvxjC&pLCU8kUS<-GM ze#yiyx_wXabuObD^_r;0LcD$3F4b*cc;dI4Cx4~v3!=L_Zc`qW(RbzB#yk&vNdDXH zQ36tJxFSx+JS96Nse>t69`~ehly5id5cm-REm(WDGwTo&9f2DKk7Wk}-Rp*<0BWB+ zT>{tFJS;m$U!zOuZ^;E7Zzlyhsj%T--Az>~XwphQ+0JpLS61TXq0{vBV$QjWx`Ejl ziC~@#|MEH|iFHKs$kZqZR^24TKTHn2%O8Ku8=#LxYg+yGN)YWsQtwL}uQe~s{qB$B zN{m#(QYGF#NyHvYmE!A2Tj2($8M+-qz|1>QYc^c~?323nqX(Ov-;0TxR+o;V`~Xf; z`HBEjvzDpWw}F{_%K*}XSZf3&l8LSA+L z^uhnPPqTZS2BygtHbkso&`>GaLt2CP`P}ojKF$8=8ZqK)`IRtO6f-JURBJ#LM&2vH^8J?Lat>y76}efst&Gc#9ksnm6j%c3vCSkpos5lbumy=&eZ z>jCBg>o0{Z7tJtL0~Y#c8jc`RPwG>I%Q z+v>Ah_^SdWs|7BHkD;=Ii6eQsl^Bmg;aT-c!%GtRwe8g|5 zswO4k&vKT806jv6o97o7&SEBt<_f|)l>|h%0#B z4KgFlma5tvb_9aR8!$HPvCNgYK!81@s4v1ewj%N0OdsP2(-4)Teak6cm*e)%)wn8G zp@9UF5-JNxRNpvRDb%INikiyIut%xMr>BvG#)aTss^)+ai5P&hmqY zUAZcW(hxTlCMK$q3tcgT`{K_tU*bEFop#YvW8HP=JOok0#t#U#Wbx6bq_}O?=$JW2 z;RrLA`Lfps1S=(K&|huW0p<#ky&Yp00}?3N%?}7x6iS2FB)|k|fh8B6+G>+FWG$|K zfTV;KQ*1{ftK$_zyiIz0@}48JYOFu8nI-KZ=4aV^fX}T%3na_*nIblBjW-Q3)+@55 z#$W_MnzU$iICRAa8;Kh?(mP_z5*FpG zPJif6mkET$p34MJJ^Ktw(Rm_IL_8iIgYWw@ZmrJ*3ieIy)5jQ*?&fmBh%tQV&l%li zrh`s_UjcJbS-(rEskzbc{GmVhlwv87s2D z>JhFr85f@Q=Zbf@=42{CoYF~Qepd#Ir4gnbK~_%w&^T+$P%M997toFsfl=Tu9vu7v z;9U`7iF1rtPy zjrFaF<}n_ylx+}v-=E??bm2s%n}RssfaBt_7&Q}`TgLwP{kasd=5U$P@uVqrUt&rk zOyX65X*E+(Bt7jW0jyhM)*4X)9b+F=4j4)DjGtfoQNJSQN~I zk(Rx0xL`H7u!Nr9eS0YknS`!E5rwqOYMY|nqZgTkmZe+*7BFA|1J*C-bU1*26YAN% zY}FUbDlv#9o#lI;l}avyz^|=_5@#7P%}=6 zTZRWD*%V7AiC zqqv_=wll&-N@k$Q5^yzvp)64+)RbCk*-uJIW&lQ2sF>_Xc8PCe6!p6vmFR=aRtcIU zb{xzxSVk}0?|G=<3bV9mVym|JY%v*|8hv)8|F&1 z_5n;7KOV)Y6RCh^ei8VkBORXmnrh$qVEVtEcyzs1N;ISKRGK+=+v-7dlpqI9QI)WS6&P9}0MT3elwVHwE#rR{& zOPiCUovU4q%xb}d?m^X?u?KOi54SftLV)MM*D4PxffDChqTL3PTXa~A_lDluV3ia4 z0*}Nc{Sr?!G{S945VtQN<&BZ1MX3;B-|h2+^cIGcJQ@WmPuXU*=uGTZ#}vbGGJEyW zjsGgmr?Ub*E6(@^jFgE^6hSgDb(J#{?nsPSJ^32CwuPQ0CYly8Eiv+<#;a$r{DO`a zhdiT_uO*yevsSDwMa(GGW0ZhFMO40XwIjxaKy1ROS?W!x4}a5t0QVjqHU_-`0F-tp A`~Uy| literal 24628 zcmV)eK&HPRiwFP!00000|Lnb6kDR%YAo`xaqThUW1OtoDQ2)cxkyySqdC^{xRrgxBG>hw|^g zQ{l0^ui@3JuHN+H6na;ytFkORsqpI62~Kq4`|ZznZ)V?5aKhOaT({k>b0_~y#vWwg zuU>@^LrlZRbib$&;_zpj6h$eTw3jC+sS~3Gap<(+YH=t^%FtZuoKdQ+OS6DWBf`@-dh9zf&ik z{s|}j>z~5wlL`O&`AfN<*Ts2VI_Y1>s&{Yt9`u`juzcSSO5gYM;r;KF^o1w7n^(~%4nMv7V|jf1ow}cu@JWZC-u<`FB|MeS zzf+5L_GG4|^QPuxN1%&#?gZ)tFt6{oK05gfi{^kQ!1J7zrE~(G4(r$OI{f@JD{aVb zRGhTaCotoPTca{7>Ke`4*b}%}oA*z%qRo!{3Dt6d@5`*TZzo)Yd~Q2uB!oF9A>M_b z-u?HFzZ4-mzX`9yU3mXk#zD<_cHSILi1*UnjNsn@qoCo2+;e-t*x2&;hurJ(eRAvHbpdwJB+{7{X+1i$BqxKAZDKro{h;H8$1g!8_au| z53aENvq!(r_RmDBSbbf3uw4-bMG6iD5F;kg)kn&`qS4e%O}Nhl=7$NVyYKLv~;LYv;DRVyUuyEXV~ev*|+67+BEEpm~m?x z&aWIuC%?3%#?%V^80oA`^axQotK-Naq=r%iv+j#W2t8FiWj z{O!wIZxGHG#!b!#zh?(@E&pZc{3{H;TN{j{ok-PJ&iMYTXMDe!@%?jWe0zg&wBru# ztZIf|GJv!C8NMxS{F}7doEt7-^;z8TQikP?-0&4MzJZUP#SPDz@$C)1jT=Ul0@u|$ z?5cOTsNUg{dWU`W4r}!eYxNEr>K!hsclb*64qu_(;cL`8TvYGy0w)6ZUwM#lx9BkZ zHT-R_T`QATH{t`n5+BRuZew0sxc5_0duEgVOmm5bb(=E|Ze%35bgr}-+Rryr_F|ho zvaTEL(e#2m!Azd6v)#|PQs`Q%9U^Tu+niSe)_iBZ7FmsBTDb1*ujj(`ynC1L#@D+y z>*+R=d}dCoJrMhK?=~>&_m^N;M?w#X->ed`uU z4l;M_Thu4CCv=M@X7j6V1#St#pV03bx};77y9;wyx@B(>o`|;Xldfn3*Tg5%+m=&T zwAqn4k=>yy_N8045V;fWpK5ib8|Kih%~twjt#&5uq->+JTbe9Yb>C>f;g3xRU#oD% z9R0Cr-b+9>lChu(V_nF_G-{cAlOxlcm_PpwQ z%se#t!~RM?uX1gl@Q3|1ep2PO1^!Zl8^&>EX}^8La^rdjU$Nfph67&K+v;odHhzWP zhFuxj;_RPqR=yY8Tw~Trql;?yLj4_qo8bBndun%C=lUM=4|~dYR_7-Dd%49eL%Apw zm$?pSTz7p@{rOhic&*iSYE7D5(vX*1Y;>dccK)-XyQR3_VshdIlM}C)oOs#f#7ib8 zZkn99X>#JW$%z+DPW(!f6Tiab#II3Z_$|x7+vA8u;hLB5L`xo$==nEGK0VRG|FG3^ zyVlCRBcoz84+6QnES6ov|(o_hz~|)LGfi9QRPPEZ$bbbMMI3$QS;T4IU*wuhu?o zk7ij*!2Q&xy5NxN0^wi3e0pE-blMJ9okp|LkoH4E+7BHj@f17_u8^##$EVL<($kmE z;r+W=tv;n@ufp8~XiLYs->leYYE83puFe348Ne_Dn9g7x=Cn71bGYwbg}cK~PvNI` zfBN`A#yKE*jJm!)P8`OG!#Hs|PMVIB_QpxWIBBoK-Qj5~lj}!O@gIJE`g5N>c7nkM z`t996zxf~iD%Q&Iq{2f!sW;0;I9gk?Mn9J)`TV)mcaP=QJ^=dRLoR<6=6y)rm;3PJ z2?ucV>e5l_i1T{8#%vhSypWSbJL)qA>3;L;-Lm$pS0@%9;r;gKdF~&HJ973#uiI|d zndkn&2?VXMLMv?3Vpb*8hY#WXKs#I%rZ1mA7ir!XPdnYAC2Z63LZ@)KQ<(C?FJGQ| z(uo^5e*FCTw|yYEXPvSecZc+#5# zOk2Y1@LvVZ4`I7P`2ES9%sI{W zq2%AG-~IBJ{e|au7#^D8GAtS(qp&e#! zhnd?MO<}kbVL_G2_XQU~$A`UFcG+lBH0K5AS$qBwH=$gp*^9-*Dt!|^eSCaMA3x-W zr-zRpMDq>a_|(=RbASFz&;IIE%lM}~+3BCIL*2$0 z+#ui+-N@rkio(;oyNCCUydCKP=d^>-u7}aE2OJoqe)-Vs-;tMKV49IfVdNSxbA14| zQOXV3NYf&}_0e|eY;!1xJ(J+V&cVS##<{|qe18@dm-t;!akG#+DxUkW+kJ4erOewk zO~*g|{7=^+0LDLC665Rxb}YTo*}%plvChPv(rWy57`R2;heEYE&vY~y8;&v#_Atpd zl{Ah;!!BrPl94q2It;(Yr5(qME?WMt5OD#FPpIF{c^Ah`KhlC@ahxfdCC8#2%j|;J zoNz4q6N%GuzWA$+kLX%uwJ<2gts6}!){m^a*JbkiembS$s+ToYXU%^uPt8GUW?#kW z+4)_c;6(aF_C)55Y&7g(;v-c@9y+s5&wA!U&pA^kk{&r^4=rH}LH=$gp*{}S|ImF>dnvXtS>Kh!<9%8Q!Po&OJxi#c9NS>%fnCe_LQHi4YCUs^iQOaiO zx(D8rr5U=>n`jR*#(@NHSGZjKxl4s~1KMZY9&X|G5l1(1yRgtzZa;(k4&2_O{RVCi z6K=nP_ISvp+oS#P>2vwz;jtXH#3wwC(sStM6{?&S_d|OeCKYOro>qLGQ2XAd!%N|% zv7(q&y&DahcIkLBJPr`_j7$^VqE}|}S|37q6yk5`LxF8i*i4p9)z$HbnN2tK7TyN> z!{ZrqBf4Nh%11aO40Po<|~uqBj?6^RDmfrGQNUiMpHsG8X`ug}%M(X8uBhnj%oJEubH^e6fxGqbv1c z{QI$&$(KU+toMFILeYQg2k|nKez=9(M+Tg8{A`eqFdvr$j7-L*FN{mexF!|u#0+?t zn*#&F&ql%F>GPNJLkf?Q4YnA_4FVi~KW(xj$})giz4@S~!?_PXEo|{q2W8|LxPqr$3j+hsS5| zt_*C8#xFyG6VWvi+%MT#Mm1t+u&Bx zt?P{O#B}bAX}>cj@e$CpGlq=`Pk{4@CrW}ZCu82nb@2djQA43{We3q}oxizDbr*K2H?XF7ns->!G}_rWyCTyl`gX=z9V?GawPMZDYdm)0 z_jzY<68|_<9(82j&G=oNYfM?we7kOyp+18(n-=kVuB#UO+oWOQ9be3t)!P|HItq-q z=&Y#`p$vVm=N@2x#;FfI{_$L!=G~kNa8hUH%#yPE+1fovDvk|KjC)A6&qC_+9aD>0 z-{hVek$T-pwFLhiTvaoqKGR{9HeC5dQJbj+dubjk(d_>=f^>kI5Y#T7NzTsCx61^FIZGvlr6$f zcz*(XCH!O-DYOqpUyEYt;>4!qlT4OViw?gX$Ioecx8F6snM_Vy#=^I?pG1jCyx`Nj zyDyJJFw|yT{Oc|}ba?vY#KR9gT-!aCOrP_Z1QBe8;% zE8eCRzhWKJxTq zPJ41^JE^-`Zv=8Ct-o6U8VX#O4>)Pkb+KRlr>$YWSxs?-^wSEt!(b(P(B z+$>3#1Y;qO3p#Z%>MhFdP0Lk16KtpG?oCJ^fBE#jJW1^831)$@=SKa7MK@RNl0{~U z4+g~tOT`Cs#n+Fu3l{lM{`w^3d3-9L9*5aXhS7(SEC`Wsb_k(`7MpoqD`pXYW-tEs98J4d;k>3?8RAw{dq2c;M%8SHSK<(N7P}VCcrpHE zl8I3t&lcI_^Wtkqn&!TL48K1irE}^{_jNdurZeDX)-n6A9pY`&l53bc zOt)XNVGTtROk%DOYz}8@uePp#zZc*#O=NoYs$u9XMdu^mYqJ}h_HKsJ5s!8<(XCp8 zbK>HpFMz)`|7p{!?v6RTobmDdWt$6fKDN5dKxu~e4rqJhXS4qkx&`k~=GFOF+=`5Y z9PGGOR&M_{vmv#jZ()Sq#VnUVZ1aFy@PNCO2PTl8LH;$GX5@GOTa(}Kli#mgY;*E& zM!{GY)VC$!(n53R=&sW~Ia*cah_ZK-Uer@cd=^Qqg6^efreA^mpiHRIesbm~Jq zySVu2Y=@Ew(e-7b&tY99I;||qCDHYY==40I)3+0yMEcE==(M!-h7%z%0r!Z`n`B!> z@$3+NyY=c2?aI;3OK1TxoxivIpAF}Wl7DGyaaHCQJBz=Aw8u?p5Am9u$4xoEdVaJ) z?72H>NMVQhB@UDCONVevk~`mlzFV|#2={KHdESlMgmR(gGDD}iOYT4X_U_$C(bcCk zi*h~}Pr~X~ADi>y;ll^XdmhVrD7op4SFbLWM+u)@xj$gJv8ay?@jnXcmhKPnU0!j2 ztf#u^2-!f=>)SB*6>buF(4^hp)H^!BhY#i7uc9kFrgoA0%(DW1@T|Z^ZS(E@zPZR! ztF9W!78y{ff0Sh(P}qQdnKxS!!oCN;E`2^~%jeUS9jY^bjy@lC-RHBO z@V57716La?x`n{6@(sa^SK5c`%+m0d+7mtte-ey~B3$<;ePiF3ICaAt)sE(I9mR(5 zTvknoTU-_wnR#gT;_7w;-EtOSozKv1i4MEF%ZI(qoq*af5f3-AXKJTao6YyOtZT6Q z!(JQ0TV%VHVP=!QL5{-1oR!1F?VK#R9W%Z0(94h{7hD#hZ|nA1@)I8Jr;Id6&u#db zCK*U9&ScDsqFWcLMYDxvFfHnq&H2YGc>UhPea;d)Z@I|kIETa!3-7%2aFY*f&PC^p zqnlW%uYMaRym*(J%HUzPQ-9XD+8e2>fyvkBjZ9i>x*2gcw)Vo&ZEnUF8`tepKkdD( zow(Gp!wQPeb5~wB)-SIDx2`zPbZah8WGC}q9L%oVnq3yrODx-OzS?kj;d2z4FkHLj zn{MK@6JpDp-e!MVus_|({@*y7uVVT&(PvCg|0$TB_nCfi3U%UkC(-=xsH(9S6r zb&r?a#6{p!d#(D6*bds9i`7Lgeu4gP=i=7c+!eXxVzuOAa9_#A;Jz~#%g9a$3oe#9 z&K-6w=C82n`}hSl->l#5|~e0`a~Yt-FvKKY$=x43Wrx6<0X5zO}z z@!LfR@7^Lj-jd0`j)B(0k7=Z^-;NY+Z;+ncUZn7lb8^mFQZ1!qc46u4Z?(L@l;i^H z=?Crt;J0ox?Ze}{nDtp}0)8Y+?A-#u| zPf1{SeE9J5`||YhLzn#h>sb7*Wh-=#F-ZdC#)BYaCNF}J9^&Ikk0~*F%%5>@ewyV5 zv^SZ0Xp_+V;c|Vl(~n!$o0<$gm{msGV1bR>QCzlJKh1a%2(evMK@waWq+2;?ax;NF%AE3L) zd1Fl2z3@w2)cZpG+tr<$;(xyW^R+}w^y1%gL*C7md`nI4I0wSxhmYxkE+4{KHadJZ zl#6R!duXjADEd7hV~0&~yq>mQE-x+maw3__WnQ42MYO-HVy52Q>Yn3QuZHVK7EdMU zt&h}Q(zSr%#!H451%5J|cF)3EmklqLjfphOgRC>Hl{zmjKj%Jq6WTok=b!T@oY?$2 zgFx{D8-*_kiWO-C2|+y-WokQ*Zrw631QxyS_<=XGUp3uZ_- zrsJKn2`_;EJ}ADQ$uEoiw)Ei1V`>@~DV9@t?KH-68Ea8~Eo|@C<*56Yq|S?hI&=1` zSA&4$VadI;qMU)8gQF(x$FBN_ysdrEH5jucrcJ61RQ_+Y$J;_b3tF5&Z+X81z;0={ zHT>{mG~w>!5qHyAjJjr$?uznZ@4i*xOS%&H(q*O&i&-ceH5!bIyL+i}RiCw<%I*Pp z9X79Jzxidi(=8B2RQ>kw`0!Nnr2v#xe+Q-KT*VP}b^U4VWTSeySp6EZFYoD>M4eww zdLHpScxO75b=1+c^kH*G{qT1JkS<{JPgkMs3}nj@HkXO@ymmX|6D-f zg#)Nr%~`n1gnw=c&S+zpwz@4W9Piu>HtqU0f7r%|=ULT@zBb2v zE!+CLkN1)Qa zg?`ype%qS<=DDlVvxHF3e9qcIdqhU46_F6*T5xI-`UoSnnuNSagj#&uUGQI3S zuYj3L0=BraU_-#n3kg`Sv@gq*sKzVebV+;O5DN1TG5UuX{X>kdh|%Wab!i87_2gDA zTAi`8xaeK9L>}$ZcFSR87Lpc5+9RH^Z$5lqT=5t+b#|F1X zU+xzuo=SLinq1r6y+wm3dI&9h@I)sF?QV6s@8Se^f1KptbpR6d57?aa zseArneG994`!CZD&9Xy#azlsiWLk$V{3yR?9rlMoJM$Sc-_EF2mxeRH{q@DbhAx-+ zrC_b^scjGAsGz$uKvj*h3VOd=4LeF7F;br1xJQ zAAT$E-j^0WxHY~L^oW_A84gE=_nTkumbE1~rh6ZL^Yh{XV+jMBec^T6?K*dp>&d$i z(f|IJhs(Fz{`fkyThPPP$9E4Op2BbM{`t-S5FY(QUy#(~a@qw%7@{0ud+bv}-Ps+w zTNee+v3(!M=B4S~vPh*MstKHygB0}O@-oL~{yY)&)@Yc_9w+IeuGo1i*P@;hFO z;V{kL7?PjtEcDWz=hnUdyx5*@i$4yp{y86p%W9vSVrnj>63H~_PeHZDhrUv`2}bAlbLXafAiDiC6!J5+QF87-Rx?5I~kxE0@242G#hjWOlP5Xg9ccW zN2>Hh8Goq-+kt9t|GYj;Ql;G8n+YE4_V_xK-Ou0XIQP)t^;Db^Wj#bag@1nr(Z5x6 zH_u5^Lza>nvXs=o68OhKkZ}-XJi%EV(7-0NVv`Bc)kt(0hz{3@{&WM;dlsLgb3uwB z41DtO7W&f(;E$uo?Xm%W0~_p)f_CTCHJnar5bJMd8oq^TL@aJo6TGD+a8MI?!Ug@E zu*UhXH$QbRTRYGE}c#PK-y4kE#~GlgyRoCx+lJ-?8C{g&P@M*<(@N^~T$MDQSRH!P5;0RIwNvCw#P|NEbqAxC z+u~hVu4Lm=TVsl@8F*K(Q3mKhd|n*tZ@* zZ7ms>RQXj7vS;cxdkA}b=%VG(O&6B0V4h*l`36T52{%lnn=RPo`m~00wqVW5f}Ji+ zON(=2qrxqV&x(r8l03t_#r)i&^NqG9en(sLf{`(q-uJXdZ!;{W#wMM{3lv6UlLr~( z4P#Sn8Jl0Z!|0?Im$~mVt5Xi9_O}?lT(@-l&tJ-n8fR=a-~TRc?!x=Woj%qU-5U}uR=|4&v{!)Z)bo=~lSPbXnds*M<2XBM(OddA)tzXj`Ec|LPGA#t zFWJHFEck^6`xS5o357A0e_XVLIc6VsMo-Th|G0VU(9@tiXiy$B*GFbhSY}XI=63CJww@kp+jETXKEIjG;cQ{~ z&NAB3KV3$C+rHSbQ*a}a-NeDW)-MxD-DM23A@6jlN;9jLn~+&w8$hPT(t6`EjD5Az zZw$=c=Dc2u-t4T)EfkOR*x;e@4hNwX;$=$oF$V2+wDS!N10@iyP-11hJwyNArmK5Y z^!D!N{WeYebO!{T;j~q@W4gH8SEcSP_TEcjhS;E)P4Y}=gVW_J8u7`E4o)6#Hyd=8 zI_oU8ud^hwBINv80^S}{7xVS2pu3O2yHwhRpG?bJtZ5fXxAD0Job?BhU996O^lWj_ z+16e$Oz&&k+V;JzV zZ2B*1U3Cb_;|r*n4RXukpB;hqKgR87JLNfpe)mpw*8z@590u2J1MCrfVZ2-LPs3GC zodhns8@0Gzm2_%%<9er)POv+~kY(mp2ce{`Feqip{~ERDh@KSAx2};0o~nT8*k*ij1bnK@7kqn{e}mIA1GN$C+HG} z{?PVC(!FHdg#NGaW>$@5lr(NZ#X z9+uroYA5hE!0_?u&*ifeH<)iGQyGXeRG}{av-8W$unE-FX=Q(0&a-RQDy$HDq3#Lv z_DuBUndmdYAHT%M@-!5khks~iFPoI^`ryUK4s;jYKATMs=8q5kSz(_W*r!Fds{QY- z#YC+1@WV8*lI_&A*bYBjEAAdG82up-zI^!i&*4+Mgq>QA^TGLS8P&s5?}nw`&6j!} z)*cc}MO7N4n`E`0nn@x9K5|G9+p=Mdk^U;V-I$4~e5%>>CGKQ$R>FuG4G zZ{IoX^~0C<@6VqHt-IlC+cODAU)wy2V=xZai|H0(2ba%~@^IQQhF^!@!uw8x%NauW z^z^yc=VKs4^PulnJ0I-)alFZRy?Ddm^T6RmTeW1yO}FR@jp_m#c|arYpm7$EHrOQl zXk7c8R6qHF$A&*U|4@gDG0wu>Prr`*`o~p&b_}A}@({LoG&;4z3-RgE52B4r>b+`4 z-3=9ge{02my0v0{`0duJzkJMBt2QdiGiz|Jc6T^rA{B!*)p)YHD#Zmbxs-e~?6v&? zj_Qz=%ibBvQKg)9G;F=eTrdW!*!UmdNQYpEu;hx)Y2`T^wu)5LS|e7}`3E@Sp_-(e z0aL234r+89ePUZNR;*<84{+o|%G#R3Ar-60s+w%d0N|`+tOVr;IGTeetOdC$uM(Mn z27Ojm0~q5>Q0WIa>H|@V+6SF%E-FG$iI4~i_=?_ofdp^_b@WGfw1;SIDBkO!DRE5+ zy+QE7TjOgf*2om_h;T%81b+l~1bYN?1bqZP0v!R5_MnO@pqMPGtg=m>4P?$1x#)~- zWJp(`=m;_S3{?}Wz*g;b!lH68#&ZRqa#9JZC4u3t!0^>U3aOY}wN{jhP6?rq zGMXI*;bnG5wnsKc)<@sTAQ;rLKya!03;$p zMWn1xDu;+%HEUKn8my><%d|ggchvT%%~9*4=A)*g#-oO#RtGLsgGCc%^d?%T0fTim zk|WDSreM@10GLf6$CV7QNf8p26wqR%goTuFg`uOtqk(Mz(W`8YwFZ;*L_S5z&P8t^ z*^)qrY4{QV<*X_$c?_loL#~4M7z!|}qD&UGV~haM_Gt75fTDFungH3WN{(_ZS{1~q ztB)lL6^y+Ezy}JbfYAj=Oo?YJ3kso1<|{05+nbT7j@6Ysd!<98lSk zkYmuITdcYSAeE?r0U~6>K_y2q8_*Qw$&{j_0Dv=q^%N)uwAv{2%BBFwwL0)An51K> z&;Z~i0A2@gL##D=U$yocAgUm`G}lY6}U@Vxj_Jw^Cop1RP zfQXem)q+mz>}qn}6o|Q48;oF80O(5qitpAVaxPk>!I6n3p-aS!-U}mHa|wV=!Ml>k zsZtbMHpNg-$|&tX6Ey(#5&%dlWu26<4t0hYP!=xdgF#2WiZohx34keys!_&NZEQ5D z7Gs^NB_+icx)Jz`BhXxO%vymf36n3O*iw|rzEtOH_yLYiT>=mwSfrT1sO&h{oT>}5 zE?XV27=2YE)ue!Z^tLLW*g02I4LT`{MFC{Gs*#e_UOQ_ID{V_mDvE{z>pAD>t!N|% z2WM;rlUb?ii&5G$D-*RXiixO*+HrVbcG1JVMTYE(|5B~@+2b#x$AR8W<`){q^9;+!(X5fx;l z#>I{goQ2XEL$Zm*3~}B?l~qvIxJ0glWo-31XeMhYI&X`O9}t_LL8+B;iY2pA-Wx@Us#Z2b4jfAdtJ=uXKuj*6GP+_8Re9p9 zo!1mY4=V*KT&)LZ6;aL{ZBQn0vYM!J2P^rSlPWH#Xj!S`Y*l14s=^GA(}*w56iQUt z6ta|+8h$7pcq2Lz`>coS_6u;o}m-WuLh4u(dm@H8Hk0TIy8nb8;XS-_aqV-1Feyq z7d4557>iS~#Yp6vS>3U;Gd@sJoSBWzNZ46Aggn~7yRDFb8 z3uBwnL1|(z8k{oKnn<3Cb7E)8=7X9>b99JNlZwfEmoZXF3S*?gltQdox!Mg(R!9sY zG#a%cr8F4Op_pP>bLe^6rj(3Lm_RoR5q!Yx9QhD57S~VmCG`muXG)~%Rf3o^=)#;` zCW|IxsdUwfbB-J-iZxKsp}K6@=@decEtDaB)rw{)kX+C{pofqvs2JEdWfkZYS~YVZrE36`DT{H+rnu-;GR_xA7;_IT3YBH|X^e3x zS60Sm29uKDqUIi2OcqPhI#!2}d=20U3UhHHS)uFH9}_(W7_|l{!`P~_%AhGe0aip`ig#?4L!UVjn;x2pU}AC6Sg$;~ zl7x%1)iSkYn?ikgypi!G=gcm!)n0M*1&PUf7Q0)gVWv6C-q86NWbrA=X~)hh?>PHv zY7b3b+C=YaW!6qZi8)(mxO!rf0f({Gk`4I4uIQMf4&b%XiAqhOcrJRtTO@W>6sxx- z1c>A<6wkFpYl$0M0vZEhxXMYqfTTpyZTf70f0ko4f*Vsc488I%)lS__pXO z)>W)JJLN%%5e$I}IfGf{9vy+@hEFOEN~&4sAcmFkKs8wdW>IPe)v^z1Fh${1^CJ5fGlqkvceI1a9viPe(UIqOnl9_jAM z*-B1!#DSd)U@|&l8^m2veHggNdS7y}+JjDvP)iiOpA{o!(gWQoWaGRpsu-KKxR(MI zX=1aNu6t-Nt7l4##pjeT2TbS+ddR?8$d05`xw%}}fNoSVdgK4666eA3z% zbk!Iz>;sovL&)fR2OJ+fb6`>ZqR>4jSF0&5IB#`fB-KN6vE=Mj3QWm`>?xPxvXfOF zawrYgU=EyXDLz%70-;82(IW(#sd|m7TW`P~vbH)W2(F$*P7lFNZ zu|O8~4?6bHz?))xmhDsw#Z%15ne1ZC4xIwqLknc0a+*zc8ptvD8dS|5lBt%p8OG+s z7_HW3PK6<9u`X+cWK=3C3^UCL(Sl|`BhK7ZJr;^dS(T#2Qoak`AV;#1b;!w9GO{Y_ zL`i%gs^@rt7IUpmVKiuqVREjhfJh3V6i;o-Akbor)#f5B#IltyXlyku26SY6!XBCm zQJLg3s%mY>R&(&x7bs55e(QQ@lswwtbmd4UMtRT*1D6tF%v`v!CH6WO#aD_)K-f~c zApTWxu!39J(8g$Btpl+IL=rcaW{xU2Q)|`{5qSW)Nfql&6W zi^UpsauuT&r*kG_Wp~9+g<@=h0WA(<*0pA@fJ`x!6rva_!KUI(BN^%g6In81XcTYR zX6?Q3RJ7=AG`8t7d+^4Hu3_d%oLzD;Rc$e+po}p%P>hpRDkO%OO|{BFv>2EwC-w@9 z?T2O}`V@4|)r5+bb262nrjiXB*I6%M4wS1$cN-T2f&}6f|nX#)&B!8+Onhl9SUFc827@$LW|IS}@KA5XWd7 zpvj&kdtFLR2wq`z$!e`!tQu3YJv1s{jLt3xn^YiYoa_^9QK*ShZhV05fWbM6E);Lb zs2nn)_sX+HaW{lUVDtxJ4Yb6Gl&27#W&&2uk|R!RO%F|%f)3hND=0&{R*qhr5Q$B~ zZUck6UWt^Nonbh!_Y7U{6tj^FPCal$<$pz4pOU|a~jf=VJ z&d?IPq069iHkGm~888{b5K1V~kR$poc(aaD_8vSXD4BE3#8E{{g^FiedT0>>hU}^~ zxh4{)R&U<{nzAMJWoIkjZGyHdunHgRa_U zR>Mq<17$PUARcIrRlL?@$@@Twt#2xk;H-C*Is&OZz3X91?aHnKD(J`&eRj?}V)iL% zw9HX+C$Qht1=NzMh>un1P2zzt$rZ~c`f^4wU<^TrEL$;)U_7%YP0^=hO73Qh{y-@z zAgh=Yf^4#ETOo-`t+im=IT0RY+eDgkU{!L}IXf=0ja4Cv+e^239cp!s3W;|=`h<~? zf@iWNB!@{4yyQu1N1@h)MiuK&d0%4n)oZa&23}IElT*QQszpozU`l|c=xD4QO%8kx zH3#Lvp%Erk3b3LMRMM zc`g!J&`#0?mnG{fr1)J)jEcD4q)*hTFWCs6gOJ&tRn-UfvAk3+;kE! z9f9!(EWbtB`Xi7#0@)*wIRfb;(8cpgIVvi}atzhDP|3Rr1V!giBO2gNP`|Mgw!tZq zlQh&S0L4nKCa*<@69+qp42wlj#e+?{7VC5&XAM?mjAh-64Etb!Tqfm1&H&M4ki$_Y zRqM1Ei}}QC1Li$+01CHH02mCA6Uy z3zdxL98503CuVGllQo%K39-5y!Q~pX zGY~Z3cTh7NllEH6F>+0uJ?W5D<)}DE**jl77bjBQD`z2Ks)4h0IZ_6Y}+p$|dpwG7E?8v&B z!TC~@m|_m2t|oV$U*-cCSz(n*m6V)Avo=|i&C%yfv6-)y58`eBlBHF`oIt_^fU^YB z*a9UCz+6^F~!>XOA1ZaS(lA95gF z1C?61rr^=$Od*hGaSCG99k2@CdaN9c(~PLIcgc7(+8OjUxdB);6_F^&Nlp=aR0oxl z0jSm{*TpOxqGbs%)7}sThs6?A^pq=G@2n0zumnZ4u*>o!9T_>@QtYi3PbN799Wclk zs$y{*ON2{66Kg^Vcwr7T>VcZtK@BTKrK4iFaTql zoT9*>p&DIHNZQAmGZ6(9eLu}Wz7SUnN(0HpT4^CA=tPS94GZgUR<*3eKgQUoN@j;s2R!_ZDr#jhZI51%BTbhA@im7p;{NCjDq*# zeNwXH5WINIMO$Z`PbnpRJ<2Gsc)Xn|;^AUzaum)_XqC$7pc7gNP7EODcuF>3!Bra~ zIAM!Q0KQ`ZbI8V4*~}`c6g;t0$|hT4$yTWXx(Al!U?^#&ETtF$!KM^BV{AK8E*&sJ z3my|H%t~ScR0`D>t{hzw3#11oj_g#8QxKA@60B`NmjrAKshtj4a{%jsg`spNgeWm! zDq`l~ikuSV9$1B%Rt~5RAG{Rq3MA! z)DVqC@|mKNsh+$eNLpms#=!kFvk%5b!s;DnC6Sw2Yc{SinDIR@i^-BhDmH1YZ3bgv zjX);n1hF%z%|U#7(JM40zQ|OXWtGTjtCC6@25M3X0HC$Rb{S(+EkPTnO|UMY`5rjS zC;^2=k+04vIo^#n%HjY;g2VRg8?ufr(rYy}0yxU@GJsOe#u~1K%7pa!wj7T;xXtOhmXvo$H&fD%{$hz?801r;&4oVEK7YQ`ah#4u^+#I2=Klbp_E z<&rJkapC2d%_=^0pPgsU-dhz*G)U1({I7TInCME(W)yv7AW=?eL{C*>U4oIbf7|ai z-9gHg#1u+YTjH2VLhr20A|upos@)+LCx@XSAW1+|s+PFQT0xMb>TOMTAOtTPiHPhZ zrZE)lG#PfWs_IJafN6u-o2bcQils{OgNd$Mswo57VPu}<0HXQ?MMTDCmsn$|0oxxW z;MQ;zbD#r;x&{}3b^`wJ6HQ$*Er{$`Z(7^#IJV7hfSd-m%If3YH~3|?KC?F$w`E;D#~j+kRO12mB4C{QzWhB zWYgLTo=c3J&38~UDcdZkR$43elAn}P4Z##KQ^~X_u`3bqQI6w71gm0HsjZc@*g%j0 zL&MYM2zckg%JwOlBw9%&n~5d-*wqwcXhJIq6B#)$vk%295%3gI`pf#?bMwZGn?Q3eIFw2@((svbhg!;dJVtBZbHkIA??#(Ga7LrRJ*1yN;h) zT&MO4LvUibnq)%dV4O1=l~T580H+SYS;!6%y#o!gC=FaQg2J4$>OwNa7lv{)A&WPN zR1~ycv10Ps1_zMEii+N6h$dptouX?8C0Nnukd63MnoVi4wCilT(r~oj>Jd8{>CgMU-QTt5EIco!I>m{HaT&f)~WsuM$WyKJbbVJE3b681u zU;6=P$t&%3@x~#Fq2e6ZDmGV*mJ9WK77QpOsdboG)l8`XQPG%#t;v~YI%@c4(>WU( zu*O2cSj?gnlB6s^$O)Y91@#*{$w@222C0fA#a^>F)kX11fb!isC%mMb)upB+i%L>Z zw05$V3mb;qMd+(T#-M9de2KavS(zMi*`1M ze?2HF!5I>da~*&cZ?T96(=i8(M$QbhIC}~}ZAVTot!A7A`8u$yP(oHxPBE4cia2tN zx9tE!^AR*1LE}NPi<7R#YN{qVpp?9=65^XljEh!XA9QpWbWxg4YxPbj^stb5IT>9w~yC{eNemXe~yaB;tim;pif)!&#>oGXSAmKm|pz zuanI~sM?ZYg`ASDl1N7id#Iw?3loB2Rt&kMWP+rt zaS7;CnN?0~tQ<^w>lw4M#fX-&Exezx9S4HMxDC~nO2uNy#%Kc`T$Esh5XH@+p)HK( zQAfyLP6(Z|8c_m^s){*>=(39r%&amS2}o5g7$vc0-p7QHV}U}>bLWYjV8nU0xr)oe z8o8(wTRZ6Zzons`*;arG8l$n+|r>tM)gN9uCWycS!`TPT9(QjRW!zWEAh%HQS%;vr6b5e zsFmO9ph?c;EO=&ys%r^izH*Y&3GccD@_7R%`x#}Ut491L*=91)M@eqcT?pE|K?2NH z&Jrck4n+jbw~fJyItP*h$Del7T>2 zVv0s(4q(t|No{HqcXR|2Jjws`6W4i`a?w~~vh zlaH(|XPu3NY)WR9whnnv=}vb_%?WFX=0OdVRp#uK9LGhJYy$C{wO+kcm3s%=5u81O zGY8ZjAZ3*@W*@bdOaoE!;=uOV^m4Rlq@v9hy>hIp*AW23N1p=*1|K^2t^`mmnt{U{ zg3H!P_IgpZDmjyBDW}D?&6-&?ijfH@0(kHt$hI+<2(q(5Erw+4i;v*x2p$i{S*wD# z*@WV&fs%EONe;iP!bm;u_mw4SviOQAL{nISwb^l^Ty3b!*no3A3Fw_ia*Z@-F!-hKrMy2cAz?z~ZdeTd@WaAifKz7N?A(l~Sb*KR1Ua?il$yLR+kR5c}HCU9;eX%l)rdp() zmmG~|exQUAdf!=B-brGD&zLgSTIE#05bJ0p!N*nI`8rY25fvU$azJ}-@mb7ERvvamPN_+XEwM=e>s!prO<9Hp zJI%>e?Ph7ezDV~X$7L3oM`aYG0<0j%yOf{4^sCEu=g3XoV?&$+I7EeBtYEu6?*72P zx(L_;NCvPBRs==H;wp^7b_Z|;eH9Q=z*+&d1^=eTl#MAGQ*BIW)?RKYdJZrKr=CHf zYmw1TlzaWY^Z8F3D&5Z7SSt!P|1&3!ugLc5n0!mU8DNtiXsQpUUIKNVsK-Gp$$L>3 zl0Ba)F$Nt4cog==;K6__14a#KH-N)1y2{2S8kgF*c;jNPbfwkH*kvHBa~y^JJW2sw zWtYpS0ej^qnvSIu)3he?NT^AfP!{c_O4VJ@NarRZBD^?Az@k325jg>i0>|O}LvCMhqDG>nN+@v2%Z7kkc ztg&cgk;cM5)I3URxge85%U$Jk>%FKD6mxw&BmMd2C+IESUDqzjR@BGY2s<7ua*KXr zrN)x)4&vRxk2UTJJW%agW~t#tD{T~}SS2Nna>wpZ)Ac=e#h)}*Zmi{pyFv+rqt!me z4+2$8a%x)jJ~!L@bG$qI7ahsbo(r@Z!?wA&g9bqCb4^qL-Or>?HyVw#Hdeg;cb~6A z#pCR%TxTG?h2$|Ri=gm{eY=%k-t8(j_q5cZr!I&~@XYYhN0DRm`Lz7YyM-uIZ6gqg z2(2UcyPTwF@>%tEtNF{jCEud%Y&0l|5knb+2uiX!;#sLo8XGq@yry42gtbN~6?+A( zQfT<>xiq8HBTrQ>n|^c%i*&4<0i+kr)4lJtVuPPvIK?iVzR2`%uP#lABz4PyS@j(A05cXDS4DE^-MPe z=G{lNd)OfF`#1J@55zt@km|$9Rt&q?0i?qBW|@0RqR!_T2q1O&`N6E4f*7vHoq$i8 zqDUX}Tyvhk4#qz|7$JkAPM|psE))wz?Rs3cp>Fm!u6Sb5e=;-Fx0KK#vzCLr?m-Pq zMct%y(!2An`Kq#P@G`#X=;$c7DHr>=qLf>Y!$Gf6f{+$k1@#Pd^dgmJK~= zpTkF1J4g80#((3&Bw0Ot+KgI&W}|AVGS3|R7Nh(%Z1=4uMn{Thl)Tk)z4R=zI>cvj zZzw)5>35sxNu}gMiM}h!6e-uvlV=CY;pjF&e>Rc$i^f?Sr#DV(oZ2|0adP7P73-Lc{a_zI~L@H^m z5mjVlsaXkVxw+QUr2L~MT?TumcLYzQ_!1d9Q7y~DZ*x`Bf8w)#BX*s{6ErD;K1shjbgG$Z*ttoSQk40t9LKBOW6KX>$kx zgbdvSiDc3JIKY?1#w`o{I&Sgj0a=PQDcYpSi-Og5Zd4oiK75L1?T5WnfpFj(;f8NF zgfP1s((|qhQSoqFb{t6_I{SR{wEgX-_>5Hm#+u8ALJGL7pVKE-s6q7`r|oYyg!LbK zB-^FTv7!%~3#ZO)s71Xg0Qs?x$F!XWBaV4PN`(yiJqZ0~bvp0UwlMy@3E~uLO<0>S zII`S?OB1Fh=t6O4qsi^&$36|1C`OP`xNKEVvTaKW(sC%uxu1qVIs~%p0iE@56pk(u zgV1l$%)080lnQvc9~{C)Q8O}j3q|yKdXzG|@3k^$-;<$me0B&mVjBv5YEJxwx7(`X z!Ut4~yABI|bO>W@R?|FXp1nGhbj$OCm3`CI_X+1mhhPgTd9|@Q@dh39WBUP~gBx;PFgMK(cnx-20!wpqV_ zF=L`;*3H3VY&%&I#CP9O>$s@}M6~|q^1(=h76x8r#GxaQ+4wk)v#LMY;=j8%nRW)m zjkc(7qcSK10;)RdzB>@{{M*YbA20_f2QncY!WZp*4s0XmqsS7CCR&@QH^D7eZKCq$ ztygY>+YOSmWE0@7v2y)>`{g^MpKhJv9O@_`t~^m;e2Ba8kt+ug|6KQxD+cuw5Ka#W z9+2bmwVC7ad-CeXx~Ih(PZVt97e2i7kvrBv0(R>8edYO3_ksl45-l~8QMm>RWcmm~ z4)B7K#r~i6h;`Xub7o|H-o?WM+o@$JqW_!iTN|!?V z$?mgqkXVhAT0oEz1d0G1@qX&X_=x7mx*t&Pdts@C6M!6?5g|V20*2b{-sp2bJRD%h zvwg?X&I^!;)zxu+x|<)d^0|BOD#dJ%YFw!x_7b()K%{7<9fvd|Z*Nyz7AFM~5)>noenB!=@vBSuPwgNPSd)LI*cQ`b23z_p6}psD?s@ zQ3auttx#9EXjvCHE(i*Kco?KpU|KR?o8#WlyGTs174pU%B(S>dLKDg zxrWr7s4p=1oJrZf99Gy3^iDRtr@;fK#CDDKDz zD-*}}Nb~nF{)-t2299fIXFb5y=75@~17n_KW&bgh|K4ki0fPdZ7t*6p~OuI|AkXa zHpys`wMlxDv?i%dQko<;$?palR;rB=XM1XTjJ6C1+<;csT!9Zt)flI zn$q7N^q@wwQIIp~y>Ka;rO&NmYwWsjd6U4~rZg?ol(H#BQ>snL|7Y`)oyQcEd!2nI zMEggSKrw=<v4H$! zGYr&#UUsYrh(6xY+t2^3y!Wvr4lI)r{3*~ozzW1S=n~PiVD9~H>3_DH5=W_yH3_wJ zAr}B^qZsPzpJIJ2`2PR=M6K+x%oE(^8Qp~lx~qi;{OGqNRvCXk|0^yDY+S%NPk`r2 zgN51#eRD+Ay9P1;t1d!|f#k=M&?>1T1IuaUii zk(4&-oPc^gpTz!kH)kkU&JI+p?K1E4M!o3qrQ-_eenmHl2hM`S0BX27hwZbXjw2u$ z*JpM0e?Mtyn|bxpi3W z2_H`$$_*2=P__A(OHNwVu(z~*8FGN3mtKSOh|1#|NnLH;wAF+q?t}l?dbRD)6F7`1AdDnoDHZOK5cb@++n;ZT-Bo7gIu3EHdB9tb z02pD+OE*!-B;Ri*^Lh+g{slL&f#{J-m{#3c6a-0;QFsp23t**k4Bj`MAH$3!W zW_Cb+VQ;2fd+HJR7!06@ay_=4q(K{{-$XEd;5C4pF`nCWJbId!R9V;g@YFgg)!??@Qe60gkH%7?}?VOXTnJj&w;26(W3SXH&ZL$?$f4+*Og$4z%>=+7JL=4w)OD)7JYr; z1aEZln)SM5opZRBjm*|&n|1u{h5vL;jbA(BsNG|O$b!)#Bb(IWP1C zoOk^EoV$)Q1cFhVlZAW6efr8bFEkmD4hmPAeNPQ7JHZPsRO`9S->>HMeJN?TI(5MQ zWs`v$76BC^O2l;P*HiQRU<G4V`D)N9}fRR>SCj>!e9o%?1*mN zm{$EIT~&n=f5=81P+uG)t6b7Dh*o;fS5sjGOKEOL!wP%WX0r-8~q=Jz)BWXt54Dq$lR|i>loHflNAjJjK z7bOr?xAy4wvf7Ni8NwCGDu@WHi^J;GhVSB4I}nODmSaVl6;L4Xnwn8Iqj;GdC0J*% zf__~(!zE3nM;TCN+)Hb-;?E$9HA4lKzZMnX`p?W|iswHUf^~T*J9}IKIK8IOfX=`f zc1XK|bvg@>FAgi7o8fxxaXC>beFM$_@y98r4p5!7mwQHg#d4vJq+Er^CChRyO2wfq zB){wJOQ{Sy=?;`=g5x|4?o68*kX89&1M3DhyDE-tqY8OF8>bPgVJT~Vv4Mr1aIaqD z5N-FN=T@-;W>jGn|HTFtFr@AW1iun13-ApiYQT!HI@K?Bq#kpCTm*((rOI*wmT!1? zc00rGd{&*Vs{@#f<$hZ|wd40;SoyB4vAnDYtlaAXHz~3Qi%;09pf+^Mvo!)`R)z^U zSJ;Y@*RJariFrQWGX5GsYj5d&_}Y-!!HZaYV8MsG@E7w*wz>dB>*Z)#G470VqLRJ# zhh^~B`ILp9ry9=^7$0IW;MbaO?jrofd=8ZXECG8ehyO#5~*)81Dn#?dOzmpciGcu;dr>2`nM;mQpIta3x0V;92x)EA2}5 z|2m%&=T+m={m9kf*jluC`=x|F)Zi?DsBU1>2Z<5709P${CGBhFpQ zUI#l(8Sq608Dq@8DO^g=gyGA6jzg*wAchUIZmW=XgWpw2a-PSm(O>w<_$aco7C>P$ zuF70MdD?bMgiYw~?Txb;yk}fcpax~>6+c0d>?L}|Nl|Y_wuwIXNTiu?GbyhE_i}&^ zb)G^JY?;;fsylQqya(`+;SqmOyO@;o9TO;`iv92 zS19k`&O*m3YP#Gh4F$LWp})>h`Sf|xikaZ z>YDCSGdQmsdg{(apdy_Gz`zx=jHKBEBJ zWQ;*5Ctvf>>_cky95U#QxUrhez>?fx9KcgtPdU>Dz*x3+?4Q_y08MN-dRWw;7XwWRnS>^ zKRqWm19-yu1y2P){HNQwL+k6-vrQm7<#L(~=nvpCaFx6`Dm>Ou@qGv`-~_n7!GmDz zd0njyK#wTFM8^BAq`XP+ zJVW?0r9&{4!-4vEf4sbJt$;n}IMesgS{DFgsikrv!B!sQZhF8~<3Lr8+B{QY6lt>! vfs7q~9oOoXo*96spTe^o2dsF^*kDiaa;@``I6DL@&aeLi8r7Rh0Ez(s!jECe diff --git a/creusot/tests/should_fail/bug/603.stderr b/creusot/tests/should_fail/bug/603.stderr index 89282f0f5..c3b84c8db 100644 --- a/creusot/tests/should_fail/bug/603.stderr +++ b/creusot/tests/should_fail/bug/603.stderr @@ -13,7 +13,7 @@ error[E0277]: the trait bound `VecMap: creusot_contracts::Default` is not (A, B, C, D) (A, B, C, D, E) (A, B, C, D, E, F) - and 22 others + and 23 others error: error above diff --git a/creusot/tests/should_fail/bug/878.coma b/creusot/tests/should_fail/bug/878.coma index eba933955..b29878e50 100644 --- a/creusot/tests/should_fail/bug/878.coma +++ b/creusot/tests/should_fail/bug/878.coma @@ -112,7 +112,7 @@ module M_878__test2 [#"878.rs" 19 0 19 14] let%span sboxed7 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 let%span svec8 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sslice9 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 - let%span sseq10 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq10 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span s87811 = "878.rs" 15 8 15 22 use prelude.prelude.UInt32 @@ -254,7 +254,7 @@ module M_878__test3 [#"878.rs" 25 0 25 14] let%span sboxed7 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 let%span svec8 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sslice9 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 - let%span sseq10 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq10 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span s87811 = "878.rs" 15 8 15 22 use prelude.prelude.UInt32 diff --git a/creusot/tests/should_fail/bug/specialize.coma b/creusot/tests/should_fail/bug/specialize.coma index d6c798deb..b6a48e240 100644 --- a/creusot/tests/should_fail/bug/specialize.coma +++ b/creusot/tests/should_fail/bug/specialize.coma @@ -43,7 +43,7 @@ module M_specialize__g [#"specialize.rs" 27 0 27 18] let%span sspecialize2 = "specialize.rs" 6 9 6 13 let%span svec3 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span svec4 = "../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41 - let%span sseq5 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq5 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed6 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Opaque @@ -169,7 +169,7 @@ module M_specialize__qyi2463200954251793265__x__refines [#"specialize.rs" 12 4 1 let%span sspecialize0 = "specialize.rs" 12 4 12 22 let%span svec1 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span svec2 = "../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41 - let%span sseq3 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq3 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed4 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Opaque diff --git a/creusot/tests/should_fail/diagnostics/view_unimplemented.stderr b/creusot/tests/should_fail/diagnostics/view_unimplemented.stderr index 7c2f27fcf..351eeaf14 100644 --- a/creusot/tests/should_fail/diagnostics/view_unimplemented.stderr +++ b/creusot/tests/should_fail/diagnostics/view_unimplemented.stderr @@ -40,7 +40,7 @@ error[E0277]: Cannot take the model of `S` [T] creusot_contracts::GhostBox creusot_contracts::Snapshot - and 32 others + and 40 others error[E0277]: Cannot take the model of `S` --> view_unimplemented.rs:14:25 @@ -58,7 +58,7 @@ error[E0277]: Cannot take the model of `S` [T] creusot_contracts::GhostBox creusot_contracts::Snapshot - and 32 others + and 40 others error: aborting due to 3 previous errors diff --git a/creusot/tests/should_succeed/bug/final_borrows.coma b/creusot/tests/should_succeed/bug/final_borrows.coma index 2bb331f3e..f24432591 100644 --- a/creusot/tests/should_succeed/bug/final_borrows.coma +++ b/creusot/tests/should_succeed/bug/final_borrows.coma @@ -1943,7 +1943,7 @@ module M_final_borrows__index_mut_slice [#"final_borrows.rs" 208 0 208 48] let%span sslice10 = "../../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 let%span sinvariant11 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sslice12 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 - let%span sseq13 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq13 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed14 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.UIntSize @@ -2104,7 +2104,7 @@ module M_final_borrows__index_mut_array [#"final_borrows.rs" 214 0 214 52] let%span sresolve8 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span sinvariant9 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sarray10 = "../../../../creusot-contracts/src/std/array.rs" 14 20 14 30 - let%span sseq11 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq11 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed12 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.UIntSize diff --git a/creusot/tests/should_succeed/cc/collections.coma b/creusot/tests/should_succeed/cc/collections.coma new file mode 100644 index 000000000..f8345c7cc --- /dev/null +++ b/creusot/tests/should_succeed/cc/collections.coma @@ -0,0 +1,1925 @@ +module M_collections__roundtrip_hashmap_into_iter [#"collections.rs" 15 0 17 18] + let%span scollections0 = "collections.rs" 19 14 19 30 + let%span scollections1 = "collections.rs" 22 8 25 80 + let%span scollections2 = "collections.rs" 27 20 27 79 + let%span scollections3 = "collections.rs" 14 10 14 24 + let%span siter4 = "../../../../creusot-contracts/src/std/iter.rs" 97 0 205 1 + let%span siter5 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span shash_map6 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 73 20 73 54 + let%span shash_map7 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 56 12 66 29 + let%span sfmap8 = "../../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span sseq9 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span sfmap10 = "../../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 + let%span shash_map11 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 199 20 199 24 + let%span shash_map12 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 205 20 205 33 + let%span shash_map13 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 245 20 247 86 + let%span shash_map14 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 78 14 78 45 + let%span shash_map15 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 76 4 76 10 + let%span shash_map16 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 83 15 83 32 + let%span shash_map17 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 84 15 84 32 + let%span shash_map18 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 85 14 85 42 + let%span shash_map19 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 87 8 87 104 + let%span sresolve20 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span smodel21 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sfmap22 = "../../../../creusot-contracts/src/logic/fmap.rs" 139 8 139 34 + let%span sfmap23 = "../../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sfmap24 = "../../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap25 = "../../../../creusot-contracts/src/logic/fmap.rs" 39 14 39 31 + let%span sfmap26 = "../../../../creusot-contracts/src/logic/fmap.rs" 40 14 40 49 + let%span sfmap27 = "../../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 + let%span sfmap28 = "../../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 + let%span sfmap29 = "../../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 + let%span sfmap30 = "../../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'1 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashMap'0 = + { t_HashMap__base'0: t_HashMap'1 } + + predicate inv'0 (_1 : t_HashMap'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_HashMap'0 [inv'0 x] . inv'0 x = true + + predicate into_iter_pre'0 (self : t_HashMap'0) = + [%#shash_map11] true + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'2 = + | C_None'2 + | C_Some'2 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'2; t_RawIntoIter__marker'0: () } + + type t_IntoIter'1 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } + + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } + + type t_FMap'0 + + function view'0 (self : t_HashMap'0) : t_FMap'0 + + function view'2 (self : t_IntoIter'0) : t_FMap'0 + + predicate into_iter_post'0 (self : t_HashMap'0) (res : t_IntoIter'0) = + [%#shash_map12] view'0 self = view'2 res + + let rec into_iter'0 (self:t_HashMap'0) (return' (ret:t_IntoIter'0))= {[@expl:into_iter 'self' type invariant] inv'0 self} + {[@expl:into_iter requires] [%#siter4] into_iter_pre'0 self} + any [ return' (result:t_IntoIter'0)-> {[%#siter4] into_iter_post'0 self result} (! return' {result}) ] + + use prelude.prelude.Snapshot + + predicate inv'1 (_1 : t_IntoIter'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_IntoIter'0 [inv'1 x] . inv'1 x = true + + use prelude.prelude.Borrow + + type t_K'0 + + type t_V'0 + + use seq.Seq + + predicate resolve'0 (_1 : t_IntoIter'0) = + true + + use prelude.prelude.Int + + function len'0 (self : t_FMap'0) : int + + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap23] len'0 self >= 0 + + use seq.Seq + + use seq.Seq + + predicate contains'0 (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) = + [%#sseq9] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + type t_DeepModelTy'0 + + function deep_model'0 (self : t_K'0) : t_DeepModelTy'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 t_V'0 + + type t_Option'1 = + | C_None'1 + | C_Some'1 t_V'0 + + use map.Map + + function view'3 (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) + + axiom view'3_spec : forall self : t_FMap'0 . [%#sfmap30] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'3 m1 <> view'3 m2 + + use map.Map + + function get_unsized'0 [@inline:trivial] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 = + [%#sfmap24] Map.get (view'3 self) k + + function get'0 [@inline:trivial] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 = + [%#sfmap8] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'1 x -> C_Some'0 x + end + + use seq.Seq + + use seq.Seq + + predicate produces'0 (self : t_IntoIter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_IntoIter'0) = + [%#shash_map7] len'0 (view'2 self) = Seq.length visited + len'0 (view'2 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'0 (view'2 self) (deep_model'0 k) = C_Some'0 v /\ get'0 (view'2 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'2 o) k = C_Some'0 v + -> get'0 (view'2 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'2 self) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'0 k1 = k /\ contains'0 visited (k1, v)) \/ get'0 (view'2 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) + + function produces_trans'0 (a : t_IntoIter'0) (ab : Seq.seq (t_K'0, t_V'0)) (b : t_IntoIter'0) (bc : Seq.seq (t_K'0, t_V'0)) (c : t_IntoIter'0) : () + + = + [%#shash_map19] let _ = () in () + + axiom produces_trans'0_spec : forall a : t_IntoIter'0, ab : Seq.seq (t_K'0, t_V'0), b : t_IntoIter'0, bc : Seq.seq (t_K'0, t_V'0), c : t_IntoIter'0 . ([%#shash_map16] produces'0 a ab b) + -> ([%#shash_map17] produces'0 b bc c) -> ([%#shash_map18] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_IntoIter'0) : () = + [%#shash_map15] () + + axiom produces_refl'0_spec : forall self : t_IntoIter'0 . [%#shash_map14] produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self + + predicate resolve'1 (self : borrowed (t_IntoIter'0)) = + [%#sresolve20] self.final = self.current + + function view'1 (self : borrowed (t_IntoIter'0)) : t_FMap'0 = + [%#smodel21] view'2 self.current + + use map.Const + + function empty'0 (_1 : ()) : t_FMap'0 + + axiom empty'0_spec : forall _1 : () . ([%#sfmap25] len'0 (empty'0 _1) = 0) + && ([%#sfmap26] view'3 (empty'0 _1) = Const.const (C_None'1)) + + function ext_eq'0 (self : t_FMap'0) (other : t_FMap'0) : bool = + [%#sfmap29] view'3 self = view'3 other + + axiom ext_eq'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap27] ext_eq'0 self other -> self = other) + && ([%#sfmap28] (forall k : t_DeepModelTy'0 . get_unsized'0 self k = get_unsized'0 other k) -> ext_eq'0 self other) + + function is_empty'0 (self : t_FMap'0) : bool = + [%#sfmap22] ext_eq'0 self (empty'0 ()) + + predicate completed'0 (self : borrowed (t_IntoIter'0)) = + [%#shash_map6] resolve'1 self /\ is_empty'0 (view'1 self) + + predicate from_iter_post'0 (prod : Seq.seq (t_K'0, t_V'0)) (res : t_HashMap'0) = + [%#shash_map13] forall k : t_DeepModelTy'0, v : t_V'0 . (get'0 (view'0 res) k = C_Some'0 v) + = (exists i : int, k1 : t_K'0 . 0 <= i + /\ i < Seq.length prod + /\ deep_model'0 k1 = k + /\ Seq.get prod i = (k1, v) + /\ (forall j : int . i < j /\ j < Seq.length prod -> deep_model'0 (let (a, _) = Seq.get prod j in a) <> k)) + + let rec collect'0 (self:t_IntoIter'0) (return' (ret:t_HashMap'0))= {[@expl:collect 'self' type invariant] inv'1 self} + any + [ return' (result:t_HashMap'0)-> {inv'0 result} + {[%#siter5] exists done' : borrowed (t_IntoIter'0), prod : Seq.seq (t_K'0, t_V'0) . resolve'0 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! return' {result}) ] + + + use prelude.prelude.Snapshot + + function contains'1 [@inline:trivial] (self : t_FMap'0) (k : t_DeepModelTy'0) : bool = + [%#sfmap10] get_unsized'0 self k <> C_None'1 + + use prelude.prelude.Intrinsic + + use prelude.prelude.Snapshot + + meta "compute_max_steps" 1000000 + + let rec roundtrip_hashmap_into_iter'0 (xs:t_HashMap'0) (return' (ret:t_HashMap'0))= (! bb0 + [ bb0 = bb1 + | bb1 = s0 [ s0 = into_iter'0 {xs} (fun (_ret':t_IntoIter'0) -> [ &it <- _ret' ] s1) | s1 = bb2 ] + | bb2 = s0 [ s0 = [ &it0 <- [%#scollections0] Snapshot.new it ] s1 | s1 = bb3 ] + | bb3 = s0 [ s0 = collect'0 {it} (fun (_ret':t_HashMap'0) -> [ &r <- _ret' ] s1) | s1 = bb4 ] + | bb4 = s0 + [ s0 = {[@expl:assertion] [%#scollections1] exists prod : Seq.seq (t_K'0, t_V'0), it1 : borrowed (t_IntoIter'0) . completed'0 it1 + /\ produces'0 (Snapshot.inner it0) prod it1.current + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 r) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'0 k1 = k /\ contains'0 prod (k1, v)))} + s1 + | s1 = bb5 ] + + | bb5 = s0 + [ s0 = {[@expl:assertion] [%#scollections2] forall k : t_DeepModelTy'0 . contains'1 (view'0 r) k + = contains'1 (view'0 xs) k} + s1 + | s1 = bb6 ] + + | bb6 = s0 [ s0 = [ &_0 <- r ] s1 | s1 = bb7 ] + | bb7 = bb8 + | bb8 = bb9 + | bb9 = return' {_0} ] + ) + [ & _0 : t_HashMap'0 = any_l () + | & xs : t_HashMap'0 = xs + | & it : t_IntoIter'0 = any_l () + | & it0 : Snapshot.snap_ty (t_IntoIter'0) = any_l () + | & r : t_HashMap'0 = any_l () ] + + [ return' (result:t_HashMap'0)-> {[@expl:roundtrip_hashmap_into_iter ensures] [%#scollections3] view'0 result + = view'0 xs} + (! return' {result}) ] + +end +module M_collections__roundtrip_hashmap_iter [#"collections.rs" 32 0 32 97] + let%span scollections0 = "collections.rs" 34 14 34 30 + let%span scollections1 = "collections.rs" 38 4 41 77 + let%span scollections2 = "collections.rs" 31 10 31 98 + let%span shash_map3 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 23 0 37 1 + let%span siter4 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span shash_map5 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 125 20 125 54 + let%span shash_map6 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 108 12 118 29 + let%span sfmap7 = "../../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span smodel8 = "../../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq9 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span smodel10 = "../../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span shash_map11 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 245 20 247 86 + let%span shash_map12 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 130 14 130 45 + let%span shash_map13 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 128 4 128 10 + let%span shash_map14 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 135 15 135 32 + let%span shash_map15 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 136 15 136 32 + let%span shash_map16 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 137 14 137 42 + let%span shash_map17 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 139 8 139 104 + let%span sresolve18 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span smodel19 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sfmap20 = "../../../../creusot-contracts/src/logic/fmap.rs" 139 8 139 34 + let%span sfmap21 = "../../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sfmap22 = "../../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap23 = "../../../../creusot-contracts/src/logic/fmap.rs" 39 14 39 31 + let%span sfmap24 = "../../../../creusot-contracts/src/logic/fmap.rs" 40 14 40 49 + let%span sfmap25 = "../../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 + let%span sfmap26 = "../../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 + let%span sfmap27 = "../../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 + let%span sfmap28 = "../../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + + use prelude.prelude.Borrow + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'1 = + { t_RawTable__table'1: t_RawTableInner'0; t_RawTable__alloc'1: (); t_RawTable__marker'1: () } + + type t_HashMap'3 = + { t_HashMap__hash_builder'1: t_RandomState'0; t_HashMap__table'1: t_RawTable'1 } + + type t_HashMap'1 = + { t_HashMap__base'1: t_HashMap'3 } + + predicate inv'0 (_1 : t_HashMap'1) + + axiom inv_axiom'0 [@rewrite] : forall x : t_HashMap'1 [inv'0 x] . inv'0 x = true + + type t_FMap'1 + + function view'4 (self : t_HashMap'1) : t_FMap'1 + + function view'1 (self : t_HashMap'1) : t_FMap'1 = + [%#smodel10] view'4 self + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_Iter'1 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } + + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } + + function view'2 (self : t_Iter'0) : t_FMap'1 + + let rec iter'0 (self:t_HashMap'1) (return' (ret:t_Iter'0))= {[@expl:iter 'self' type invariant] inv'0 self} + any [ return' (result:t_Iter'0)-> {[%#shash_map3] view'1 self = view'2 result} (! return' {result}) ] + + use prelude.prelude.Snapshot + + predicate inv'1 (_1 : t_Iter'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Iter'0 [inv'1 x] . inv'1 x = true + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'2 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashMap'0 = + { t_HashMap__base'0: t_HashMap'2 } + + predicate inv'2 (_1 : t_HashMap'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_HashMap'0 [inv'2 x] . inv'2 x = true + + type t_K'0 + + type t_V'0 + + use seq.Seq + + predicate resolve'0 (_1 : t_Iter'0) = + true + + use prelude.prelude.Int + + function len'0 (self : t_FMap'1) : int + + axiom len'0_spec : forall self : t_FMap'1 . [%#sfmap21] len'0 self >= 0 + + use seq.Seq + + use seq.Seq + + predicate contains'0 (self : Seq.seq (t_K'0, t_V'0)) (x : (t_K'0, t_V'0)) = + [%#sseq9] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + type t_DeepModelTy'0 + + function deep_model'1 (self : t_K'0) : t_DeepModelTy'0 + + function deep_model'0 (self : t_K'0) : t_DeepModelTy'0 = + [%#smodel8] deep_model'1 self + + type t_Option'2 = + | C_None'0 + | C_Some'1 t_V'0 + + type t_Option'3 = + | C_None'3 + | C_Some'3 t_V'0 + + use map.Map + + function view'6 (self : t_FMap'1) : Map.map t_DeepModelTy'0 (t_Option'3) + + axiom view'6_spec : forall self : t_FMap'1 . [%#sfmap28] forall m1 : t_FMap'1, m2 : t_FMap'1 . m1 <> m2 + -> view'6 m1 <> view'6 m2 + + use map.Map + + function get_unsized'1 [@inline:trivial] (self : t_FMap'1) (k : t_DeepModelTy'0) : t_Option'3 = + [%#sfmap22] Map.get (view'6 self) k + + function get'1 [@inline:trivial] (self : t_FMap'1) (k : t_DeepModelTy'0) : t_Option'2 = + [%#sfmap7] match get_unsized'1 self k with + | C_None'3 -> C_None'0 + | C_Some'3 x -> C_Some'1 x + end + + use seq.Seq + + use seq.Seq + + predicate produces'0 (self : t_Iter'0) (visited : Seq.seq (t_K'0, t_V'0)) (o : t_Iter'0) = + [%#shash_map6] len'0 (view'2 self) = Seq.length visited + len'0 (view'2 o) + /\ (forall k : t_K'0, v : t_V'0 . contains'0 visited (k, v) + -> get'1 (view'2 self) (deep_model'0 k) = C_Some'1 v /\ get'1 (view'2 o) (deep_model'0 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'1 (view'2 o) k = C_Some'1 v + -> get'1 (view'2 self) k = C_Some'1 v + /\ not (exists k2 : t_K'0, v2 : t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'1 (view'2 self) k = C_Some'1 v + -> (exists k2 : t_K'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v)) \/ get'1 (view'2 o) k = C_Some'1 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) + + function produces_trans'0 (a : t_Iter'0) (ab : Seq.seq (t_K'0, t_V'0)) (b : t_Iter'0) (bc : Seq.seq (t_K'0, t_V'0)) (c : t_Iter'0) : () + + = + [%#shash_map17] let _ = () in () + + axiom produces_trans'0_spec : forall a : t_Iter'0, ab : Seq.seq (t_K'0, t_V'0), b : t_Iter'0, bc : Seq.seq (t_K'0, t_V'0), c : t_Iter'0 . ([%#shash_map14] produces'0 a ab b) + -> ([%#shash_map15] produces'0 b bc c) -> ([%#shash_map16] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_Iter'0) : () = + [%#shash_map13] () + + axiom produces_refl'0_spec : forall self : t_Iter'0 . [%#shash_map12] produces'0 self (Seq.empty : Seq.seq (t_K'0, t_V'0)) self + + predicate resolve'1 (self : borrowed (t_Iter'0)) = + [%#sresolve18] self.final = self.current + + function view'3 (self : borrowed (t_Iter'0)) : t_FMap'1 = + [%#smodel19] view'2 self.current + + use map.Const + + function empty'0 (_1 : ()) : t_FMap'1 + + axiom empty'0_spec : forall _1 : () . ([%#sfmap23] len'0 (empty'0 _1) = 0) + && ([%#sfmap24] view'6 (empty'0 _1) = Const.const (C_None'3)) + + function ext_eq'0 (self : t_FMap'1) (other : t_FMap'1) : bool = + [%#sfmap27] view'6 self = view'6 other + + axiom ext_eq'0_spec : forall self : t_FMap'1, other : t_FMap'1 . ([%#sfmap25] ext_eq'0 self other -> self = other) + && ([%#sfmap26] (forall k : t_DeepModelTy'0 . get_unsized'1 self k = get_unsized'1 other k) -> ext_eq'0 self other) + + function is_empty'0 (self : t_FMap'1) : bool = + [%#sfmap20] ext_eq'0 self (empty'0 ()) + + predicate completed'0 (self : borrowed (t_Iter'0)) = + [%#shash_map5] resolve'1 self /\ is_empty'0 (view'3 self) + + type t_FMap'0 + + function view'0 (self : t_HashMap'0) : t_FMap'0 + + type t_Option'0 = + | C_None'2 + | C_Some'0 t_V'0 + + type t_Option'1 = + | C_None'1 + | C_Some'2 t_V'0 + + use map.Map + + function view'5 (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) + + axiom view'5_spec : forall self : t_FMap'0 . [%#sfmap28] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'5 m1 <> view'5 m2 + + use map.Map + + function get_unsized'0 [@inline:trivial] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 = + [%#sfmap22] Map.get (view'5 self) k + + function get'0 [@inline:trivial] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 = + [%#sfmap7] match get_unsized'0 self k with + | C_None'1 -> C_None'2 + | C_Some'2 x -> C_Some'0 x + end + + predicate from_iter_post'0 (prod : Seq.seq (t_K'0, t_V'0)) (res : t_HashMap'0) = + [%#shash_map11] forall k : t_DeepModelTy'0, v : t_V'0 . (get'0 (view'0 res) k = C_Some'0 v) + = (exists i : int, k1 : t_K'0 . 0 <= i + /\ i < Seq.length prod + /\ deep_model'0 k1 = k + /\ Seq.get prod i = (k1, v) + /\ (forall j : int . i < j /\ j < Seq.length prod -> deep_model'0 (let (a, _) = Seq.get prod j in a) <> k)) + + let rec collect'0 (self:t_Iter'0) (return' (ret:t_HashMap'0))= {[@expl:collect 'self' type invariant] inv'1 self} + any + [ return' (result:t_HashMap'0)-> {inv'2 result} + {[%#siter4] exists done' : borrowed (t_Iter'0), prod : Seq.seq (t_K'0, t_V'0) . resolve'0 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! return' {result}) ] + + + use prelude.prelude.Snapshot + + use prelude.prelude.Intrinsic + + use prelude.prelude.Snapshot + + meta "compute_max_steps" 1000000 + + let rec roundtrip_hashmap_iter'0 (xs:t_HashMap'1) (return' (ret:t_HashMap'0))= (! bb0 + [ bb0 = s0 [ s0 = iter'0 {xs} (fun (_ret':t_Iter'0) -> [ &it <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = [ &it0 <- [%#scollections0] Snapshot.new it ] s1 | s1 = bb2 ] + | bb2 = s0 [ s0 = collect'0 {it} (fun (_ret':t_HashMap'0) -> [ &r <- _ret' ] s1) | s1 = bb3 ] + | bb3 = s0 + [ s0 = {[@expl:assertion] [%#scollections1] exists prod : Seq.seq (t_K'0, t_V'0), it1 : borrowed (t_Iter'0) . completed'0 it1 + /\ produces'0 (Snapshot.inner it0) prod it1.current + /\ (forall k : t_DeepModelTy'0, v : t_V'0 . get'0 (view'0 r) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'0 k1 = k /\ contains'0 prod (k1, v)))} + s1 + | s1 = bb4 ] + + | bb4 = s0 [ s0 = [ &_0 <- r ] s1 | s1 = bb5 ] + | bb5 = return' {_0} ] + ) + [ & _0 : t_HashMap'0 = any_l () + | & xs : t_HashMap'1 = xs + | & it : t_Iter'0 = any_l () + | & it0 : Snapshot.snap_ty (t_Iter'0) = any_l () + | & r : t_HashMap'0 = any_l () ] + + [ return' (result:t_HashMap'0)-> {[@expl:roundtrip_hashmap_iter ensures] [%#scollections2] forall k : t_DeepModelTy'0, v : t_V'0 . (get'0 (view'0 result) k + = C_Some'0 v) + = (get'1 (view'1 xs) k = C_Some'1 v)} + (! return' {result}) ] + +end +module M_collections__roundtrip_hashmap_iter_mut [#"collections.rs" 48 0 50 24] + let%span scollections0 = "collections.rs" 52 14 52 30 + let%span scollections1 = "collections.rs" 55 8 58 81 + let%span scollections2 = "collections.rs" 45 10 45 128 + let%span scollections3 = "collections.rs" 46 10 46 107 + let%span scollections4 = "collections.rs" 47 10 47 110 + let%span shash_map5 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 23 0 37 1 + let%span siter6 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span shash_map7 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 177 20 177 54 + let%span shash_map8 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 160 12 170 29 + let%span sfmap9 = "../../../../creusot-contracts/src/logic/fmap.rs" 92 8 95 9 + let%span smodel10 = "../../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq11 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span smodel12 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span sfmap13 = "../../../../creusot-contracts/src/logic/fmap.rs" 132 8 132 35 + let%span sfmap14 = "../../../../creusot-contracts/src/logic/fmap.rs" 228 8 228 24 + let%span shash_map15 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 233 20 235 112 + let%span shash_map16 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 245 20 247 86 + let%span shash_map17 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 182 14 182 45 + let%span shash_map18 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 180 4 180 10 + let%span shash_map19 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 187 15 187 32 + let%span shash_map20 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 188 15 188 32 + let%span shash_map21 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 189 14 189 42 + let%span shash_map22 = "../../../../creusot-contracts/src/std/collections/hash_map.rs" 191 8 191 104 + let%span sresolve23 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span sfmap24 = "../../../../creusot-contracts/src/logic/fmap.rs" 139 8 139 34 + let%span sfmap25 = "../../../../creusot-contracts/src/logic/fmap.rs" 48 14 48 25 + let%span sfmap26 = "../../../../creusot-contracts/src/logic/fmap.rs" 103 8 103 26 + let%span sfmap27 = "../../../../creusot-contracts/src/logic/fmap.rs" 116 9 116 31 + let%span sfmap28 = "../../../../creusot-contracts/src/logic/fmap.rs" 39 14 39 31 + let%span sfmap29 = "../../../../creusot-contracts/src/logic/fmap.rs" 40 14 40 49 + let%span sfmap30 = "../../../../creusot-contracts/src/logic/fmap.rs" 214 14 214 38 + let%span sfmap31 = "../../../../creusot-contracts/src/logic/fmap.rs" 215 14 215 83 + let%span sfmap32 = "../../../../creusot-contracts/src/logic/fmap.rs" 217 8 217 35 + let%span sfmap33 = "../../../../creusot-contracts/src/logic/fmap.rs" 58 14 58 86 + let%span sfmap34 = "../../../../creusot-contracts/src/logic/fmap.rs" 124 8 124 35 + let%span sutil35 = "../../../../creusot-contracts/src/util.rs" 55 11 55 21 + let%span sutil36 = "../../../../creusot-contracts/src/util.rs" 56 10 56 28 + + use prelude.prelude.Borrow + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'2 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashMap'0 = + { t_HashMap__base'0: t_HashMap'2 } + + predicate inv'0 (_1 : borrowed (t_HashMap'0)) + + axiom inv_axiom'0 [@rewrite] : forall x : borrowed (t_HashMap'0) [inv'0 x] . inv'0 x = true + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_IterMut'1 = + { t_IterMut__inner'0: t_RawIter'0; t_IterMut__marker'0: () } + + type t_IterMut'0 = + { t_IterMut__base'0: t_IterMut'1 } + + type t_DeepModelTy'0 + + type t_FMap'1 + + function view'2 (self : t_HashMap'0) : t_FMap'1 + + type t_V'0 + + type t_Option'3 = + | C_None'2 + | C_Some'3 t_V'0 + + use map.Map + + function view'6 (self : t_FMap'1) : Map.map t_DeepModelTy'0 (t_Option'3) + + axiom view'6_spec : forall self : t_FMap'1 . [%#sfmap33] forall m1 : t_FMap'1, m2 : t_FMap'1 . m1 <> m2 + -> view'6 m1 <> view'6 m2 + + use map.Map + + function get_unsized'1 [@inline:trivial] (self : t_FMap'1) (k : t_DeepModelTy'0) : t_Option'3 = + [%#sfmap26] Map.get (view'6 self) k + + function contains'2 [@inline:trivial] (self : t_FMap'1) (k : t_DeepModelTy'0) : bool = + [%#sfmap13] get_unsized'1 self k <> C_None'2 + + type t_FMap'0 + + function view'4 (self : t_IterMut'0) : t_FMap'0 + + type t_Option'1 = + | C_None'1 + | C_Some'2 (borrowed t_V'0) + + use map.Map + + function view'5 (self : t_FMap'0) : Map.map t_DeepModelTy'0 (t_Option'1) + + axiom view'5_spec : forall self : t_FMap'0 . [%#sfmap33] forall m1 : t_FMap'0, m2 : t_FMap'0 . m1 <> m2 + -> view'5 m1 <> view'5 m2 + + use map.Map + + function get_unsized'0 [@inline:trivial] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'1 = + [%#sfmap26] Map.get (view'5 self) k + + function contains'1 [@inline:trivial] (self : t_FMap'0) (k : t_DeepModelTy'0) : bool = + [%#sfmap13] get_unsized'0 self k <> C_None'1 + + function unwrap'1 (op : t_Option'3) : t_V'0 + + axiom unwrap'1_spec : forall op : t_Option'3 . ([%#sutil35] op <> C_None'2) + -> ([%#sutil36] C_Some'3 (unwrap'1 op) = op) + + function lookup_unsized'1 [@inline:trivial] (self : t_FMap'1) (k : t_DeepModelTy'0) : t_V'0 = + [%#sfmap34] unwrap'1 (get_unsized'1 self k) + + function lookup'1 [@inline:trivial] (self : t_FMap'1) (k : t_DeepModelTy'0) : t_V'0 = + [%#sfmap27] lookup_unsized'1 self k + + function index_logic'1 [@inline:trivial] (self : t_FMap'1) (key : t_DeepModelTy'0) : t_V'0 = + [%#sfmap14] lookup'1 self key + + function unwrap'0 (op : t_Option'1) : borrowed t_V'0 + + axiom unwrap'0_spec : forall op : t_Option'1 . ([%#sutil35] op <> C_None'1) + -> ([%#sutil36] C_Some'2 (unwrap'0 op) = op) + + function lookup_unsized'0 [@inline:trivial] (self : t_FMap'0) (k : t_DeepModelTy'0) : borrowed t_V'0 = + [%#sfmap34] unwrap'0 (get_unsized'0 self k) + + function lookup'0 [@inline:trivial] (self : t_FMap'0) (k : t_DeepModelTy'0) : borrowed t_V'0 = + [%#sfmap27] lookup_unsized'0 self k + + function index_logic'0 [@inline:trivial] (self : t_FMap'0) (key : t_DeepModelTy'0) : borrowed t_V'0 = + [%#sfmap14] lookup'0 self key + + predicate into_iter_post'0 (self : borrowed (t_HashMap'0)) (res : t_IterMut'0) = + [%#shash_map15] forall k : t_DeepModelTy'0 . contains'2 (view'2 self.current) k = contains'2 (view'2 self.final) k + /\ (forall k : t_DeepModelTy'0 . contains'2 (view'2 self.current) k = contains'1 (view'4 res) k) + /\ (forall k : t_DeepModelTy'0 . contains'2 (view'2 self.current) k + -> index_logic'1 (view'2 self.current) k = (index_logic'0 (view'4 res) k).current + /\ index_logic'1 (view'2 self.final) k = (index_logic'0 (view'4 res) k).final) + + let rec iter_mut'0 (self:borrowed (t_HashMap'0)) (return' (ret:t_IterMut'0))= {[@expl:iter_mut 'self' type invariant] inv'0 self} + any [ return' (result:t_IterMut'0)-> {[%#shash_map5] into_iter_post'0 self result} (! return' {result}) ] + + use prelude.prelude.Snapshot + + predicate inv'1 (_1 : t_IterMut'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_IterMut'0 [inv'1 x] . inv'1 x = true + + type t_RawTable'1 = + { t_RawTable__table'1: t_RawTableInner'0; t_RawTable__alloc'1: (); t_RawTable__marker'1: () } + + type t_HashMap'3 = + { t_HashMap__hash_builder'1: t_RandomState'0; t_HashMap__table'1: t_RawTable'1 } + + type t_HashMap'1 = + { t_HashMap__base'1: t_HashMap'3 } + + predicate inv'2 (_1 : t_HashMap'1) + + axiom inv_axiom'2 [@rewrite] : forall x : t_HashMap'1 [inv'2 x] . inv'2 x = true + + type t_K'0 + + use seq.Seq + + predicate resolve'1 (_1 : t_IterMut'0) = + true + + use prelude.prelude.Int + + function len'0 (self : t_FMap'0) : int + + axiom len'0_spec : forall self : t_FMap'0 . [%#sfmap25] len'0 self >= 0 + + use seq.Seq + + use seq.Seq + + predicate contains'0 (self : Seq.seq (t_K'0, borrowed t_V'0)) (x : (t_K'0, borrowed t_V'0)) = + [%#sseq11] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + function deep_model'1 (self : t_K'0) : t_DeepModelTy'0 + + type t_Option'0 = + | C_None'0 + | C_Some'0 (borrowed t_V'0) + + function get'0 [@inline:trivial] (self : t_FMap'0) (k : t_DeepModelTy'0) : t_Option'0 = + [%#sfmap9] match get_unsized'0 self k with + | C_None'1 -> C_None'0 + | C_Some'2 x -> C_Some'0 x + end + + function deep_model'0 (self : t_K'0) : t_DeepModelTy'0 = + [%#smodel10] deep_model'1 self + + use seq.Seq + + use seq.Seq + + predicate produces'0 (self : t_IterMut'0) (visited : Seq.seq (t_K'0, borrowed t_V'0)) (o : t_IterMut'0) = + [%#shash_map8] len'0 (view'4 self) = Seq.length visited + len'0 (view'4 o) + /\ (forall k : t_K'0, v : borrowed t_V'0 . contains'0 visited (k, v) + -> get'0 (view'4 self) (deep_model'1 k) = C_Some'0 v /\ get'0 (view'4 o) (deep_model'1 k) = C_None'0) + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'4 o) k = C_Some'0 v + -> get'0 (view'4 self) k = C_Some'0 v + /\ not (exists k2 : t_K'0, v2 : borrowed t_V'0 . deep_model'0 k2 = k /\ contains'0 visited (k2, v2))) + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'4 self) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'0 k1 = k /\ contains'0 visited (k1, v)) \/ get'0 (view'4 o) k = C_Some'0 v) + /\ (forall i1 : int, i2 : int . 0 <= i1 + /\ i1 < Seq.length visited + /\ 0 <= i2 + /\ i2 < Seq.length visited + /\ deep_model'0 (let (a, _) = Seq.get visited i1 in a) = deep_model'0 (let (a, _) = Seq.get visited i2 in a) + -> i1 = i2) + + function produces_trans'0 (a : t_IterMut'0) (ab : Seq.seq (t_K'0, borrowed t_V'0)) (b : t_IterMut'0) (bc : Seq.seq (t_K'0, borrowed t_V'0)) (c : t_IterMut'0) : () + + = + [%#shash_map22] let _ = () in () + + axiom produces_trans'0_spec : forall a : t_IterMut'0, ab : Seq.seq (t_K'0, borrowed t_V'0), b : t_IterMut'0, bc : Seq.seq (t_K'0, borrowed t_V'0), c : t_IterMut'0 . ([%#shash_map19] produces'0 a ab b) + -> ([%#shash_map20] produces'0 b bc c) -> ([%#shash_map21] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_IterMut'0) : () = + [%#shash_map18] () + + axiom produces_refl'0_spec : forall self : t_IterMut'0 . [%#shash_map17] produces'0 self (Seq.empty : Seq.seq (t_K'0, borrowed t_V'0)) self + + predicate resolve'2 (self : borrowed (t_IterMut'0)) = + [%#sresolve23] self.final = self.current + + function view'3 (self : borrowed (t_IterMut'0)) : t_FMap'0 = + [%#smodel12] view'4 self.current + + use map.Const + + function empty'0 (_1 : ()) : t_FMap'0 + + axiom empty'0_spec : forall _1 : () . ([%#sfmap28] len'0 (empty'0 _1) = 0) + && ([%#sfmap29] view'5 (empty'0 _1) = Const.const (C_None'1)) + + function ext_eq'0 (self : t_FMap'0) (other : t_FMap'0) : bool = + [%#sfmap32] view'5 self = view'5 other + + axiom ext_eq'0_spec : forall self : t_FMap'0, other : t_FMap'0 . ([%#sfmap30] ext_eq'0 self other -> self = other) + && ([%#sfmap31] (forall k : t_DeepModelTy'0 . get_unsized'0 self k = get_unsized'0 other k) -> ext_eq'0 self other) + + function is_empty'0 (self : t_FMap'0) : bool = + [%#sfmap24] ext_eq'0 self (empty'0 ()) + + predicate completed'0 (self : borrowed (t_IterMut'0)) = + [%#shash_map7] resolve'2 self /\ is_empty'0 (view'3 self) + + function view'0 (self : t_HashMap'1) : t_FMap'0 + + predicate from_iter_post'0 (prod : Seq.seq (t_K'0, borrowed t_V'0)) (res : t_HashMap'1) = + [%#shash_map16] forall k : t_DeepModelTy'0, v : borrowed t_V'0 . (get'0 (view'0 res) k = C_Some'0 v) + = (exists i : int, k1 : t_K'0 . 0 <= i + /\ i < Seq.length prod + /\ deep_model'0 k1 = k + /\ Seq.get prod i = (k1, v) + /\ (forall j : int . i < j /\ j < Seq.length prod -> deep_model'0 (let (a, _) = Seq.get prod j in a) <> k)) + + let rec collect'0 (self:t_IterMut'0) (return' (ret:t_HashMap'1))= {[@expl:collect 'self' type invariant] inv'1 self} + any + [ return' (result:t_HashMap'1)-> {inv'2 result} + {[%#siter6] exists done' : borrowed (t_IterMut'0), prod : Seq.seq (t_K'0, borrowed t_V'0) . resolve'1 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! return' {result}) ] + + + use prelude.prelude.Snapshot + + predicate resolve'3 (self : borrowed (t_HashMap'0)) = + [%#sresolve23] self.final = self.current + + predicate resolve'0 (_1 : borrowed (t_HashMap'0)) = + resolve'3 _1 + + use prelude.prelude.Intrinsic + + use prelude.prelude.Snapshot + + function view'1 (self : borrowed (t_HashMap'0)) : t_FMap'1 = + [%#smodel12] view'2 self.current + + type t_Option'2 = + | C_None'3 + | C_Some'1 t_V'0 + + function get'1 [@inline:trivial] (self : t_FMap'1) (k : t_DeepModelTy'0) : t_Option'2 = + [%#sfmap9] match get_unsized'1 self k with + | C_None'2 -> C_None'3 + | C_Some'3 x -> C_Some'1 x + end + + meta "compute_max_steps" 1000000 + + let rec roundtrip_hashmap_iter_mut'0 (xs:borrowed (t_HashMap'0)) (return' (ret:t_HashMap'1))= (! bb0 + [ bb0 = s0 + [ s0 = Borrow.borrow_final {xs.current} {Borrow.get_id xs} + (fun (_ret':borrowed (t_HashMap'0)) -> [ &_6 <- _ret' ] [ &xs <- { xs with current = _ret'.final } ] s1) + | s1 = iter_mut'0 {_6} (fun (_ret':t_IterMut'0) -> [ &it <- _ret' ] s2) + | s2 = bb1 ] + + | bb1 = s0 [ s0 = [ &it0 <- [%#scollections0] Snapshot.new it ] s1 | s1 = bb2 ] + | bb2 = s0 [ s0 = collect'0 {it} (fun (_ret':t_HashMap'1) -> [ &r <- _ret' ] s1) | s1 = bb3 ] + | bb3 = s0 + [ s0 = {[@expl:assertion] [%#scollections1] exists prod : Seq.seq (t_K'0, borrowed t_V'0), it1 : borrowed (t_IterMut'0) . completed'0 it1 + /\ produces'0 (Snapshot.inner it0) prod it1.current + /\ (forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'0 r) k = C_Some'0 v + -> (exists k1 : t_K'0 . deep_model'0 k1 = k /\ contains'0 prod (k1, v)))} + s1 + | s1 = bb4 ] + + | bb4 = s0 [ s0 = [ &_0 <- r ] s1 | s1 = bb5 ] + | bb5 = s0 [ s0 = -{resolve'0 xs}- s1 | s1 = return' {_0} ] ] + ) + [ & _0 : t_HashMap'1 = any_l () + | & xs : borrowed (t_HashMap'0) = xs + | & it : t_IterMut'0 = any_l () + | & _6 : borrowed (t_HashMap'0) = any_l () + | & it0 : Snapshot.snap_ty (t_IterMut'0) = any_l () + | & r : t_HashMap'1 = any_l () ] + + [ return' (result:t_HashMap'1)-> {[@expl:roundtrip_hashmap_iter_mut ensures #0] [%#scollections2] forall k : t_DeepModelTy'0, v : borrowed t_V'0 . get'0 (view'0 result) k + = C_Some'0 v -> get'1 (view'1 xs) k = C_Some'1 (v.current) /\ get'1 (view'2 xs.final) k = C_Some'1 (v.final)} + {[@expl:roundtrip_hashmap_iter_mut ensures #1] [%#scollections3] forall k : t_DeepModelTy'0, v : t_V'0 . get'1 (view'1 xs) k + = C_Some'1 v -> contains'1 (view'0 result) k /\ (index_logic'0 (view'0 result) k).current = v} + {[@expl:roundtrip_hashmap_iter_mut ensures #2] [%#scollections4] forall k : t_DeepModelTy'0, v : t_V'0 . get'1 (view'2 xs.final) k + = C_Some'1 v -> contains'1 (view'0 result) k /\ (index_logic'0 (view'0 result) k).final = v} + (! return' {result}) ] + +end +module M_collections__roundtrip_hashset_into_iter [#"collections.rs" 64 0 64 90] + let%span scollections0 = "collections.rs" 63 10 63 24 + let%span siter1 = "../../../../creusot-contracts/src/std/iter.rs" 97 0 205 1 + let%span siter2 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span shash_set3 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 157 20 157 24 + let%span shash_set4 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 163 20 163 33 + let%span shash_set5 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 96 20 96 38 + let%span shash_set6 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 90 8 90 38 + let%span shash_set7 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 185 20 185 121 + let%span shash_set8 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 101 14 101 45 + let%span shash_set9 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 99 4 99 10 + let%span shash_set10 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 106 15 106 32 + let%span shash_set11 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 107 15 107 32 + let%span shash_set12 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 108 14 108 42 + let%span shash_set13 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 110 8 110 43 + let%span smodel14 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span shash_set15 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset16 = "../../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq17 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span shash_set18 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 71 11 71 33 + let%span shash_set19 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 72 11 72 33 + let%span shash_set20 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 73 10 73 43 + let%span shash_set21 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 81 4 81 31 + let%span sseq22 = "../../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq23 = "../../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } + + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } + + predicate inv'0 (_1 : t_HashSet'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_HashSet'0 [inv'0 x] . inv'0 x = true + + predicate into_iter_pre'0 (self : t_HashSet'0) = + [%#shash_set3] true + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_AlignmentEnum'0 = + | C_qy95zAlign1Shl0'0 + | C_qy95zAlign1Shl1'0 + | C_qy95zAlign1Shl2'0 + | C_qy95zAlign1Shl3'0 + | C_qy95zAlign1Shl4'0 + | C_qy95zAlign1Shl5'0 + | C_qy95zAlign1Shl6'0 + | C_qy95zAlign1Shl7'0 + | C_qy95zAlign1Shl8'0 + | C_qy95zAlign1Shl9'0 + | C_qy95zAlign1Shl10'0 + | C_qy95zAlign1Shl11'0 + | C_qy95zAlign1Shl12'0 + | C_qy95zAlign1Shl13'0 + | C_qy95zAlign1Shl14'0 + | C_qy95zAlign1Shl15'0 + | C_qy95zAlign1Shl16'0 + | C_qy95zAlign1Shl17'0 + | C_qy95zAlign1Shl18'0 + | C_qy95zAlign1Shl19'0 + | C_qy95zAlign1Shl20'0 + | C_qy95zAlign1Shl21'0 + | C_qy95zAlign1Shl22'0 + | C_qy95zAlign1Shl23'0 + | C_qy95zAlign1Shl24'0 + | C_qy95zAlign1Shl25'0 + | C_qy95zAlign1Shl26'0 + | C_qy95zAlign1Shl27'0 + | C_qy95zAlign1Shl28'0 + | C_qy95zAlign1Shl29'0 + | C_qy95zAlign1Shl30'0 + | C_qy95zAlign1Shl31'0 + | C_qy95zAlign1Shl32'0 + | C_qy95zAlign1Shl33'0 + | C_qy95zAlign1Shl34'0 + | C_qy95zAlign1Shl35'0 + | C_qy95zAlign1Shl36'0 + | C_qy95zAlign1Shl37'0 + | C_qy95zAlign1Shl38'0 + | C_qy95zAlign1Shl39'0 + | C_qy95zAlign1Shl40'0 + | C_qy95zAlign1Shl41'0 + | C_qy95zAlign1Shl42'0 + | C_qy95zAlign1Shl43'0 + | C_qy95zAlign1Shl44'0 + | C_qy95zAlign1Shl45'0 + | C_qy95zAlign1Shl46'0 + | C_qy95zAlign1Shl47'0 + | C_qy95zAlign1Shl48'0 + | C_qy95zAlign1Shl49'0 + | C_qy95zAlign1Shl50'0 + | C_qy95zAlign1Shl51'0 + | C_qy95zAlign1Shl52'0 + | C_qy95zAlign1Shl53'0 + | C_qy95zAlign1Shl54'0 + | C_qy95zAlign1Shl55'0 + | C_qy95zAlign1Shl56'0 + | C_qy95zAlign1Shl57'0 + | C_qy95zAlign1Shl58'0 + | C_qy95zAlign1Shl59'0 + | C_qy95zAlign1Shl60'0 + | C_qy95zAlign1Shl61'0 + | C_qy95zAlign1Shl62'0 + | C_qy95zAlign1Shl63'0 + + type t_Alignment'0 = + { t_Alignment__0'0: t_AlignmentEnum'0 } + + type t_Layout'0 = + { t_Layout__size'0: usize; t_Layout__align'0: t_Alignment'0 } + + type t_Option'0 = + | C_None'0 + | C_Some'0 (t_NonNull'0, t_Layout'0, ()) + + type t_RawIntoIter'0 = + { t_RawIntoIter__iter'0: t_RawIter'0; t_RawIntoIter__allocation'0: t_Option'0; t_RawIntoIter__marker'0: () } + + type t_IntoIter'2 = + { t_IntoIter__inner'0: t_RawIntoIter'0 } + + type t_IntoIter'1 = + { t_IntoIter__iter'0: t_IntoIter'2 } + + type t_IntoIter'0 = + { t_IntoIter__base'0: t_IntoIter'1 } + + type t_DeepModelTy'0 + + use set.Fset + + function view'0 (self : t_HashSet'0) : Fset.fset t_DeepModelTy'0 + + function view'1 (self : t_IntoIter'0) : Fset.fset t_DeepModelTy'0 + + predicate into_iter_post'0 (self : t_HashSet'0) (res : t_IntoIter'0) = + [%#shash_set4] view'0 self = view'1 res + + let rec into_iter'0 (self:t_HashSet'0) (return' (ret:t_IntoIter'0))= {[@expl:into_iter 'self' type invariant] inv'0 self} + {[@expl:into_iter requires] [%#siter1] into_iter_pre'0 self} + any [ return' (result:t_IntoIter'0)-> {[%#siter1] into_iter_post'0 self result} (! return' {result}) ] + + predicate inv'1 (_1 : t_IntoIter'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_IntoIter'0 [inv'1 x] . inv'1 x = true + + use prelude.prelude.Borrow + + type t_T'0 + + use seq.Seq + + predicate resolve'0 (_1 : t_IntoIter'0) = + true + + use set.Fset + + use seq.Seq + + use prelude.prelude.Int + + use set.Fset + + predicate contains'0 [@inline:trivial] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) = + [%#sfset16] Fset.mem e self + + function deep_model'0 (self : t_T'0) : t_DeepModelTy'0 + + use seq.Seq + + predicate contains'1 (self : Seq.seq t_T'0) (x : t_T'0) = + [%#sseq17] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate set_produces'0 (start : t_IntoIter'0) (visited : Seq.seq t_T'0) (end' : t_IntoIter'0) = + [%#shash_set15] Fset.cardinal (view'1 start) = Seq.length visited + Fset.cardinal (view'1 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'1 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'1 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'1 start) (deep_model'0 x) /\ not contains'0 (view'1 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'1 end') x + -> contains'0 (view'1 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) + + use seq.Seq + + function concat_contains'0 (_1 : ()) : () = + [%#sseq23] () + + axiom concat_contains'0_spec : forall _1 : () . [%#sseq22] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'1 (Seq.(++) a b) x + = contains'1 a x + \/ contains'1 b x + + function set_produces_trans'0 (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () + + = + [%#shash_set21] let _ = concat_contains'0 () in let _ = let _ = () in () in let _ = let _ = () in () in () + + axiom set_produces_trans'0_spec : forall a : t_IntoIter'0, ab : Seq.seq t_T'0, b : t_IntoIter'0, bc : Seq.seq t_T'0, c : t_IntoIter'0 . ([%#shash_set18] set_produces'0 a ab b) + -> ([%#shash_set19] set_produces'0 b bc c) -> ([%#shash_set20] set_produces'0 a (Seq.(++) ab bc) c) + + use seq.Seq + + predicate produces'0 (self : t_IntoIter'0) (visited : Seq.seq t_T'0) (o : t_IntoIter'0) = + [%#shash_set6] set_produces'0 self visited o + + function produces_trans'0 (a : t_IntoIter'0) (ab : Seq.seq t_T'0) (b : t_IntoIter'0) (bc : Seq.seq t_T'0) (c : t_IntoIter'0) : () + + = + [%#shash_set13] let _ = set_produces_trans'0 a ab b bc c in () + + axiom produces_trans'0_spec : forall a : t_IntoIter'0, ab : Seq.seq t_T'0, b : t_IntoIter'0, bc : Seq.seq t_T'0, c : t_IntoIter'0 . ([%#shash_set10] produces'0 a ab b) + -> ([%#shash_set11] produces'0 b bc c) -> ([%#shash_set12] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_IntoIter'0) : () = + [%#shash_set9] () + + axiom produces_refl'0_spec : forall self : t_IntoIter'0 . [%#shash_set8] produces'0 self (Seq.empty : Seq.seq t_T'0) self + + function view'2 (self : borrowed (t_IntoIter'0)) : Fset.fset t_DeepModelTy'0 = + [%#smodel14] view'1 self.current + + use set.Fset + + predicate completed'0 (self : borrowed (t_IntoIter'0)) = + [%#shash_set5] Fset.is_empty (view'2 self) + + predicate from_iter_post'0 (prod : Seq.seq t_T'0) (res : t_HashSet'0) = + [%#shash_set7] forall x : t_DeepModelTy'0 . contains'0 (view'0 res) x + = (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 prod x1) + + let rec collect'0 (self:t_IntoIter'0) (return' (ret:t_HashSet'0))= {[@expl:collect 'self' type invariant] inv'1 self} + any + [ return' (result:t_HashSet'0)-> {inv'0 result} + {[%#siter2] exists done' : borrowed (t_IntoIter'0), prod : Seq.seq t_T'0 . resolve'0 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec roundtrip_hashset_into_iter'0 (xs:t_HashSet'0) (return' (ret:t_HashSet'0))= (! bb0 + [ bb0 = bb1 + | bb1 = s0 [ s0 = into_iter'0 {xs} (fun (_ret':t_IntoIter'0) -> [ &_3 <- _ret' ] s1) | s1 = bb2 ] + | bb2 = s0 [ s0 = collect'0 {_3} (fun (_ret':t_HashSet'0) -> [ &_0 <- _ret' ] s1) | s1 = bb3 ] + | bb3 = bb4 + | bb4 = return' {_0} ] + ) [ & _0 : t_HashSet'0 = any_l () | & xs : t_HashSet'0 = xs | & _3 : t_IntoIter'0 = any_l () ] + [ return' (result:t_HashSet'0)-> {[@expl:roundtrip_hashset_into_iter ensures] [%#scollections0] view'0 result + = view'0 xs} + (! return' {result}) ] + +end +module M_collections__roundtrip_hashset_iter [#"collections.rs" 69 0 69 87] + let%span scollections0 = "collections.rs" 68 10 68 24 + let%span shash_set1 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 19 0 38 1 + let%span siter2 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span smodel3 = "../../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span shash_set4 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 135 20 135 38 + let%span shash_set5 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 129 8 129 38 + let%span shash_set6 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 185 20 185 121 + let%span shash_set7 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 140 14 140 45 + let%span shash_set8 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 138 4 138 10 + let%span shash_set9 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 145 15 145 32 + let%span shash_set10 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 146 15 146 32 + let%span shash_set11 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 147 14 147 42 + let%span shash_set12 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 149 8 149 43 + let%span smodel13 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span shash_set14 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span sfset15 = "../../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span smodel16 = "../../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq17 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span shash_set18 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 71 11 71 33 + let%span shash_set19 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 72 11 72 33 + let%span shash_set20 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 73 10 73 43 + let%span shash_set21 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 81 4 81 31 + let%span sseq22 = "../../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq23 = "../../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + + use prelude.prelude.Borrow + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'1 = + { t_RawTable__table'1: t_RawTableInner'0; t_RawTable__alloc'1: (); t_RawTable__marker'1: () } + + type t_HashMap'1 = + { t_HashMap__hash_builder'1: t_RandomState'0; t_HashMap__table'1: t_RawTable'1 } + + type t_HashSet'3 = + { t_HashSet__map'1: t_HashMap'1 } + + type t_HashSet'1 = + { t_HashSet__base'1: t_HashSet'3 } + + predicate inv'0 (_1 : t_HashSet'1) + + axiom inv_axiom'0 [@rewrite] : forall x : t_HashSet'1 [inv'0 x] . inv'0 x = true + + type t_DeepModelTy'0 + + use set.Fset + + function view'3 (self : t_HashSet'1) : Fset.fset t_DeepModelTy'0 + + function view'1 (self : t_HashSet'1) : Fset.fset t_DeepModelTy'0 = + [%#smodel3] view'3 self + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } + + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } + + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } + + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } + + function view'2 (self : t_Iter'0) : Fset.fset t_DeepModelTy'0 + + let rec iter'0 (self:t_HashSet'1) (return' (ret:t_Iter'0))= {[@expl:iter 'self' type invariant] inv'0 self} + any [ return' (result:t_Iter'0)-> {[%#shash_set1] view'1 self = view'2 result} (! return' {result}) ] + + predicate inv'1 (_1 : t_Iter'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Iter'0 [inv'1 x] . inv'1 x = true + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashSet'2 = + { t_HashSet__map'0: t_HashMap'0 } + + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'2 } + + predicate inv'2 (_1 : t_HashSet'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_HashSet'0 [inv'2 x] . inv'2 x = true + + type t_T'0 + + use seq.Seq + + predicate resolve'0 (_1 : t_Iter'0) = + true + + use set.Fset + + use seq.Seq + + use prelude.prelude.Int + + use set.Fset + + predicate contains'0 [@inline:trivial] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) = + [%#sfset15] Fset.mem e self + + function deep_model'1 (self : t_T'0) : t_DeepModelTy'0 + + function deep_model'0 (self : t_T'0) : t_DeepModelTy'0 = + [%#smodel16] deep_model'1 self + + use seq.Seq + + predicate contains'1 (self : Seq.seq t_T'0) (x : t_T'0) = + [%#sseq17] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate set_produces'0 (start : t_Iter'0) (visited : Seq.seq t_T'0) (end' : t_Iter'0) = + [%#shash_set14] Fset.cardinal (view'2 start) = Seq.length visited + Fset.cardinal (view'2 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'2 start) x + -> (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1) \/ contains'0 (view'2 end') x) + /\ (forall x : t_T'0 . contains'1 visited x + -> contains'0 (view'2 start) (deep_model'0 x) /\ not contains'0 (view'2 end') (deep_model'0 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'2 end') x + -> contains'0 (view'2 start) x /\ not (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'0 (Seq.get visited i) = deep_model'0 (Seq.get visited j) + -> i = j) + + use seq.Seq + + function concat_contains'0 (_1 : ()) : () = + [%#sseq23] () + + axiom concat_contains'0_spec : forall _1 : () . [%#sseq22] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'1 (Seq.(++) a b) x + = contains'1 a x + \/ contains'1 b x + + function set_produces_trans'0 (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + + = + [%#shash_set21] let _ = concat_contains'0 () in let _ = let _ = () in () in let _ = let _ = () in () in () + + axiom set_produces_trans'0_spec : forall a : t_Iter'0, ab : Seq.seq t_T'0, b : t_Iter'0, bc : Seq.seq t_T'0, c : t_Iter'0 . ([%#shash_set18] set_produces'0 a ab b) + -> ([%#shash_set19] set_produces'0 b bc c) -> ([%#shash_set20] set_produces'0 a (Seq.(++) ab bc) c) + + use seq.Seq + + predicate produces'0 (self : t_Iter'0) (visited : Seq.seq t_T'0) (o : t_Iter'0) = + [%#shash_set5] set_produces'0 self visited o + + function produces_trans'0 (a : t_Iter'0) (ab : Seq.seq t_T'0) (b : t_Iter'0) (bc : Seq.seq t_T'0) (c : t_Iter'0) : () + = + [%#shash_set12] let _ = set_produces_trans'0 a ab b bc c in () + + axiom produces_trans'0_spec : forall a : t_Iter'0, ab : Seq.seq t_T'0, b : t_Iter'0, bc : Seq.seq t_T'0, c : t_Iter'0 . ([%#shash_set9] produces'0 a ab b) + -> ([%#shash_set10] produces'0 b bc c) -> ([%#shash_set11] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_Iter'0) : () = + [%#shash_set8] () + + axiom produces_refl'0_spec : forall self : t_Iter'0 . [%#shash_set7] produces'0 self (Seq.empty : Seq.seq t_T'0) self + + function view'4 (self : borrowed (t_Iter'0)) : Fset.fset t_DeepModelTy'0 = + [%#smodel13] view'2 self.current + + use set.Fset + + predicate completed'0 (self : borrowed (t_Iter'0)) = + [%#shash_set4] Fset.is_empty (view'4 self) + + function view'0 (self : t_HashSet'0) : Fset.fset t_DeepModelTy'0 + + predicate from_iter_post'0 (prod : Seq.seq t_T'0) (res : t_HashSet'0) = + [%#shash_set6] forall x : t_DeepModelTy'0 . contains'0 (view'0 res) x + = (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 prod x1) + + let rec collect'0 (self:t_Iter'0) (return' (ret:t_HashSet'0))= {[@expl:collect 'self' type invariant] inv'1 self} + any + [ return' (result:t_HashSet'0)-> {inv'2 result} + {[%#siter2] exists done' : borrowed (t_Iter'0), prod : Seq.seq t_T'0 . resolve'0 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec roundtrip_hashset_iter'0 (xs:t_HashSet'1) (return' (ret:t_HashSet'0))= (! bb0 + [ bb0 = s0 [ s0 = iter'0 {xs} (fun (_ret':t_Iter'0) -> [ &_3 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = collect'0 {_3} (fun (_ret':t_HashSet'0) -> [ &_0 <- _ret' ] s1) | s1 = bb2 ] + | bb2 = return' {_0} ] + ) [ & _0 : t_HashSet'0 = any_l () | & xs : t_HashSet'1 = xs | & _3 : t_Iter'0 = any_l () ] + [ return' (result:t_HashSet'0)-> {[@expl:roundtrip_hashset_iter ensures] [%#scollections0] view'0 result + = view'1 xs} + (! return' {result}) ] + +end +module M_collections__hashset_intersection [#"collections.rs" 74 0 77 15] + let%span scollections0 = "collections.rs" 73 10 73 42 + let%span shash_set1 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 32 30 32 67 + let%span siter2 = "../../../../creusot-contracts/src/std/iter.rs" 97 0 205 1 + let%span siter3 = "../../../../creusot-contracts/src/std/iter.rs" 166 26 167 120 + let%span smodel4 = "../../../../creusot-contracts/src/model.rs" 92 8 92 22 + let%span scopied5 = "../../../../creusot-contracts/src/std/iter/copied.rs" 11 14 11 39 + let%span scopied6 = "../../../../creusot-contracts/src/std/iter/copied.rs" 40 12 40 105 + let%span scopied7 = "../../../../creusot-contracts/src/std/iter/copied.rs" 48 12 51 79 + let%span shash_set8 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 185 20 185 121 + let%span scopied9 = "../../../../creusot-contracts/src/std/iter/copied.rs" 21 8 21 29 + let%span scopied10 = "../../../../creusot-contracts/src/std/iter/copied.rs" 57 14 57 45 + let%span scopied11 = "../../../../creusot-contracts/src/std/iter/copied.rs" 62 15 62 32 + let%span scopied12 = "../../../../creusot-contracts/src/std/iter/copied.rs" 63 15 63 32 + let%span scopied13 = "../../../../creusot-contracts/src/std/iter/copied.rs" 64 14 64 42 + let%span shash_set14 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 210 20 210 56 + let%span shash_set15 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 204 8 204 38 + let%span sfset16 = "../../../../creusot-contracts/src/logic/fset.rs" 46 8 46 26 + let%span sseq17 = "../../../../creusot-contracts/src/logic/seq.rs" 355 20 355 77 + let%span shash_set18 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 215 14 215 45 + let%span shash_set19 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 213 4 213 10 + let%span shash_set20 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 220 15 220 32 + let%span shash_set21 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 221 15 221 32 + let%span shash_set22 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 222 14 222 42 + let%span shash_set23 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 224 8 224 43 + let%span sresolve24 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 + let%span smodel25 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 + let%span shash_set26 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 58 16 65 23 + let%span shash_set27 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 71 11 71 33 + let%span shash_set28 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 72 11 72 33 + let%span shash_set29 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 73 10 73 43 + let%span shash_set30 = "../../../../creusot-contracts/src/std/collections/hash_set.rs" 81 4 81 31 + let%span smodel31 = "../../../../creusot-contracts/src/model.rs" 83 8 83 28 + let%span sseq32 = "../../../../creusot-contracts/src/logic/seq.rs" 382 14 383 65 + let%span sseq33 = "../../../../creusot-contracts/src/logic/seq.rs" 381 4 381 12 + + use prelude.prelude.Borrow + + use prelude.prelude.UInt64 + + type t_RandomState'0 = + { t_RandomState__k0'0: uint64; t_RandomState__k1'0: uint64 } + + use prelude.prelude.UIntSize + + use prelude.prelude.Opaque + + type t_NonNull'0 = + { t_NonNull__pointer'0: opaque_ptr } + + type t_RawTableInner'0 = + { t_RawTableInner__bucket_mask'0: usize; + t_RawTableInner__ctrl'0: t_NonNull'0; + t_RawTableInner__growth_left'0: usize; + t_RawTableInner__items'0: usize } + + type t_RawTable'0 = + { t_RawTable__table'0: t_RawTableInner'0; t_RawTable__alloc'0: (); t_RawTable__marker'0: () } + + type t_HashMap'0 = + { t_HashMap__hash_builder'0: t_RandomState'0; t_HashMap__table'0: t_RawTable'0 } + + type t_HashSet'1 = + { t_HashSet__map'0: t_HashMap'0 } + + type t_HashSet'0 = + { t_HashSet__base'0: t_HashSet'1 } + + predicate inv'0 (_1 : t_HashSet'0) + + axiom inv_axiom'0 [@rewrite] : forall x : t_HashSet'0 [inv'0 x] . inv'0 x = true + + use prelude.prelude.UInt16 + + type t_BitMask'0 = + { t_BitMask__0'0: uint16 } + + type t_BitMaskIter'0 = + { t_BitMaskIter__0'0: t_BitMask'0 } + + type t_NonNull'1 = + { t_NonNull__pointer'1: opaque_ptr } + + type t_Bucket'0 = + { t_Bucket__ptr'0: t_NonNull'1 } + + type t_RawIterRange'0 = + { t_RawIterRange__current_group'0: t_BitMaskIter'0; + t_RawIterRange__data'0: t_Bucket'0; + t_RawIterRange__next_ctrl'0: opaque_ptr; + t_RawIterRange__end'0: opaque_ptr } + + type t_RawIter'0 = + { t_RawIter__iter'0: t_RawIterRange'0; t_RawIter__items'0: usize } + + type t_Iter'2 = + { t_Iter__inner'0: t_RawIter'0; t_Iter__marker'0: () } + + type t_Keys'0 = + { t_Keys__inner'0: t_Iter'2 } + + type t_Iter'1 = + { t_Iter__iter'0: t_Keys'0 } + + type t_Iter'0 = + { t_Iter__base'0: t_Iter'1 } + + type t_Intersection'0 = + { t_Intersection__iter'0: t_Iter'0; t_Intersection__other'0: t_HashSet'0 } + + predicate inv'1 (_1 : t_Intersection'0) + + axiom inv_axiom'1 [@rewrite] : forall x : t_Intersection'0 [inv'1 x] . inv'1 x = true + + type t_DeepModelTy'0 + + use set.Fset + + function view'2 (self : t_Intersection'0) : Fset.fset t_DeepModelTy'0 + + function view'0 (self : t_HashSet'0) : Fset.fset t_DeepModelTy'0 + + function view'1 (self : t_HashSet'0) : Fset.fset t_DeepModelTy'0 = + [%#smodel4] view'0 self + + use set.Fset + + let rec intersection'0 (self:t_HashSet'0) (other:t_HashSet'0) (return' (ret:t_Intersection'0))= {[@expl:intersection 'self' type invariant] inv'0 self} + {[@expl:intersection 'other' type invariant] inv'0 other} + any + [ return' (result:t_Intersection'0)-> {inv'1 result} + {[%#shash_set1] view'2 result = Fset.inter (view'1 self) (view'1 other)} + (! return' {result}) ] + + + type t_Copied'0 = + { t_Copied__it'0: t_Intersection'0 } + + predicate inv'2 (_1 : t_Copied'0) + + axiom inv_axiom'2 [@rewrite] : forall x : t_Copied'0 [inv'2 x] . inv'2 x = true + + function iter'0 (self : t_Copied'0) : t_Intersection'0 + + axiom iter'0_spec : forall self : t_Copied'0 . [%#scopied5] inv'2 self -> inv'1 (iter'0 self) + + let rec copied'0 (self:t_Intersection'0) (return' (ret:t_Copied'0))= {[@expl:copied 'self' type invariant] inv'1 self} + any [ return' (result:t_Copied'0)-> {inv'2 result} {[%#siter2] iter'0 result = self} (! return' {result}) ] + + predicate inv'3 (_1 : t_HashSet'0) + + axiom inv_axiom'3 [@rewrite] : forall x : t_HashSet'0 [inv'3 x] . inv'3 x = true + + type t_T'0 + + use seq.Seq + + predicate resolve'2 (_1 : t_Intersection'0) = + true + + predicate resolve'1 (self : t_Copied'0) = + [%#scopied9] resolve'2 (iter'0 self) + + predicate resolve'0 (_1 : t_Copied'0) = + resolve'1 _1 + + use seq.Seq + + use seq.Seq + + use set.Fset + + use seq.Seq + + use prelude.prelude.Int + + use set.Fset + + predicate contains'0 [@inline:trivial] (self : Fset.fset t_DeepModelTy'0) (e : t_DeepModelTy'0) = + [%#sfset16] Fset.mem e self + + function deep_model'0 (self : t_T'0) : t_DeepModelTy'0 + + function deep_model'1 (self : t_T'0) : t_DeepModelTy'0 = + [%#smodel31] deep_model'0 self + + use seq.Seq + + predicate contains'2 (self : Seq.seq t_T'0) (x : t_T'0) = + [%#sseq17] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate set_produces'0 (start : t_Intersection'0) (visited : Seq.seq t_T'0) (end' : t_Intersection'0) = + [%#shash_set26] Fset.cardinal (view'2 start) = Seq.length visited + Fset.cardinal (view'2 end') + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'2 start) x + -> (exists x1 : t_T'0 . deep_model'1 x1 = x /\ contains'2 visited x1) \/ contains'0 (view'2 end') x) + /\ (forall x : t_T'0 . contains'2 visited x + -> contains'0 (view'2 start) (deep_model'1 x) /\ not contains'0 (view'2 end') (deep_model'1 x)) + /\ (forall x : t_DeepModelTy'0 . contains'0 (view'2 end') x + -> contains'0 (view'2 start) x /\ not (exists x1 : t_T'0 . deep_model'1 x1 = x /\ contains'2 visited x1)) + /\ (forall i : int, j : int . 0 <= i + /\ i < Seq.length visited + /\ 0 <= j /\ j < Seq.length visited /\ deep_model'1 (Seq.get visited i) = deep_model'1 (Seq.get visited j) + -> i = j) + + function concat_contains'0 (_1 : ()) : () = + [%#sseq33] () + + axiom concat_contains'0_spec : forall _1 : () . [%#sseq32] forall a : Seq.seq t_T'0, b : Seq.seq t_T'0, x : t_T'0 . contains'2 (Seq.(++) a b) x + = contains'2 a x + \/ contains'2 b x + + function set_produces_trans'0 (a : t_Intersection'0) (ab : Seq.seq t_T'0) (b : t_Intersection'0) (bc : Seq.seq t_T'0) (c : t_Intersection'0) : () + + = + [%#shash_set30] let _ = concat_contains'0 () in let _ = let _ = () in () in let _ = let _ = () in () in () + + axiom set_produces_trans'0_spec : forall a : t_Intersection'0, ab : Seq.seq t_T'0, b : t_Intersection'0, bc : Seq.seq t_T'0, c : t_Intersection'0 . ([%#shash_set27] set_produces'0 a ab b) + -> ([%#shash_set28] set_produces'0 b bc c) -> ([%#shash_set29] set_produces'0 a (Seq.(++) ab bc) c) + + use seq.Seq + + predicate produces'1 (self : t_Intersection'0) (visited : Seq.seq t_T'0) (o : t_Intersection'0) = + [%#shash_set15] set_produces'0 self visited o + + function produces_trans'1 (a : t_Intersection'0) (ab : Seq.seq t_T'0) (b : t_Intersection'0) (bc : Seq.seq t_T'0) (c : t_Intersection'0) : () + + = + [%#shash_set23] let _ = set_produces_trans'0 a ab b bc c in () + + axiom produces_trans'1_spec : forall a : t_Intersection'0, ab : Seq.seq t_T'0, b : t_Intersection'0, bc : Seq.seq t_T'0, c : t_Intersection'0 . ([%#shash_set20] produces'1 a ab b) + -> ([%#shash_set21] produces'1 b bc c) -> ([%#shash_set22] produces'1 a (Seq.(++) ab bc) c) + + function produces_refl'1 (self : t_Intersection'0) : () = + [%#shash_set19] () + + axiom produces_refl'1_spec : forall self : t_Intersection'0 . [%#shash_set18] produces'1 self (Seq.empty : Seq.seq t_T'0) self + + use seq.Seq + + use seq.Seq + + use seq.Seq + + use seq.Seq + + predicate produces'0 (self : t_Copied'0) (visited : Seq.seq t_T'0) (o : t_Copied'0) = + [%#scopied7] exists s : Seq.seq t_T'0 . produces'1 (iter'0 self) s (iter'0 o) + /\ Seq.length visited = Seq.length s + /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + + function produces_trans'0 (a : t_Copied'0) (ab : Seq.seq t_T'0) (b : t_Copied'0) (bc : Seq.seq t_T'0) (c : t_Copied'0) : () + + + axiom produces_trans'0_spec : forall a : t_Copied'0, ab : Seq.seq t_T'0, b : t_Copied'0, bc : Seq.seq t_T'0, c : t_Copied'0 . ([%#scopied11] produces'0 a ab b) + -> ([%#scopied12] produces'0 b bc c) -> ([%#scopied13] produces'0 a (Seq.(++) ab bc) c) + + function produces_refl'0 (self : t_Copied'0) : () + + axiom produces_refl'0_spec : forall self : t_Copied'0 . [%#scopied10] produces'0 self (Seq.empty : Seq.seq t_T'0) self + + predicate resolve'3 (self : borrowed (t_Intersection'0)) = + [%#sresolve24] self.final = self.current + + function view'3 (self : borrowed (t_Intersection'0)) : Fset.fset t_DeepModelTy'0 = + [%#smodel25] view'2 self.current + + use set.Fset + + predicate completed'1 (self : borrowed (t_Intersection'0)) = + [%#shash_set14] resolve'3 self /\ Fset.is_empty (view'3 self) + + predicate completed'0 (self : borrowed (t_Copied'0)) = + [%#scopied6] exists inner : borrowed (t_Intersection'0) . inner.current = iter'0 self.current + /\ inner.final = iter'0 self.final /\ completed'1 inner + + predicate contains'1 (self : Seq.seq t_T'0) (x : t_T'0) = + [%#sseq17] exists i : int . 0 <= i /\ i < Seq.length self /\ Seq.get self i = x + + predicate from_iter_post'0 (prod : Seq.seq t_T'0) (res : t_HashSet'0) = + [%#shash_set8] forall x : t_DeepModelTy'0 . contains'0 (view'0 res) x + = (exists x1 : t_T'0 . deep_model'0 x1 = x /\ contains'1 prod x1) + + let rec collect'0 (self:t_Copied'0) (return' (ret:t_HashSet'0))= {[@expl:collect 'self' type invariant] inv'2 self} + any + [ return' (result:t_HashSet'0)-> {inv'3 result} + {[%#siter3] exists done' : borrowed (t_Copied'0), prod : Seq.seq t_T'0 . resolve'0 done'.final + /\ completed'0 done' /\ produces'0 self prod done'.current /\ from_iter_post'0 prod result} + (! return' {result}) ] + + + use prelude.prelude.Intrinsic + + meta "compute_max_steps" 1000000 + + let rec hashset_intersection'0 (xs:t_HashSet'0) (ys:t_HashSet'0) (return' (ret:t_HashSet'0))= (! bb0 + [ bb0 = s0 [ s0 = intersection'0 {xs} {ys} (fun (_ret':t_Intersection'0) -> [ &_5 <- _ret' ] s1) | s1 = bb1 ] + | bb1 = s0 [ s0 = copied'0 {_5} (fun (_ret':t_Copied'0) -> [ &_4 <- _ret' ] s1) | s1 = bb2 ] + | bb2 = s0 [ s0 = collect'0 {_4} (fun (_ret':t_HashSet'0) -> [ &_0 <- _ret' ] s1) | s1 = bb3 ] + | bb3 = return' {_0} ] + ) + [ & _0 : t_HashSet'0 = any_l () + | & xs : t_HashSet'0 = xs + | & ys : t_HashSet'0 = ys + | & _4 : t_Copied'0 = any_l () + | & _5 : t_Intersection'0 = any_l () ] + + [ return' (result:t_HashSet'0)-> {[@expl:hashset_intersection ensures] [%#scollections0] view'0 result + = Fset.inter (view'1 xs) (view'1 ys)} + (! return' {result}) ] + +end diff --git a/creusot/tests/should_succeed/cc/collections.rs b/creusot/tests/should_succeed/cc/collections.rs new file mode 100644 index 000000000..9de9c88f3 --- /dev/null +++ b/creusot/tests/should_succeed/cc/collections.rs @@ -0,0 +1,79 @@ +extern crate creusot_contracts; +use creusot_contracts::*; +use std::{ + collections::{hash_map, HashMap, HashSet}, + hash::Hash, +}; + +#[trusted] +#[logic] +pub fn any() -> T { + dead +} + +#[ensures(result@ == xs@)] +pub fn roundtrip_hashmap_into_iter( + xs: HashMap, +) -> HashMap { + let it = xs.into_iter(); + let it0 = snapshot! { it }; + let r: HashMap = it.collect(); + proof_assert! { + exists, it1: &mut hash_map::IntoIter> + it1.completed() && it0.produces(prod, *it1) && + forall r@.get(k) == Some(v) + ==> exists k1.deep_model() == k && prod.contains((k1, v)) + }; + proof_assert! { forall r@.contains(k) == xs@.contains(k) }; + r +} + +#[ensures(forall (result@.get(k) == Some(v)) == (xs@.get(k) == Some(*v)))] +pub fn roundtrip_hashmap_iter(xs: &HashMap) -> HashMap<&K, &V> { + let it = xs.iter(); + let it0 = snapshot! { it }; + let r: HashMap<&K, &V> = it.collect(); + + proof_assert! { + exists, it1: &mut hash_map::Iter> + it1.completed() && it0.produces(prod, *it1) + && forall r@.get(k) == Some(v) + ==> exists k1.deep_model() == k && prod.contains((k1, v)) }; + r +} + +#[ensures(forall result@.get(k) == Some(v) ==> xs@.get(k) == Some(*v) && (^xs)@.get(k) == Some(^v))] +#[ensures(forall xs@.get(k) == Some(v) ==> result@.contains(k) && *result@[k] == v)] +#[ensures(forall (^xs)@.get(k) == Some(v) ==> result@.contains(k) && ^result@[k] == v)] +pub fn roundtrip_hashmap_iter_mut( + xs: &mut HashMap, +) -> HashMap<&K, &mut V> { + let it = xs.iter_mut(); + let it0 = snapshot! { it }; + let r: HashMap<&K, &mut V> = it.collect(); + proof_assert! { + exists, it1: &mut hash_map::IterMut> + it1.completed() && it0.produces(prod, *it1) + && forall r@.get(k) == Some(v) + ==> exists k1.deep_model() == k && prod.contains((k1, v)) + }; + r +} + +#[ensures(result@ == xs@)] +pub fn roundtrip_hashset_into_iter(xs: HashSet) -> HashSet { + xs.into_iter().collect() +} + +#[ensures(result@ == xs@)] +pub fn roundtrip_hashset_iter(xs: &HashSet) -> HashSet<&T> { + xs.iter().collect() +} + +#[ensures(result@ == xs@.intersection(ys@))] +pub fn hashset_intersection( + xs: &HashSet, + ys: &HashSet, +) -> HashSet { + xs.intersection(ys).copied().collect() +} diff --git a/creusot/tests/should_succeed/cc/collections/why3session.xml b/creusot/tests/should_succeed/cc/collections/why3session.xml new file mode 100644 index 000000000..efb577440 --- /dev/null +++ b/creusot/tests/should_succeed/cc/collections/why3session.xml @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/creusot/tests/should_succeed/cc/collections/why3shapes.gz b/creusot/tests/should_succeed/cc/collections/why3shapes.gz new file mode 100644 index 0000000000000000000000000000000000000000..dbb36120cf6cd30f695b694964280297211c82e5 GIT binary patch literal 2951 zcmV;23wZP&iwFP!00000|GimDZzDGnzWY}Q*n@YI3ya0)0<(Y-j6h>InL`3y4K~Tn z2xChgN%my+*Kd*Pcei9GhXo9yyGRzdUl>ziNv2miWF-)?au+6Q@0(v8^2_4>v? zANKJjq$4d*{>L9TdSf@h?uT+S7b%)&#;XB*dU`&6rw1BncRkDUF!y1!g#YdElI}_TdpbS5?2g<2rr3s$GkK@gDciKN}PwB9_J*LO{c6IvxoK`gK4_m)G<(bWdhv!3@t~sQyFWW;pj;8I8 zr!vpez{}(5ycx7_VgLA;!s+sM`C#X{c{IEn4rxb^>W&Ql z^!%7kXVcI-&DuY{=C7!?JO4h8Xa(PJ`YRraDLp?t?PGe(h$1Qb z*tmkU6c=}=r7?2uuluKzr^0%4!0m3A4t|%ubw@S*QSIcYmX38iro)NgpYhNg5hh#u zFAHO2`7c*jZ8$D2BYBV9evfYa=CFU+#nWN?{P5WyKR@~BhaL)PcYG;GXxEbo+9%L= zOXr~(WYPsWXp*n*hOVI_x2~ZGxU>aWQp7+yf)mUFpKIo zA^w@}LSHqQkr`^jXkD^F`kN=4ES)EttQ7}&1~26qGECm0GutG`aJ$54D2gWskw#ij zbXss?{QN$}31Y)&1PnQ6G|@2{$NLW4U9zA>SO~2pvvVd`Vn}Eha>zWqeZUf5WWx0* z0%iL!Vx|wRJ<-4Hz8$h|VjW$k=$1tIa3XIf=IYRtiKeUU)_q}W+rrfL6bfwJJq<_{ zpfJ*y<%lLrokvtN;>1EQGa)}0c@r(V|Cfzb5@+lcvBF4 zIIp~4*45Re)&6kUf1{O@%NpqAn9lghdbhDup&7SNFIOtbNk#e|tsS+_xfHK*>7aJt zlSt!zj6ln!e8Q!o<5ELJG3Qc}sw-SNrJ1W-+J|$F_0dr!9jlM$p~3RG%h|J$&JK7N ztBz@t_c{gyeU`o6jpxE-R_n4$OkJ?hu=VP1?BdS3LK|;Qgu1ZzXkJHv?6MQ=fR)ej za^-7^W!g{L?qd4m;c@@_HY}O*b+LLLOvu6WE~~(Mccr{S3Fzv+G-b#DBh%4Pml=^y zZLy4kVv+N}|IHr!`kp23Yy*#l>q{P8vH|bHdUpn;)$cAI z3UL+zVj2O{d0hmEc}ZdhGjkEKzF%gM%suTPh(sEy>{t+GR}qoX&AcKasa~jvXnQ@_ z-dwDRRNkWdkV%68)lx+ypj_LA6_Fxgr$tOEXTj!dFIZm@nRx}H`-(`-?|4gTs{l(h zS*yILwr2YI<T@%Fkk9Kt0boC~6f7S&cmbi-X}FPW?Dr9sa|PkJ_bp}nL(PFN^^<<*u6?^+;c zso@|>$PB^AM)`bpH(I#HVc&4*-2Q7iwVi|Z^^8sEvB{SD55$1%&HlsiotN%{UFt`e zt{-9EI#(%W2VkT+{?iz&Y6?!#7W)&Vjaw0uL3=^owj{bP@BD5)hnBqxt-fspleQ5o zw2i=gyws_~d8e+x?gHYl?TY6H(;RWKfM|%g(owtIC|f|B=;;ryc$SZDd$bL7_rrX; z?tTcP`(gXs0PWxD`*G4cV@;22h@inMHXX9IPrWUg=>plD8N2Ho@!Pt67{HHbID8tu ztBo1JuiWC!gf@qtEu_}m-DWszIqVWJhuoICR7IIAZ9#KC8d6Kb<`Oy4Vq1osG~MWy zM(VTwk$gJh+MG@1!luDH(b8N!bArmhB&5SJh1}@A{)@o(<7D#w^qKs0saw{@p)ZRD zo$=<0)P?=?HpRQRhzPxA~Ju<&fzXWB&0=c2|7QZ7lv74J?_nkA& zJ+Uq@OZxh$xbYnF*r%)WMXjL>WY<2oUC_6gx=h6Fn;BBQIfHW5O|5+`lGecp#zEGC z84s$~Nz00dXjfb~j!rw}q!SJuci`v_8?}g1h#IU>LMYB;RN8oJMdHesm33yeNOAxR zCW=r2OB$IqLL_4p0yALc3cvwdSeU%`CO|ZFs#;doqo_s2O=S%WzBVfm4$uLgpA&RV zr>iQVj7OkSjjGOCqKQbSQMdx*Ks!(lkFfI@{8=Z=Hp?5Y-Wkgin4EZK}DD`il1h)^L{5a=?J{Un$} z?hqU@$F1YWaqYNrTox5f$Vyhgqa_!p2+8Z32^$Ts1DKFjh-CY#8Y(Ly)V4}h_G3k6 ztShp=stl_<(~TccT-BnC*4%5Rc_3#BW~cQjRdQ7wz9HLf|JY%>x6MaJE5E) zUy%dQ3GPJJgvoQRl_k^KDsaUTD5>a)Q?>%0RuY}$@6lvg64D|QI)qp=ZdIefjz*b0n2x+B^Qxu8HDf!oSU_LRf8Cq{F+DLTA$UqX6mP$wwGN80_ni!U1 z9-L-prc|-=npdV~6zra2%>?PS;!v4H7(dhNWD%vkh-4xRJV_KmlBI}x=&LLXRWv=l zP8ND@b@H(ewT|A_P*se$jsqimkcDtSualLQm@#ATbbWb8ur>d%m0*wZlC^TXvDyta< zE%V__W(x}$a0&s+K`Nvw2+Pn15sANytm&%Leyp}ji*-fQEQpBFD;t8)ISW8-f(f-C zJR0r{IKwhRmQ_%Cq@+|?nJ5#OpsPC3Qe*&vz*j^5WMJG`aF(1!jyBF{XOuJ28PR<| zj}!`wpcQ1)L=Hj;3hF{RvetHG=_GF{@r)C75<0x9OJYljOHNE~ywDcZ$_i)kZ9O&R z1P%tlFsx#vbf==KIIBTWdg5|rRko>><^OeE$waG>tV)ruQ>qvphS0&uS_!0A**|1l xtIPlQXk_FdGPxGU)VbOq;)`5WRYK`4sa*lffx(=$&YC}?`G3aa$^a84005~U$G!jn literal 0 HcmV?d00001 diff --git a/creusot/tests/should_succeed/ghost/ghost_set.coma b/creusot/tests/should_succeed/ghost/ghost_set.coma index e4e93b45f..715ebc53b 100644 --- a/creusot/tests/should_succeed/ghost/ghost_set.coma +++ b/creusot/tests/should_succeed/ghost/ghost_set.coma @@ -1,7 +1,7 @@ module M_ghost_set__ghost_map [#"ghost_set.rs" 4 0 4 18] let%span sghost_set0 = "ghost_set.rs" 5 18 5 36 - let%span sfset1 = "../../../../creusot-contracts/src/logic/fset.rs" 185 4 185 34 - let%span sfset2 = "../../../../creusot-contracts/src/logic/fset.rs" 183 14 183 31 + let%span sfset1 = "../../../../creusot-contracts/src/logic/fset.rs" 196 4 196 34 + let%span sfset2 = "../../../../creusot-contracts/src/logic/fset.rs" 194 14 194 31 let%span sghost_set3 = "ghost_set.rs" 7 22 7 53 let%span sghost_set4 = "ghost_set.rs" 8 25 8 26 let%span sghost_set5 = "ghost_set.rs" 10 22 10 63 @@ -25,22 +25,22 @@ module M_ghost_set__ghost_map [#"ghost_set.rs" 4 0 4 18] let%span sghost23 = "../../../../creusot-contracts/src/ghost.rs" 85 22 85 26 let%span sghost24 = "../../../../creusot-contracts/src/ghost.rs" 85 4 85 48 let%span sghost25 = "../../../../creusot-contracts/src/ghost.rs" 84 14 84 36 - let%span sfset26 = "../../../../creusot-contracts/src/logic/fset.rs" 266 29 266 33 - let%span sfset27 = "../../../../creusot-contracts/src/logic/fset.rs" 266 35 266 40 - let%span sfset28 = "../../../../creusot-contracts/src/logic/fset.rs" 264 14 264 44 - let%span sfset29 = "../../../../creusot-contracts/src/logic/fset.rs" 265 14 265 48 + let%span sfset26 = "../../../../creusot-contracts/src/logic/fset.rs" 277 29 277 33 + let%span sfset27 = "../../../../creusot-contracts/src/logic/fset.rs" 277 35 277 40 + let%span sfset28 = "../../../../creusot-contracts/src/logic/fset.rs" 275 14 275 44 + let%span sfset29 = "../../../../creusot-contracts/src/logic/fset.rs" 276 14 276 48 let%span sghost30 = "../../../../creusot-contracts/src/ghost.rs" 69 14 69 18 let%span sghost31 = "../../../../creusot-contracts/src/ghost.rs" 69 4 69 36 let%span sghost32 = "../../../../creusot-contracts/src/ghost.rs" 68 14 68 35 - let%span sfset33 = "../../../../creusot-contracts/src/logic/fset.rs" 211 22 211 26 - let%span sfset34 = "../../../../creusot-contracts/src/logic/fset.rs" 210 14 210 34 - let%span sfset35 = "../../../../creusot-contracts/src/logic/fset.rs" 302 29 302 33 - let%span sfset36 = "../../../../creusot-contracts/src/logic/fset.rs" 302 35 302 40 - let%span sfset37 = "../../../../creusot-contracts/src/logic/fset.rs" 300 14 300 45 - let%span sfset38 = "../../../../creusot-contracts/src/logic/fset.rs" 301 14 301 48 - let%span sfset39 = "../../../../creusot-contracts/src/logic/fset.rs" 232 27 232 31 - let%span sfset40 = "../../../../creusot-contracts/src/logic/fset.rs" 232 33 232 38 - let%span sfset41 = "../../../../creusot-contracts/src/logic/fset.rs" 231 14 231 45 + let%span sfset33 = "../../../../creusot-contracts/src/logic/fset.rs" 222 22 222 26 + let%span sfset34 = "../../../../creusot-contracts/src/logic/fset.rs" 221 14 221 34 + let%span sfset35 = "../../../../creusot-contracts/src/logic/fset.rs" 313 29 313 33 + let%span sfset36 = "../../../../creusot-contracts/src/logic/fset.rs" 313 35 313 40 + let%span sfset37 = "../../../../creusot-contracts/src/logic/fset.rs" 311 14 311 45 + let%span sfset38 = "../../../../creusot-contracts/src/logic/fset.rs" 312 14 312 48 + let%span sfset39 = "../../../../creusot-contracts/src/logic/fset.rs" 243 27 243 31 + let%span sfset40 = "../../../../creusot-contracts/src/logic/fset.rs" 243 33 243 38 + let%span sfset41 = "../../../../creusot-contracts/src/logic/fset.rs" 242 14 242 45 let%span sghost42 = "../../../../creusot-contracts/src/ghost.rs" 181 15 181 16 let%span sghost43 = "../../../../creusot-contracts/src/ghost.rs" 181 4 181 28 let%span sghost44 = "../../../../creusot-contracts/src/ghost.rs" 179 14 179 28 diff --git a/creusot/tests/should_succeed/ghost/ghost_vec.coma b/creusot/tests/should_succeed/ghost/ghost_vec.coma index d7d4f155e..4503007f8 100644 --- a/creusot/tests/should_succeed/ghost/ghost_vec.coma +++ b/creusot/tests/should_succeed/ghost/ghost_vec.coma @@ -2,8 +2,8 @@ module M_ghost_vec__ghost_vec [#"ghost_vec.rs" 4 0 4 18] let%span sghost_vec0 = "ghost_vec.rs" 5 16 5 26 let%span sghost_vec1 = "ghost_vec.rs" 6 18 6 49 let%span sghost_vec2 = "ghost_vec.rs" 40 16 40 26 - let%span sseq3 = "../../../../creusot-contracts/src/logic/seq.rs" 421 4 421 34 - let%span sseq4 = "../../../../creusot-contracts/src/logic/seq.rs" 419 14 419 36 + let%span sseq3 = "../../../../creusot-contracts/src/logic/seq.rs" 431 4 431 34 + let%span sseq4 = "../../../../creusot-contracts/src/logic/seq.rs" 429 14 429 36 let%span sghost5 = "../../../../creusot-contracts/src/ghost.rs" 217 9 217 15 let%span sseq6 = "../../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 let%span sghost_vec7 = "ghost_vec.rs" 8 26 8 28 @@ -35,38 +35,38 @@ module M_ghost_vec__ghost_vec [#"ghost_vec.rs" 4 0 4 18] let%span sghost33 = "../../../../creusot-contracts/src/ghost.rs" 85 22 85 26 let%span sghost34 = "../../../../creusot-contracts/src/ghost.rs" 85 4 85 48 let%span sghost35 = "../../../../creusot-contracts/src/ghost.rs" 84 14 84 36 - let%span sseq36 = "../../../../creusot-contracts/src/logic/seq.rs" 488 32 488 36 - let%span sseq37 = "../../../../creusot-contracts/src/logic/seq.rs" 488 38 488 39 - let%span sseq38 = "../../../../creusot-contracts/src/logic/seq.rs" 487 14 487 40 + let%span sseq36 = "../../../../creusot-contracts/src/logic/seq.rs" 498 32 498 36 + let%span sseq37 = "../../../../creusot-contracts/src/logic/seq.rs" 498 38 498 39 + let%span sseq38 = "../../../../creusot-contracts/src/logic/seq.rs" 497 14 497 40 let%span sghost39 = "../../../../creusot-contracts/src/ghost.rs" 69 14 69 18 let%span sghost40 = "../../../../creusot-contracts/src/ghost.rs" 69 4 69 36 let%span sghost41 = "../../../../creusot-contracts/src/ghost.rs" 68 14 68 35 - let%span sseq42 = "../../../../creusot-contracts/src/logic/seq.rs" 445 22 445 26 - let%span sseq43 = "../../../../creusot-contracts/src/logic/seq.rs" 444 14 444 34 + let%span sseq42 = "../../../../creusot-contracts/src/logic/seq.rs" 455 22 455 26 + let%span sseq43 = "../../../../creusot-contracts/src/logic/seq.rs" 454 14 454 34 let%span sint44 = "../../../../creusot-contracts/src/logic/int.rs" 60 14 60 31 let%span sghost45 = "../../../../creusot-contracts/src/ghost.rs" 199 22 199 26 let%span sghost46 = "../../../../creusot-contracts/src/ghost.rs" 199 4 199 32 let%span sghost47 = "../../../../creusot-contracts/src/ghost.rs" 197 14 197 31 - let%span sseq48 = "../../../../creusot-contracts/src/logic/seq.rs" 516 22 516 26 - let%span sseq49 = "../../../../creusot-contracts/src/logic/seq.rs" 516 4 516 53 - let%span sseq50 = "../../../../creusot-contracts/src/logic/seq.rs" 512 14 515 5 - let%span sseq51 = "../../../../creusot-contracts/src/logic/seq.rs" 547 30 547 34 - let%span sseq52 = "../../../../creusot-contracts/src/logic/seq.rs" 547 4 547 65 - let%span sseq53 = "../../../../creusot-contracts/src/logic/seq.rs" 541 14 544 5 - let%span sseq54 = "../../../../creusot-contracts/src/logic/seq.rs" 545 14 545 84 - let%span sseq55 = "../../../../creusot-contracts/src/logic/seq.rs" 546 14 546 44 - let%span sseq56 = "../../../../creusot-contracts/src/logic/seq.rs" 574 31 574 35 - let%span sseq57 = "../../../../creusot-contracts/src/logic/seq.rs" 574 4 574 49 - let%span sseq58 = "../../../../creusot-contracts/src/logic/seq.rs" 570 14 573 5 + let%span sseq48 = "../../../../creusot-contracts/src/logic/seq.rs" 526 22 526 26 + let%span sseq49 = "../../../../creusot-contracts/src/logic/seq.rs" 526 4 526 53 + let%span sseq50 = "../../../../creusot-contracts/src/logic/seq.rs" 522 14 525 5 + let%span sseq51 = "../../../../creusot-contracts/src/logic/seq.rs" 557 30 557 34 + let%span sseq52 = "../../../../creusot-contracts/src/logic/seq.rs" 557 4 557 65 + let%span sseq53 = "../../../../creusot-contracts/src/logic/seq.rs" 551 14 554 5 + let%span sseq54 = "../../../../creusot-contracts/src/logic/seq.rs" 555 14 555 84 + let%span sseq55 = "../../../../creusot-contracts/src/logic/seq.rs" 556 14 556 44 + let%span sseq56 = "../../../../creusot-contracts/src/logic/seq.rs" 584 31 584 35 + let%span sseq57 = "../../../../creusot-contracts/src/logic/seq.rs" 584 4 584 49 + let%span sseq58 = "../../../../creusot-contracts/src/logic/seq.rs" 580 14 583 5 let%span sghost59 = "../../../../creusot-contracts/src/ghost.rs" 181 15 181 16 let%span sghost60 = "../../../../creusot-contracts/src/ghost.rs" 181 4 181 28 let%span sghost61 = "../../../../creusot-contracts/src/ghost.rs" 179 14 179 28 - let%span sseq62 = "../../../../creusot-contracts/src/logic/seq.rs" 466 33 466 37 - let%span sseq63 = "../../../../creusot-contracts/src/logic/seq.rs" 466 39 466 40 - let%span sseq64 = "../../../../creusot-contracts/src/logic/seq.rs" 465 14 465 41 - let%span sseq65 = "../../../../creusot-contracts/src/logic/seq.rs" 600 32 600 36 - let%span sseq66 = "../../../../creusot-contracts/src/logic/seq.rs" 600 4 600 50 - let%span sseq67 = "../../../../creusot-contracts/src/logic/seq.rs" 596 14 599 5 + let%span sseq62 = "../../../../creusot-contracts/src/logic/seq.rs" 476 33 476 37 + let%span sseq63 = "../../../../creusot-contracts/src/logic/seq.rs" 476 39 476 40 + let%span sseq64 = "../../../../creusot-contracts/src/logic/seq.rs" 475 14 475 41 + let%span sseq65 = "../../../../creusot-contracts/src/logic/seq.rs" 610 32 610 36 + let%span sseq66 = "../../../../creusot-contracts/src/logic/seq.rs" 610 4 610 50 + let%span sseq67 = "../../../../creusot-contracts/src/logic/seq.rs" 606 14 609 5 let%span sresolve68 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span sseq69 = "../../../../creusot-contracts/src/logic/seq.rs" 251 8 251 27 diff --git a/creusot/tests/should_succeed/hashmap.coma b/creusot/tests/should_succeed/hashmap.coma index 6d4455377..96141d19c 100644 --- a/creusot/tests/should_succeed/hashmap.coma +++ b/creusot/tests/should_succeed/hashmap.coma @@ -136,7 +136,7 @@ module M_hashmap__qyi15467499327297494705__resolve_coherence [#"hashmap.rs" 116 let%span shashmap16 = "hashmap.rs" 133 12 133 91 let%span shashmap17 = "hashmap.rs" 41 12 44 13 let%span svec18 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq19 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq19 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed20 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow @@ -348,7 +348,7 @@ module M_hashmap__qyi7664122466964245986__new [#"hashmap.rs" 152 4 152 46] (* My let%span shashmap13 = "hashmap.rs" 133 12 133 91 let%span shashmap14 = "hashmap.rs" 41 12 44 13 let%span sboxed15 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - let%span sseq16 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq16 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 type t_K'0 @@ -575,7 +575,7 @@ module M_hashmap__qyi7664122466964245986__add [#"hashmap.rs" 158 4 158 41] (* My let%span sindex41 = "../../../creusot-contracts/src/logic/ops/index.rs" 27 8 27 31 let%span sinvariant42 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 let%span sresolve43 = "../../../creusot-contracts/src/resolve.rs" 82 8 85 9 - let%span sseq44 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq44 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span shashmap45 = "hashmap.rs" 143 12 144 139 use prelude.prelude.Snapshot @@ -1152,7 +1152,7 @@ module M_hashmap__qyi7664122466964245986__get [#"hashmap.rs" 190 4 190 43] (* My let%span shashmap26 = "hashmap.rs" 133 12 133 91 let%span shashmap27 = "hashmap.rs" 41 12 44 13 let%span sboxed28 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - let%span sseq29 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq29 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 use prelude.prelude.Borrow @@ -1534,7 +1534,7 @@ module M_hashmap__qyi7664122466964245986__resize [#"hashmap.rs" 209 4 209 24] (* let%span sinvariant57 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 let%span sresolve58 = "../../../creusot-contracts/src/resolve.rs" 82 8 85 9 let%span sboxed59 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - let%span sseq60 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq60 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 use prelude.prelude.Snapshot @@ -2508,7 +2508,7 @@ module M_hashmap__qyi15467499327297494705__resolve_coherence__refines [#"hashmap let%span shashmap13 = "hashmap.rs" 133 12 133 91 let%span shashmap14 = "hashmap.rs" 41 12 44 13 let%span svec15 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq16 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq16 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed17 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow diff --git a/creusot/tests/should_succeed/heapsort_generic.coma b/creusot/tests/should_succeed/heapsort_generic.coma index 224550a74..ac5ca7141 100644 --- a/creusot/tests/should_succeed/heapsort_generic.coma +++ b/creusot/tests/should_succeed/heapsort_generic.coma @@ -176,7 +176,7 @@ module M_heapsort_generic__sift_down [#"heapsort_generic.rs" 41 0 43 29] let%span svec63 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sslice64 = "../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 let%span sinvariant65 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq66 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq66 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed67 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Snapshot @@ -689,7 +689,7 @@ module M_heapsort_generic__heap_sort [#"heapsort_generic.rs" 94 0 96 29] let%span sinvariant72 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sslice73 = "../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 let%span sinvariant74 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq75 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq75 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed76 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Snapshot diff --git a/creusot/tests/should_succeed/hillel.coma b/creusot/tests/should_succeed/hillel.coma index 70594d91f..92d67b95c 100644 --- a/creusot/tests/should_succeed/hillel.coma +++ b/creusot/tests/should_succeed/hillel.coma @@ -24,7 +24,7 @@ module M_hillel__right_pad [#"hillel.rs" 17 0 17 59] let%span svec22 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sinvariant23 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sinvariant24 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq25 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq25 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed26 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Snapshot @@ -243,7 +243,7 @@ module M_hillel__left_pad [#"hillel.rs" 34 0 34 58] let%span svec27 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sinvariant28 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sinvariant29 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq30 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq30 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed31 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Snapshot @@ -534,7 +534,7 @@ module M_hillel__insert_unique [#"hillel.rs" 80 0 80 62] let%span sslice52 = "../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 let%span sslice53 = "../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 let%span sindex54 = "../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sseq55 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq55 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sinvariant56 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span svec57 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sinvariant58 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 @@ -1055,7 +1055,7 @@ module M_hillel__unique [#"hillel.rs" 102 0 102 56] let%span svec56 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sinvariant57 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sinvariant58 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq59 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq59 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sslice60 = "../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 let%span sboxed61 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 diff --git a/creusot/tests/should_succeed/iterators/02_iter_mut.coma b/creusot/tests/should_succeed/iterators/02_iter_mut.coma index 6dc2b28ac..d8c0cdad4 100644 --- a/creusot/tests/should_succeed/iterators/02_iter_mut.coma +++ b/creusot/tests/should_succeed/iterators/02_iter_mut.coma @@ -227,7 +227,7 @@ module M_02_iter_mut__qyi4305820612590367313__next [#"02_iter_mut.rs" 64 4 64 44 let%span sinvariant14 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sslice15 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 let%span s02_iter_mut16 = "02_iter_mut.rs" 23 20 23 64 - let%span sseq17 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq17 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed18 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow @@ -456,7 +456,7 @@ module M_02_iter_mut__qyi7060081090368749043__into_iter [#"02_iter_mut.rs" 71 4 let%span sslice5 = "../../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 let%span sinvariant6 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sslice7 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 - let%span sseq8 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq8 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed9 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow @@ -568,7 +568,7 @@ module M_02_iter_mut__iter_mut [#"02_iter_mut.rs" 79 0 79 55] let%span sslice19 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 let%span sinvariant20 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span s02_iter_mut21 = "02_iter_mut.rs" 23 20 23 64 - let%span sseq22 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq22 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed23 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow @@ -1129,7 +1129,7 @@ module M_02_iter_mut__qyi9908912287408438076__resolve_coherence__refines [#"02_i let%span sslice6 = "../../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 let%span sinvariant7 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sslice8 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 - let%span sseq9 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq9 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed10 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow @@ -1322,7 +1322,7 @@ module M_02_iter_mut__qyi4305820612590367313__next__refines [#"02_iter_mut.rs" 6 let%span sindex10 = "../../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 let%span s02_iter_mut11 = "02_iter_mut.rs" 23 20 23 64 let%span sslice12 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 - let%span sseq13 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq13 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed14 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow diff --git a/creusot/tests/should_succeed/iterators/03_std_iterators.coma b/creusot/tests/should_succeed/iterators/03_std_iterators.coma index cb7da2c3f..1f3a9b3f1 100644 --- a/creusot/tests/should_succeed/iterators/03_std_iterators.coma +++ b/creusot/tests/should_succeed/iterators/03_std_iterators.coma @@ -29,7 +29,7 @@ module M_03_std_iterators__slice_iter [#"03_std_iterators.rs" 6 0 6 42] let%span sslice27 = "../../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 let%span sslice28 = "../../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 let%span sindex29 = "../../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sseq30 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq30 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span smodel31 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 let%span sinvariant32 = "../../../../creusot-contracts/src/invariant.rs" 24 8 24 18 let%span sboxed33 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 @@ -340,7 +340,7 @@ module M_03_std_iterators__vec_iter [#"03_std_iterators.rs" 17 0 17 41] let%span sresolve25 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span svec26 = "../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41 let%span sindex27 = "../../../../creusot-contracts/src/logic/ops/index.rs" 49 8 49 31 - let%span sseq28 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq28 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span smodel29 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 let%span sslice30 = "../../../../creusot-contracts/src/std/slice.rs" 28 14 28 41 let%span sslice31 = "../../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 @@ -2287,7 +2287,7 @@ module M_03_std_iterators__my_reverse [#"03_std_iterators.rs" 94 0 94 37] let%span sslice54 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 let%span sinvariant55 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sinvariant56 = "../../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq57 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq57 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed58 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow diff --git a/creusot/tests/should_succeed/iterators/08_collect_extend.coma b/creusot/tests/should_succeed/iterators/08_collect_extend.coma index aedea4bc3..50f3f4a7e 100644 --- a/creusot/tests/should_succeed/iterators/08_collect_extend.coma +++ b/creusot/tests/should_succeed/iterators/08_collect_extend.coma @@ -24,7 +24,7 @@ module M_08_collect_extend__extend [#"08_collect_extend.rs" 26 0 26 66] let%span siter22 = "../../../../creusot-contracts/src/std/iter.rs" 44 14 44 42 let%span sresolve23 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span sinvariant24 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sseq25 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq25 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span svec26 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sboxed27 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 @@ -345,7 +345,7 @@ module M_08_collect_extend__collect [#"08_collect_extend.rs" 44 0 44 52] let%span sresolve21 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span smodel22 = "../../../../creusot-contracts/src/model.rs" 110 8 110 22 let%span svec23 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq24 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq24 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sinvariant25 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sboxed26 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 diff --git a/creusot/tests/should_succeed/knapsack.coma b/creusot/tests/should_succeed/knapsack.coma index 7dd3a4f21..2f83db4b1 100644 --- a/creusot/tests/should_succeed/knapsack.coma +++ b/creusot/tests/should_succeed/knapsack.coma @@ -146,7 +146,7 @@ module M_knapsack__knapsack01_dyn [#"knapsack.rs" 49 0 49 91] let%span svec55 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sinvariant56 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 let%span sinvariant57 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sseq58 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq58 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed59 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.UIntSize diff --git a/creusot/tests/should_succeed/knapsack_full.coma b/creusot/tests/should_succeed/knapsack_full.coma index 0e6106397..88a92da69 100644 --- a/creusot/tests/should_succeed/knapsack_full.coma +++ b/creusot/tests/should_succeed/knapsack_full.coma @@ -408,7 +408,7 @@ module M_knapsack_full__knapsack01_dyn [#"knapsack_full.rs" 86 0 86 91] let%span svec103 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sinvariant104 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 let%span sinvariant105 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sseq106 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq106 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed107 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.UIntSize diff --git a/creusot/tests/should_succeed/linked_list.coma b/creusot/tests/should_succeed/linked_list.coma index 484004290..699904ecb 100644 --- a/creusot/tests/should_succeed/linked_list.coma +++ b/creusot/tests/should_succeed/linked_list.coma @@ -5,8 +5,8 @@ module M_linked_list__qyi14323471455460008969__new [#"linked_list.rs" 72 4 72 27 let%span slinked_list3 = "linked_list.rs" 72 20 72 27 let%span slinked_list4 = "linked_list.rs" 71 14 71 35 let%span sptr5 = "../../../creusot-contracts/src/std/ptr.rs" 121 22 121 44 - let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 421 4 421 34 - let%span sseq7 = "../../../creusot-contracts/src/logic/seq.rs" 419 14 419 36 + let%span sseq6 = "../../../creusot-contracts/src/logic/seq.rs" 431 4 431 34 + let%span sseq7 = "../../../creusot-contracts/src/logic/seq.rs" 429 14 429 36 let%span slinked_list8 = "linked_list.rs" 48 12 48 74 let%span sptr9 = "../../../creusot-contracts/src/std/ptr.rs" 80 14 80 48 let%span sptr10 = "../../../creusot-contracts/src/std/ptr.rs" 82 8 82 30 @@ -14,7 +14,7 @@ module M_linked_list__qyi14323471455460008969__new [#"linked_list.rs" 72 4 72 27 let%span slinked_list12 = "linked_list.rs" 67 4 67 41 let%span slinked_list13 = "linked_list.rs" 26 12 36 69 let%span sboxed14 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - let%span sseq15 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq15 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sptr_own16 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 use prelude.prelude.Opaque @@ -215,9 +215,9 @@ module M_linked_list__qyi14323471455460008969__push_back [#"linked_list.rs" 77 4 let%span sghost26 = "../../../creusot-contracts/src/ghost.rs" 199 22 199 26 let%span sghost27 = "../../../creusot-contracts/src/ghost.rs" 199 4 199 32 let%span sghost28 = "../../../creusot-contracts/src/ghost.rs" 197 14 197 31 - let%span sseq29 = "../../../creusot-contracts/src/logic/seq.rs" 488 32 488 36 - let%span sseq30 = "../../../creusot-contracts/src/logic/seq.rs" 488 38 488 39 - let%span sseq31 = "../../../creusot-contracts/src/logic/seq.rs" 487 14 487 40 + let%span sseq29 = "../../../creusot-contracts/src/logic/seq.rs" 498 32 498 36 + let%span sseq30 = "../../../creusot-contracts/src/logic/seq.rs" 498 38 498 39 + let%span sseq31 = "../../../creusot-contracts/src/logic/seq.rs" 497 14 497 40 let%span sghost32 = "../../../creusot-contracts/src/ghost.rs" 181 15 181 16 let%span sghost33 = "../../../creusot-contracts/src/ghost.rs" 181 4 181 28 let%span sghost34 = "../../../creusot-contracts/src/ghost.rs" 179 14 179 28 @@ -226,20 +226,20 @@ module M_linked_list__qyi14323471455460008969__push_back [#"linked_list.rs" 77 4 let%span sghost37 = "../../../creusot-contracts/src/ghost.rs" 69 14 69 18 let%span sghost38 = "../../../creusot-contracts/src/ghost.rs" 69 4 69 36 let%span sghost39 = "../../../creusot-contracts/src/ghost.rs" 68 14 68 35 - let%span sseq40 = "../../../creusot-contracts/src/logic/seq.rs" 445 22 445 26 - let%span sseq41 = "../../../creusot-contracts/src/logic/seq.rs" 444 14 444 34 + let%span sseq40 = "../../../creusot-contracts/src/logic/seq.rs" 455 22 455 26 + let%span sseq41 = "../../../creusot-contracts/src/logic/seq.rs" 454 14 454 34 let%span slinked_list42 = "linked_list.rs" 56 10 56 25 - let%span sseq43 = "../../../creusot-contracts/src/logic/seq.rs" 547 30 547 34 - let%span sseq44 = "../../../creusot-contracts/src/logic/seq.rs" 547 4 547 65 - let%span sseq45 = "../../../creusot-contracts/src/logic/seq.rs" 541 14 544 5 - let%span sseq46 = "../../../creusot-contracts/src/logic/seq.rs" 545 14 545 84 - let%span sseq47 = "../../../creusot-contracts/src/logic/seq.rs" 546 14 546 44 + let%span sseq43 = "../../../creusot-contracts/src/logic/seq.rs" 557 30 557 34 + let%span sseq44 = "../../../creusot-contracts/src/logic/seq.rs" 557 4 557 65 + let%span sseq45 = "../../../creusot-contracts/src/logic/seq.rs" 551 14 554 5 + let%span sseq46 = "../../../creusot-contracts/src/logic/seq.rs" 555 14 555 84 + let%span sseq47 = "../../../creusot-contracts/src/logic/seq.rs" 556 14 556 44 let%span soption48 = "../../../creusot-contracts/src/std/option.rs" 31 0 423 1 let%span slinked_list49 = "linked_list.rs" 67 4 67 41 let%span sinvariant50 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sseq51 = "../../../creusot-contracts/src/logic/seq.rs" 80 4 80 12 let%span sboxed52 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 - let%span sseq53 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq53 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sresolve54 = "../../../creusot-contracts/src/resolve.rs" 68 8 68 23 let%span sptr_own55 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 let%span sinvariant56 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 @@ -976,9 +976,9 @@ module M_linked_list__qyi14323471455460008969__push_front [#"linked_list.rs" 100 let%span sghost18 = "../../../creusot-contracts/src/ghost.rs" 199 22 199 26 let%span sghost19 = "../../../creusot-contracts/src/ghost.rs" 199 4 199 32 let%span sghost20 = "../../../creusot-contracts/src/ghost.rs" 197 14 197 31 - let%span sseq21 = "../../../creusot-contracts/src/logic/seq.rs" 466 33 466 37 - let%span sseq22 = "../../../creusot-contracts/src/logic/seq.rs" 466 39 466 40 - let%span sseq23 = "../../../creusot-contracts/src/logic/seq.rs" 465 14 465 41 + let%span sseq21 = "../../../creusot-contracts/src/logic/seq.rs" 476 33 476 37 + let%span sseq22 = "../../../creusot-contracts/src/logic/seq.rs" 476 39 476 40 + let%span sseq23 = "../../../creusot-contracts/src/logic/seq.rs" 475 14 475 41 let%span sghost24 = "../../../creusot-contracts/src/ghost.rs" 181 15 181 16 let%span sghost25 = "../../../creusot-contracts/src/ghost.rs" 181 4 181 28 let%span sghost26 = "../../../creusot-contracts/src/ghost.rs" 179 14 179 28 @@ -986,7 +986,7 @@ module M_linked_list__qyi14323471455460008969__push_front [#"linked_list.rs" 100 let%span sresolve28 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span slinked_list29 = "linked_list.rs" 67 4 67 41 let%span sinvariant30 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sseq31 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq31 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sresolve32 = "../../../creusot-contracts/src/resolve.rs" 68 8 68 23 let%span sboxed33 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 let%span sptr_own34 = "../../../creusot-contracts/src/ptr_own.rs" 44 20 44 66 diff --git a/creusot/tests/should_succeed/selection_sort_generic.coma b/creusot/tests/should_succeed/selection_sort_generic.coma index 4efd70dba..3a397dfc7 100644 --- a/creusot/tests/should_succeed/selection_sort_generic.coma +++ b/creusot/tests/should_succeed/selection_sort_generic.coma @@ -74,7 +74,7 @@ module M_selection_sort_generic__selection_sort [#"selection_sort_generic.rs" 30 let%span sslice72 = "../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 let%span sinvariant73 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sinvariant74 = "../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq75 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq75 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed76 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Snapshot diff --git a/creusot/tests/should_succeed/slices/01.coma b/creusot/tests/should_succeed/slices/01.coma index 783e2e70b..cc2a4f000 100644 --- a/creusot/tests/should_succeed/slices/01.coma +++ b/creusot/tests/should_succeed/slices/01.coma @@ -157,7 +157,7 @@ module M_01__slice_first [#"01.rs" 20 0 20 44] let%span sslice10 = "../../../../creusot-contracts/src/std/slice.rs" 29 14 29 42 let%span sinvariant11 = "../../../../creusot-contracts/src/invariant.rs" 24 8 24 18 let%span sslice12 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 - let%span sseq13 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq13 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed14 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow diff --git a/creusot/tests/should_succeed/sparse_array.coma b/creusot/tests/should_succeed/sparse_array.coma index 1f3157eeb..b15308e89 100644 --- a/creusot/tests/should_succeed/sparse_array.coma +++ b/creusot/tests/should_succeed/sparse_array.coma @@ -13,7 +13,7 @@ module M_sparse_array__qyi13879026616235705248__resolve_coherence [#"sparse_arra let%span svec11 = "../../../creusot-contracts/src/std/vec.rs" 18 14 18 41 let%span ssparse_array12 = "sparse_array.rs" 68 12 76 17 let%span svec13 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq14 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq14 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed15 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow @@ -227,7 +227,7 @@ module M_sparse_array__qyi912363311032332466__get [#"sparse_array.rs" 105 4 105 let%span sindex14 = "../../../creusot-contracts/src/logic/ops/index.rs" 27 8 27 31 let%span ssparse_array15 = "sparse_array.rs" 68 12 76 17 let%span svec16 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq17 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq17 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed18 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.UIntSize @@ -514,7 +514,7 @@ module M_sparse_array__qyi912363311032332466__lemma_permutation [#"sparse_array. let%span ssparse_array7 = "sparse_array.rs" 68 12 76 17 let%span svec8 = "../../../creusot-contracts/src/std/vec.rs" 18 14 18 41 let%span svec9 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq10 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq10 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed11 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.UIntSize @@ -681,7 +681,7 @@ module M_sparse_array__qyi912363311032332466__set [#"sparse_array.rs" 129 4 129 let%span svec31 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sinvariant32 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span ssparse_array33 = "sparse_array.rs" 68 12 76 17 - let%span sseq34 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq34 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed35 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow @@ -1098,7 +1098,7 @@ module M_sparse_array__create [#"sparse_array.rs" 151 0 151 56] let%span ssparse_array12 = "sparse_array.rs" 89 20 90 52 let%span ssparse_array13 = "sparse_array.rs" 68 12 76 17 let%span svec14 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq15 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq15 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed16 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 type t_T'0 @@ -1679,7 +1679,7 @@ module M_sparse_array__qyi13879026616235705248__resolve_coherence__refines [#"sp let%span svec8 = "../../../creusot-contracts/src/std/vec.rs" 18 14 18 41 let%span ssparse_array9 = "sparse_array.rs" 68 12 76 17 let%span svec10 = "../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq11 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq11 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed12 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow diff --git a/creusot/tests/should_succeed/sparse_array/why3session.xml b/creusot/tests/should_succeed/sparse_array/why3session.xml index c438d10e8..ad69af784 100644 --- a/creusot/tests/should_succeed/sparse_array/why3session.xml +++ b/creusot/tests/should_succeed/sparse_array/why3session.xml @@ -4,13 +4,13 @@ - + - + @@ -38,7 +38,7 @@ - + @@ -62,14 +62,12 @@ - - @@ -80,7 +78,6 @@ - @@ -95,7 +92,7 @@ - + @@ -103,7 +100,6 @@ - @@ -112,8 +108,7 @@ - - + @@ -132,19 +127,17 @@ - + - - @@ -157,12 +150,12 @@ - + - + diff --git a/creusot/tests/should_succeed/sparse_array/why3shapes.gz b/creusot/tests/should_succeed/sparse_array/why3shapes.gz index 2a742f7004c030a06158d534a3400ed527678d71..aa6aaafaf87a884ab6895e27aa7302c3bbec27b1 100644 GIT binary patch literal 3482 zcmV;L4Q28liwFP!00000|Lq#fZW}rBuCEZV2k*{aSbTGl03!q|(1*<)W+2Q>VDphE zqt9X9_3*xpn%hmPP-7Wt!`{jbn4`Ap54q;Z;cW%9M*V_xepr7+& zUd+p)55N|z0l>w)EcyU+!5aWv%*$f(rd?^bUHQU8cp4<8ny!N5UZ~gXm?XH$Xj0ZvHllbw|_V;D& zjSbjHSbn?K`6T*lwAi2H zn!HH`3$_Is?%lh%ZETOEO>6uGMPXkb`=~=+&}LU%z>Yf=m+rmWEbrXaZ4E-&!0l|Z zY(Cr6RBQM~2P*0vw5)D!ufyhH)L9#Sv@z_37zev_uNRcNpVzl>wlmz}=O6K*xY; z>FA4Ejuy+k>M*)owv+I>rulg%-oDMqq3WyfTWd1tOa}WVJAt)h0lYe`l=KW*M)xMY~lUo5$V{ zOYr&TxqQ&rvz=RpQO3rahkkW!dmf;rw&&Hby3(!y)2;y1Vbx+KQdo%;HVkH7Isslf z0baTTQNl|M%Q}>@PD@qCMM09Kj>}xf_mq}7y2o1)RjRk@sy8{Sdh@P&>#ln1z3NT7 z>dm_9omc&Mz_Of6cM}e;^74pZ5wJv>J_r{4a17zHh^0D(O-?@Ds=S4q`R2Q2vjJIe zGh!*3bh!}zo;#_Mq(_w$H(+Wz1$ABi2OzSf1=fv86b6>aHI z+b$m2Wo+mm$nSos<4(G~o21-_F zEf077`|`^DeEaDtl3DBY!*_rA{>gpc^GChOdb{?x93wkD5i!+?yl*IMky~ zHE_fo;Q44fBA%3d9)4QWu+e7a>DcXc;N$FML!=*cY@`W)4)J>Y_iJM-)!;k(Cv-z; z9L5`+vA`VIXSXZa=?EOzEHx=QBHSalHJsj0r;}4_sfPt_w>P-XilX$iC)f|S(N zyCTwWJKR6dZ<9Ps@OOL{*VCK3xK39$_mf@A-Ov_aNbu|Cf9SZLXW!mV99r=SX8R|U z<#1TtofqbB<#wmiY&H(OV5)yoS-+^~W_;h#$%8XK4-f3}Y*UZTOwDKG-ymdR_K_~X z%76>X7fhZoTn#`Mj28)VIOFfxqvPk%EPH3(h<`fTGg1ll{-Nv_pk0pd?i>b0C&yBU({7KSct;SLP9x(hV0rx!O#pT)cG$VZ%))*cwLOBtHav})BLpfT` z8EH9Zq{DN@v4iyP$`dc=czk!ANt8oOF>+f=9-KXvTWUat_Gr!-)$q{0yUEjCpDewd`4@b-+X}C~25ba=?U=F(z_^i9F7v))A9F@R|!8a)ARb2rc%xAZM|= z|Hr$l9=tnxg>r=s7bDl@My`JxT#Y-tQuk&%7DH?pLk}FsL%GXF%V{_+dYAl2cXYjf zybWaslpB(~z9IQ~K~)!bv-~J`VfbeF@##xNbQiMTWYi-cbyRkAPk@%YYyB&8v^_0n zxI#a^+QIL|m!1`W>qZxOzAo~(F7kX`)kkHq_3&yG!=bK$%9_wkMP=|F7kX`ic%&L6{1zD0*6RcSjsI$6ly70N-P))NK9Ff z7K8f7I!5QYD zBFZ=}lu1RTvuL3lN;4@vK^FrgV9t@?1d?)^YnDS5F@&&!TfwZLR)7`6a$`9Lk+NJ` zj)BZAXO>gTVWMSHLNSB!gTbC?1%x`nWKbxp3poS?lEmN23i)NUarly4QxapqP(|M= zh%%u$EA1o=aw@5nxVOmTSvanvG(H)vQUXDuQJ9E`BZLav#&IgSmF#P|C~rd4-eHz- z+A+o|nnb94h?OD~^i)bK#S<_RUVxI0IvI$N9ybu~OCw@sOrTpV`QUqTWG1e2=9+)AAek~yNi3{fBEVFK|a1QM!>VM8}H#u{ynvPN1X{s0LvjcZ*c6v=b1Lc(m0k3K^3-lzam zEV$TI0{$m|fOsJ(Wg>2PW|&U`C8FR1BR~{4pf!qz-73L$m0-V0*fR&c0ub0=1&>X< z$5N}MDjl zn*@!b8JrxLFosYpX1N=|%<jbII_9bKxuM6BZ%h)N1`~wA;+LHYc}V*vgsmc@kX)!t#GXZB>?Q1S zLv$Xf$B{OBI}erLioh;n<_O-ihd&JFlas5}&z6eTvTBUS$U&z~FN3}(MK_%4)EA%9DeSQM28oLck1?;NJ8=p$#Y{z8qR4h(f*C=<)ygQ2_( z>-5uU$8LuBL($Qn2zb5xe0vP@6@58A`6 I*H}UT01=bI{r~^~ literal 3437 zcmV-z4U+O7iwFP!00000|Lr=d3^s5Iv%Y_Fo3*>&-S7rK zmdCPK*2NHj8rlO;L(94t0${`U0NC(lUCiEeEA4ixzkP6D$SKh1X4%&eN3)pyiD^$nbez#BXfVOO0_)#-GC zCmMb!a%AtfgX4}oCmPv-utqNX)j0mt9z-{4Sr@ZWc<4QVX!No!#_?zN0J1U5y6ECh zH$YPX2y7UE)BxL)Pz`j(Evus-lzkA&J_zOP&Cb19{q%5O+_Yy7+Pzu*?cse1p$1e9 zZcxj9HG7jQ7VIiCd~!dh-QM=B0n-`3LAG$O&;8URH@M$bH*nyN;?})&+tri1du%~i z7r4DmR{P(!E!7r&uLFv92d(_W<9*ydkGklh5BG+>5z}C|?sbFQ{eAP876-$9y$SYY z4*Ku?(Q#Y4yKNe9zICsAWIB*(A&Lec51`AT{aAz0ZR&w`-i2Q}>(OmZpfs}HGl;$I zIt6eFsFe=CtL3m-?p2S`=dy!@_bttj2l0+=#!gjV$A5MvgWhCtY_bb@$I*rpFhjA~ zD6j2*?KZGEP1)>n#iUv>sa8xHS4^xG6Ki(Gam9pMF`-sW=qn~%Q88J~ysRc(R`Twv z*MYh9%)N5!Q#Wnb|LO}#iT|Ph+PCLm54EY_<>X$wzcc_1^hM26oG zTeq=!?)|s~UvHkO;kwW8O z=Cu>xwG-gAI}kOz#JH?OE$djTIySN*$y&!{spCgV%M#twt%$1CTlLkOT~)n#U%ho- zz4cM`#=d$}U%ks}7!M7oQo8ry@Tx4&__YC5BTb(KO9N^O;kJsUdWB6%KK-h`g_8M} zhvj|)(qJ=!dz$sR&8^3&YqV)kORx)%n@zgkjllBye!t|-KWsJ+pHjSe|I2gO1;bY2G_z)-?(1Az-_lg6xZeTh}J! z8wk2dA0OA7w4HS&Ws|m#ce~lJn7usz9`XV=YAKYzyB@3?4OZ!H`{`}kd>h#g+{->0 zC9l0W!&&I%Tv7`m!jNY3>C^60)&D3)-VA0x#IsnPV~2u1jqK{y@z}yQa3y@3@{aqE z@qTM#?aYSgetUKgK=m`fhSxZzRVOSA!|Y0e2h=|GbZ@5X@eudpgn7FD;4~kJ1E-`iyFw& zJM_ns_vrh{5N4v(ZPRX^?zfMdw4MKnbxrWQ5~c5^z<+YD-MhYa&W5AWh|{}aSG#{R zW(8+)%TRfQTt>s6+VQeyU3yuh2@$*20%>_(y1w?;N#8wAk8Q>ozE}Z!v7*q@GgqbJ0$PyZcMNf?oUydF8*N%s~|8;fe{{HykF0n=D^wW2L`2NLxKk!Gp$p*Xjyc`odc|sBBCh7G< z*W8;k{y5d6O*L@F9T50rJ0f0`d>MW^)6itI@^b8sI`C~q+abU6YiHcLwiCxrXLZ4HZw_=|X_;`>0VX_I69i_F;HJRMoVYs3BWWxKy_*2Fo*l;pw<5fxf zKiNd*%FB8jbB7`_Y&+clT;C=In62-3>F2bWKRl&PzI*sIJG9(;+Tt?_e%<^JJ=g2( zJJ^Y1E55*N|AMld4y%Xr!tzz_a4JoUY2b#`@T9VR(az1J4s^=kOzP;suFN*=*i34< znErxLggHjK{VD@C$QzOu4A%l+L%d2*!nr}d_~Q8aVwQt5Z<5bMdqJw9K0K8D47A(n z-Ce?9FBgd-7m3^B>{vwq{M^{8&0i!fwrZT!?-|2i67a|)LEK(lPYcrT!W!eFMW`o& zP)`J5d?<(YoDu6eBaY7*rw-ElD^I+ha$r+hc#usK$rx z{Y{?!B99tny<-|c<%m!;AiJZ*!|jT}@nQqipC&HrJ&X&4ZtLfk)!oC->(E{&YQTg& zRdY(!ERQ!Cwuh7zuHL`^)v>2S>x7AHknNcuJ7I!siiwuESP zW^l=m^+(so$JZu&)UI49k z*M?W-usbcM21`i3I=~;rmtItV>%A`WdR^psUF7w;$SGaSP#4+jA}{J9dtGGfCNcIJ zKk}OR0@^yD z4UfD=U*I)y-fQA{ugzu{Tuw|tj7gBxi6xeuLXDCu$wHoMtE{xba!VF1ST+mZWbov3 zU@RdCh+YE=s14@qb3p+Z;xKDwfrNq_bL3oytfNm-W|mYy?Ue^N*A|6EZjmgaMX<;$ z7z^5hvLG!83)})(z*&+aDz7t36iqOaE60?~5fo<}y_##wnI&e?SkxAkMQPbAGRZU( z=$&SclmtmiWTuU05LGN_WGrz@WC<<7DG5O?n8ag@;DcAhc+?T2r%Wm`Z>}JrGI-52 zBtscRQa%aCFewyCDs6N}LR_YTGNE9cyC6_Al*wswMmm!Ty$>`eWl26u#vn67WG)jJ zPl+HP^M+V3k|N4#k}C*>c zGi4kX%H%52RkQ?)N|TgRIcN01&@qxxiRfG`As~zu+6rZb{5;wuo#Yx>N>MWHf>4lT zc7l2BBt|)xXeC(5zMO^QI!P0<(JE&UEE$F9m}3lu2A1ZMTS;HbMFkU+4vu_w+7Xe* zETRuFdBqU)TuLj&3osHvfRYZKj7-R&wDG|kk-RZpX^eA4R-sj36|>SCY6x>CZfXBe+N?WC@lHY{8 zI5Q5IjugFQp%Y(&yNhXgqUqaw_Km8KFbF!mdW7qe0(p<-kx zWMNc92$2{t#SLgZ2PQ2rVS#ZAjJ|QuD*yo)V_*V;cBG}`QI-xnN`7XU-Zt+&fi`J)KzlHw+YK*=!*UU82pXu}*3 z$c$kQC@dhifMxte3kVjJy<{Gk@}aBOfcnSRB}k!3Q|92a&(8G~ac^GtxQ1hnAJ`BaGT@(qn!;ADZL1r8QCvp~iI P>Dj*l+QY5aSV8~*+)cZI diff --git a/creusot/tests/should_succeed/take_first_mut.coma b/creusot/tests/should_succeed/take_first_mut.coma index 2675be451..1a5bff38a 100644 --- a/creusot/tests/should_succeed/take_first_mut.coma +++ b/creusot/tests/should_succeed/take_first_mut.coma @@ -14,7 +14,7 @@ module M_take_first_mut__take_first_mut [#"take_first_mut.rs" 14 0 14 74] let%span sresolve12 = "../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span sinvariant13 = "../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sslice14 = "../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 - let%span sseq15 = "../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq15 = "../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed16 = "../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow diff --git a/creusot/tests/should_succeed/traits/16_impl_cloning.coma b/creusot/tests/should_succeed/traits/16_impl_cloning.coma index 3a2eea5c9..1742955d5 100644 --- a/creusot/tests/should_succeed/traits/16_impl_cloning.coma +++ b/creusot/tests/should_succeed/traits/16_impl_cloning.coma @@ -6,7 +6,7 @@ module M_16_impl_cloning__test [#"16_impl_cloning.rs" 16 0 16 30] let%span sinvariant4 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span svec5 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span svec6 = "../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41 - let%span sseq7 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq7 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed8 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow diff --git a/creusot/tests/should_succeed/type_invariants/vec_inv.coma b/creusot/tests/should_succeed/type_invariants/vec_inv.coma index f409ef5a3..9e3d550bc 100644 --- a/creusot/tests/should_succeed/type_invariants/vec_inv.coma +++ b/creusot/tests/should_succeed/type_invariants/vec_inv.coma @@ -7,7 +7,7 @@ module M_vec_inv__vec [#"vec_inv.rs" 18 0 18 32] let%span svec5 = "../../../../creusot-contracts/src/std/vec.rs" 49 20 49 83 let%span svec6 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sresolve7 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 - let%span sseq8 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq8 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed9 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 let%span sinvariant10 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span svec_inv11 = "vec_inv.rs" 13 20 13 43 diff --git a/creusot/tests/should_succeed/vector/02_gnome.coma b/creusot/tests/should_succeed/vector/02_gnome.coma index abef160bf..fbef0a055 100644 --- a/creusot/tests/should_succeed/vector/02_gnome.coma +++ b/creusot/tests/should_succeed/vector/02_gnome.coma @@ -54,7 +54,7 @@ module M_02_gnome__gnome_sort [#"02_gnome.rs" 22 0 24 29] let%span sslice52 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 let%span sinvariant53 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sinvariant54 = "../../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq55 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq55 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed56 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Snapshot diff --git a/creusot/tests/should_succeed/vector/03_knuth_shuffle.coma b/creusot/tests/should_succeed/vector/03_knuth_shuffle.coma index 39fbc17b1..3017bc95e 100644 --- a/creusot/tests/should_succeed/vector/03_knuth_shuffle.coma +++ b/creusot/tests/should_succeed/vector/03_knuth_shuffle.coma @@ -41,7 +41,7 @@ module M_03_knuth_shuffle__knuth_shuffle [#"03_knuth_shuffle.rs" 13 0 13 39] let%span sslice39 = "../../../../creusot-contracts/src/std/slice.rs" 18 20 18 30 let%span sinvariant40 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sinvariant41 = "../../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq42 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq42 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed43 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Snapshot diff --git a/creusot/tests/should_succeed/vector/05_binary_search_generic.coma b/creusot/tests/should_succeed/vector/05_binary_search_generic.coma index b91900894..ab275ff98 100644 --- a/creusot/tests/should_succeed/vector/05_binary_search_generic.coma +++ b/creusot/tests/should_succeed/vector/05_binary_search_generic.coma @@ -46,7 +46,7 @@ module M_05_binary_search_generic__binary_search [#"05_binary_search_generic.rs" let%span sindex44 = "../../../../creusot-contracts/src/logic/ops/index.rs" 27 8 27 31 let%span sinvariant45 = "../../../../creusot-contracts/src/invariant.rs" 24 8 24 18 let%span svec46 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 - let%span sseq47 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq47 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed48 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow diff --git a/creusot/tests/should_succeed/vector/07_read_write.coma b/creusot/tests/should_succeed/vector/07_read_write.coma index 44666face..025e575c5 100644 --- a/creusot/tests/should_succeed/vector/07_read_write.coma +++ b/creusot/tests/should_succeed/vector/07_read_write.coma @@ -22,7 +22,7 @@ module M_07_read_write__read_write [#"07_read_write.rs" 6 0 6 75] let%span svec20 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sinvariant21 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 let%span sinvariant22 = "../../../../creusot-contracts/src/invariant.rs" 24 8 24 18 - let%span sseq23 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq23 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed24 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow diff --git a/creusot/tests/should_succeed/vector/09_capacity.coma b/creusot/tests/should_succeed/vector/09_capacity.coma index 56392b3f0..33fb8df27 100644 --- a/creusot/tests/should_succeed/vector/09_capacity.coma +++ b/creusot/tests/should_succeed/vector/09_capacity.coma @@ -15,7 +15,7 @@ module M_09_capacity__change_capacity [#"09_capacity.rs" 6 0 6 41] let%span sresolve13 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span svec14 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sinvariant15 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sseq16 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq16 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed17 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow @@ -191,7 +191,7 @@ module M_09_capacity__clear_vec [#"09_capacity.rs" 14 0 14 35] let%span sresolve4 = "../../../../creusot-contracts/src/resolve.rs" 54 20 54 34 let%span svec5 = "../../../../creusot-contracts/src/std/vec.rs" 65 20 65 41 let%span sinvariant6 = "../../../../creusot-contracts/src/invariant.rs" 34 20 34 44 - let%span sseq7 = "../../../../creusot-contracts/src/logic/seq.rs" 623 20 623 95 + let%span sseq7 = "../../../../creusot-contracts/src/logic/seq.rs" 633 20 633 95 let%span sboxed8 = "../../../../creusot-contracts/src/std/boxed.rs" 28 8 28 18 use prelude.prelude.Borrow