diff --git a/creusot/src/backend/clone_map/elaborator.rs b/creusot/src/backend/clone_map/elaborator.rs index bc5982c441..5d6ac35cc8 100644 --- a/creusot/src/backend/clone_map/elaborator.rs +++ b/creusot/src/backend/clone_map/elaborator.rs @@ -18,7 +18,7 @@ use crate::{ dependency::HackedId, logic::{lower_logical_defn, lower_pure_defn, sigs, spec_axiom}, signature::sig_to_why3, - term::{lower_impure, lower_pure}, + term::lower_pure, ty_inv::InvariantElaborator, TransId, Why3Generator, }, @@ -183,7 +183,7 @@ impl<'tcx> SymbolElaborator<'tcx> { let span = ctx.def_span(def_id); let res = crate::constant::from_ty_const(&mut ctx.ctx, constant, param_env, span); - let res = lower_impure(ctx, names, &res); + let res = lower_pure(ctx, names, &res); vec![Decl::Let(LetDecl { kind: Some(LetKind::Constant), diff --git a/creusot/src/backend/constant.rs b/creusot/src/backend/constant.rs index 1ec964b1ef..28e8cad3f1 100644 --- a/creusot/src/backend/constant.rs +++ b/creusot/src/backend/constant.rs @@ -6,7 +6,7 @@ use crate::{ctx::TranslatedItem, translation::constant::from_ty_const}; use super::{ clone_map::{CloneMap, CloneSummary}, signature::signature_of, - term::lower_impure, + term::lower_pure, CloneDepth, Why3Generator, }; @@ -27,7 +27,7 @@ impl<'tcx> Why3Generator<'tcx> { let span = self.def_span(def_id); let res = from_ty_const(&mut self.ctx, constant, param_env, span); let mut names = CloneMap::new(self.tcx, def_id.into()); - let _ = lower_impure(self, &mut names, &res); + let _ = lower_pure(self, &mut names, &res); let _ = signature_of(self, &mut names, def_id); let (_, summary) = names.to_clones(self, CloneDepth::Shallow); diff --git a/creusot/src/backend/logic.rs b/creusot/src/backend/logic.rs index bc2d8f60d5..6a149bf2cb 100644 --- a/creusot/src/backend/logic.rs +++ b/creusot/src/backend/logic.rs 
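Review bot: Swapping `lower_impure` for `lower_pure` in `SymbolElaborator` (and likewise in the constant.rs hunk on this line and the `Operand::Constant` arm in program.rs) changes more than the purity mode: `lower_pure` ends with `ctx.attach_span(span, term)`, which the deleted `lower_impure` never did. If `attach_span` wraps the expression in a span attribute the way `Expr::to_why` already does for non-`DUMMY_SP` spans, program constants may now carry two span attributes. If that is intended, a one-line comment at the call site such as `// span attribution is done inside lower_pure` would make it explicit; otherwise a span-free entry point is still needed. The enclosing methods start and end outside these hunks.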
@@ -82,9 +82,9 @@ fn builtin_body<'tcx>( // Program symbol (for proofs) let mut val_sig = sig.clone(); - let val_args: Vec<_> = val_args.into_iter().map(|id| Exp::pure_var(id)).collect(); + let val_args: Vec<_> = val_args.into_iter().map(|id| Exp::var(id)).collect(); val_sig.contract.ensures = - vec![Exp::pure_var("result").eq(Exp::pure_var(val_sig.name.clone()).app(val_args.clone()))]; + vec![Exp::var("result").eq(Exp::var(val_sig.name.clone()).app(val_args.clone()))]; if util::is_predicate(ctx.tcx, def_id) { sig.retty = None; @@ -101,7 +101,7 @@ fn builtin_body<'tcx>( decls.extend(clones); if !builtin.module.is_empty() { - let body = Exp::pure_qvar(builtin.without_search_path()).app(val_args); + let body = Exp::qvar(builtin.without_search_path()).app(val_args); if util::is_predicate(ctx.tcx, def_id) { decls.push(Decl::PredDecl(Predicate { sig, body })); @@ -127,12 +127,12 @@ pub(crate) fn val_decl<'tcx, N: Namer<'tcx>>( sig.contract.variant = Vec::new(); let (val_args, val_binders) = binders_to_args(ctx, sig.args); - let val_args: Vec<_> = val_args.into_iter().map(|id| Exp::pure_var(id)).collect(); + let val_args: Vec<_> = val_args.into_iter().map(|id| Exp::var(id)).collect(); sig.contract .ensures // = vec!(Exp::pure_var("result".into()).eq(Exp::pure_var(sig.name.clone()).app(val_args))); - .push(Exp::pure_var("result").eq(Exp::pure_var(sig.name.clone()).app(val_args))); + .push(Exp::var("result").eq(Exp::var(sig.name.clone()).app(val_args))); sig.args = val_binders; Decl::ValDecl(ValDecl { sig, ghost: false, val: true, kind: None }) } 
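Review bot: The commented-out line `// = vec!(Exp::pure_var("result".into()).eq(Exp::pure_var(sig.name.clone()).app(val_args)));` in `val_decl` survives the `@@ -127` hunk and now names a constructor this commit deletes; it should be dropped rather than outlive the API it mirrors. As a point of style, the closures `.map(|id| Exp::var(id))` in both hunks here (and the same shape in the `sigs`, `function_call` and place.rs hunks) can be written `.map(Exp::var)`, which is what clippy's `redundant_closure` will flag. `builtin_body` and `val_decl` both continue outside their hunks.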
@@ -255,12 +255,12 @@ pub fn sigs<'tcx>(ctx: &mut Why3Generator<'tcx>, mut sig: Signature) -> (Signatu contract.variant = Vec::new(); prog_sig.contract = contract; let (val_args, val_binders) = binders_to_args(ctx, prog_sig.args); - let val_args: Vec<_> = val_args.into_iter().map(|id| Exp::pure_var(id)).collect(); + let val_args: Vec<_> = val_args.into_iter().map(|id| Exp::var(id)).collect(); prog_sig.args = val_binders; prog_sig.contract.ensures = - vec![Exp::pure_var("result").eq(Exp::pure_var(sig.name.clone()).app(val_args))]; + vec![Exp::var("result").eq(Exp::var(sig.name.clone()).app(val_args))]; (sig, prog_sig) } @@ -281,8 +281,8 @@ fn subst_qname(body: &mut Exp, name: &Ident, lim_name: &Ident) { impl<'a> ExpMutVisitor for QNameSubst<'a> { fn visit_mut(&mut self, exp: &mut Exp) { match exp { - Exp::QVar(qname, _) if qname.module.is_empty() && &qname.name == self.0 => { - *exp = Exp::pure_var(self.1.clone()) + Exp::QVar(qname) if qname.module.is_empty() && &qname.name == self.0 => { + *exp = Exp::var(self.1.clone()) } _ => super_visit_mut(self, exp), } @@ -420,13 +420,13 @@ fn function_call(sig: &Signature) -> Exp { .cloned() .flat_map(|b| b.var_type_pairs()) .filter(|arg| &*arg.0 != "_") - .map(|arg| Exp::pure_var(arg.0)) + .map(|arg| Exp::var(arg.0)) .collect(); if args.is_empty() { args = vec![Exp::Tuple(vec![])]; } - Exp::pure_var(sig.name.clone()).app(args) + Exp::var(sig.name.clone()).app(args) } fn definition_axiom(sig: &Signature, body: Exp, suffix: &str) -> Axiom { diff --git a/creusot/src/backend/logic/vcgen.rs b/creusot/src/backend/logic/vcgen.rs index 3b613fdd02..6fc3b55a94 100644 --- a/creusot/src/backend/logic/vcgen.rs +++ b/creusot/src/backend/logic/vcgen.rs 
@@ -6,7 +6,7 @@ use std::{ use rustc_hir::def_id::DefId; use rustc_middle::ty::{EarlyBinder, GenericArgsRef, ParamEnv, Ty, TyKind}; use rustc_span::{Span, Symbol}; -use why3::{declaration::Signature, exp::Purity, ty::Type, Exp, Ident, QName}; +use why3::{declaration::Signature, ty::Type, Exp, Ident, QName}; use crate::{ backend::{ @@ -216,7 +216,7 @@ impl<'a, 'tcx> VCGen<'a, 'tcx> { use crate::pearlite::*; match &t.kind { // VC(v, Q) = Q(v) - TermKind::Var(v) => k(Exp::pure_var(util::ident_of(*v))), + TermKind::Var(v) => k(Exp::var(util::ident_of(*v))), // VC(l, Q) = Q(l) TermKind::Lit(l) => k(self.lower_literal(l)), // Items are just global names so @@ -227,9 +227,9 @@ impl<'a, 'tcx> VCGen<'a, 'tcx> { if get_builtin(self.ctx.borrow().tcx, *id).is_some() { // Builtins can leverage Why3 polymorphism and sometimes can cause typeck errors in why3 due to ambiguous type variables so lets fix the type now. - k(Exp::pure_qvar(item_name).ascribe(self.ty(t.ty))) + k(Exp::qvar(item_name).ascribe(self.ty(t.ty))) } else { - k(Exp::pure_qvar(item_name)) + k(Exp::qvar(item_name)) } } // VC(assert { C }, Q) => VC(C, |c| c && Q(())) @@ -259,7 +259,7 @@ impl<'a, 'tcx> VCGen<'a, 'tcx> { let variant = if *id == self.self_id { self.build_variant(&args)? } else { Exp::mk_true() }; - let call = Exp::pure_qvar(fname).app(args); + let call = Exp::qvar(fname).app(args); sig.contract.subst(&[("result".into(), call.clone())].into_iter().collect()); let inner = k(call)?; 
@@ -283,15 +283,11 @@ impl<'a, 'tcx> VCGen<'a, 'tcx> { // Ok(Exp::if_(lhs, k(Exp::mk_true())?, self.build_vc(rhs, k)?,)) // }), BinOp::Div => self.build_vc(&lhs, &|lhs| { - self.build_vc(rhs, &|rhs| k(Exp::pure_var("div").app(vec![lhs.clone(), rhs]))) + self.build_vc(rhs, &|rhs| k(Exp::var("div").app(vec![lhs.clone(), rhs]))) }), _ => self.build_vc(&lhs, &|lhs| { self.build_vc(rhs, &|rhs| { - k(Exp::BinaryOp( - binop_to_binop(*op, Purity::Logic), - Box::new(lhs.clone()), - Box::new(rhs), - )) + k(Exp::BinaryOp(binop_to_binop(*op), Box::new(lhs.clone()), Box::new(rhs))) }) }), }, @@ -383,7 +379,7 @@ impl<'a, 'tcx> VCGen<'a, 'tcx> { k => unreachable!("Projection from {k:?}"), }; - self.build_vc(lhs, &|lhs| k(Exp::pure_qvar(accessor.clone()).app(vec![lhs]))) + self.build_vc(lhs, &|lhs| k(Exp::qvar(accessor.clone()).app(vec![lhs]))) } // TODO: lol TermKind::Absurd => todo!("absrd"), diff --git a/creusot/src/backend/place.rs b/creusot/src/backend/place.rs index 4d32c1935e..69ab7de126 100644 --- a/creusot/src/backend/place.rs +++ b/creusot/src/backend/place.rs @@ -103,8 +103,7 @@ fn create_assign_rec<'tcx>( let varnames = freshvars.take(variant.fields.len()).collect::>(); let field_pats = varnames.clone().into_iter().map(|x| VarP(x)).collect(); - let mut varexps: Vec = - varnames.into_iter().map(|x| Exp::impure_var(x)).collect(); + let mut varexps: Vec = varnames.into_iter().map(|x| Exp::var(x)).collect(); varexps[ix.as_usize()] = inner; @@ -118,8 +117,7 @@ fn create_assign_rec<'tcx>( TyKind::Tuple(fields) => { let varnames = freshvars.take(fields.len()).collect::>(); let field_pats = varnames.clone().into_iter().map(|x| VarP(x.into())).collect(); - let mut varexps: Vec = - varnames.into_iter().map(|x| Exp::impure_var(x.into())).collect(); + let mut varexps: Vec = varnames.into_iter().map(|x| Exp::var(x)).collect(); varexps[ix.as_usize()] = inner; 
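Review bot: As far as this hunk shows, `BinOp::Rem` still falls through to the `_` arm and reaches `binop_to_binop(*op)`, which this commit maps to `todo!(...)` for `Rem` and `Div`; a `%` in a logic function body therefore panics the backend instead of lowering, whereas `Lower::lower_term` in term.rs handles the same case with `Exp::var("mod")`. Mirroring the `Div` arm closes the gap: `BinOp::Rem => self.build_vc(&lhs, &|lhs| {` / `self.build_vc(rhs, &|rhs| k(Exp::var("mod").app(vec![lhs.clone(), rhs])))` / `}),`. This was already a panic path before (the old `binop_to_binop` hit `unreachable!` for `Rem`), so it is pre-existing, but the new `todo!` text reads as a plan rather than an invariant; since both callers must special-case `Div`/`Rem` first, an `unreachable!` stating that invariant, or a shared helper that does the `div`/`mod` dispatch for both lowerings, would be clearer. The enclosing `build_vc` method starts and ends outside the hunk.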
@@ -133,8 +131,7 @@ fn create_assign_rec<'tcx>( let varnames = freshvars.take(subst.as_closure().upvar_tys().len()).collect::>(); let field_pats = varnames.clone().into_iter().map(|x| VarP(x.into())).collect(); - let mut varexps: Vec = - varnames.into_iter().map(|x| Exp::impure_var(x.into())).collect(); + let mut varexps: Vec = varnames.into_iter().map(|x| Exp::var(x)).collect(); varexps[ix.as_usize()] = inner; let cons = names.constructor(*id, subst); @@ -149,8 +146,8 @@ fn create_assign_rec<'tcx>( }, Downcast(_, _) => inner, Index(ix) => { - let set = Exp::impure_qvar(QName::from_string("Slice.set").unwrap()); - let ix_exp = Exp::impure_var(Ident::build(ix.as_str())); + let set = Exp::qvar(QName::from_string("Slice.set").unwrap()); + let ix_exp = Exp::var(Ident::build(ix.as_str())); Call( Box::new(set), @@ -174,7 +171,7 @@ pub(crate) fn translate_rplace<'tcx, N: Namer<'tcx>>( loc: Symbol, proj: &[mir::ProjectionElem>], ) -> Exp { - let mut inner = Exp::impure_var(Ident::build(loc.as_str())); + let mut inner = Exp::var(Ident::build(loc.as_str())); if proj.is_empty() { return inner; } @@ -199,7 +196,7 @@ pub(crate) fn translate_rplace<'tcx, N: Namer<'tcx>>( ctx.translate_accessor(def.variants()[variant_id].fields[*ix].did); let acc = names.accessor(def.did(), subst, variant_id.as_usize(), *ix); - inner = Call(Box::new(Exp::impure_qvar(acc)), vec![inner]); + inner = Call(Box::new(Exp::qvar(acc)), vec![inner]); } TyKind::Tuple(fields) => { let mut pat = vec![Wildcard; fields.len()]; 
@@ -208,23 +205,21 @@ pub(crate) fn translate_rplace<'tcx, N: Namer<'tcx>>( inner = Let { pattern: TupleP(pat), arg: Box::new(inner), - body: Box::new(Exp::impure_var("a".into())), + body: Box::new(Exp::var("a")), } } TyKind::Closure(id, subst) => { - inner = Call( - Box::new(Exp::impure_qvar(names.accessor(*id, subst, 0, *ix))), - vec![inner], - ); + inner = + Call(Box::new(Exp::qvar(names.accessor(*id, subst, 0, *ix))), vec![inner]); } e => unreachable!("{:?}", e), }, Downcast(_, _) => {} Index(ix) => { // TODO: Use [_] syntax - let ix_exp = Exp::impure_var(Ident::build(ix.as_str())); + let ix_exp = Exp::var(Ident::build(ix.as_str())); inner = Call( - Box::new(Exp::impure_qvar(QName::from_string("Slice.get").unwrap())), + Box::new(Exp::qvar(QName::from_string("Slice.get").unwrap())), vec![inner, ix_exp], ) } diff --git a/creusot/src/backend/program.rs b/creusot/src/backend/program.rs index 1094aeb126..f3abb35d62 100644 --- a/creusot/src/backend/program.rs +++ b/creusot/src/backend/program.rs @@ -1,8 +1,5 @@ use super::{ - clone_map::PreludeModule, - dependency::HackedId, - signature::signature_of, - term::{lower_impure, lower_pure}, + clone_map::PreludeModule, dependency::HackedId, signature::signature_of, term::lower_pure, CloneDepth, CloneSummary, Namer, TransId, Why3Generator, }; use crate::{ @@ -217,7 +214,7 @@ fn lower_promoted<'tcx>( sig.name = format!("promoted{:?}", body_id.promoted.unwrap().as_usize()).into(); let mut previous_block = None; - let mut exp = Exp::impure_var("_0".into()); + let mut exp = Exp::var("_0"); for (id, bbd) in fmir.blocks.into_iter().rev() { // Safety check match bbd.terminator { @@ -271,8 +268,7 @@ pub fn to_why<'tcx>( .locals .into_iter() .map(|(id, decl)| { - let init = - if decl.arg { Some(Exp::impure_var(Ident::build(id.as_str()))) } else { None }; + let init = if decl.arg { Some(Exp::var(Ident::build(id.as_str()))) } else { None }; ( false, Ident::build(id.as_str()), 
@@ -304,7 +300,7 @@ impl<'tcx> Operand<'tcx> { match self { Operand::Move(pl) => pl.as_rplace(ctx, names, locals), Operand::Copy(pl) => pl.as_rplace(ctx, names, locals), - Operand::Constant(c) => lower_impure(ctx, names, &c), + Operand::Constant(c) => lower_pure(ctx, names, &c), } } fn invalidated_places(&self, places: &mut Vec>) { @@ -328,12 +324,12 @@ impl<'tcx> Expr<'tcx> { } ExprKind::BinOp(BinOp::Eq, l, r) if l.ty(ctx.tcx, locals).is_bool() => { names.import_prelude_module(PreludeModule::Bool); - Exp::impure_qvar(QName::from_string("Bool.eqb").unwrap()) + Exp::qvar(QName::from_string("Bool.eqb").unwrap()) .app(vec![l.to_why(ctx, names, locals), r.to_why(ctx, names, locals)]) } ExprKind::BinOp(BinOp::Ne, l, r) if l.ty(ctx.tcx, locals).is_bool() => { names.import_prelude_module(PreludeModule::Bool); - Exp::impure_qvar(QName::from_string("Bool.neqb").unwrap()) + Exp::qvar(QName::from_string("Bool.neqb").unwrap()) .app(vec![l.to_why(ctx, names, locals), r.to_why(ctx, names, locals)]) } ExprKind::BinOp(op, l, r) => { @@ -372,7 +368,7 @@ impl<'tcx> Expr<'tcx> { } TyKind::Bool => { names.import_prelude_module(PreludeModule::Bool); - Exp::impure_qvar(QName::from_string("Bool.to_int").unwrap()) + Exp::qvar(QName::from_string("Bool.to_int").unwrap()) } _ => ctx .crash_and_error(DUMMY_SP, "Non integral casts are currently unsupported"), @@ -383,7 +379,7 @@ impl<'tcx> Expr<'tcx> { TyKind::Uint(uty) => uint_from_int(uty), TyKind::Char => { names.import_prelude_module(PreludeModule::Char); - Exp::impure_qvar(QName::from_string("Char.chr").unwrap()) + Exp::qvar(QName::from_string("Char.chr").unwrap()) } _ => ctx .crash_and_error(DUMMY_SP, "Non integral casts are currently unsupported"), 
@@ -392,7 +388,7 @@ impl<'tcx> Expr<'tcx> { from_int.app_to(to_int.app_to(e.to_why(ctx, names, locals))) } ExprKind::Len(pl) => { - let len_call = Exp::impure_qvar(QName::from_string("Slice.length").unwrap()) + let len_call = Exp::qvar(QName::from_string("Slice.length").unwrap()) .app_to(pl.to_why(ctx, names, locals)); len_call } @@ -402,11 +398,11 @@ impl<'tcx> Expr<'tcx> { let len = fields.len(); - let arr_var = Exp::impure_var(id.clone()); + let arr_var = Exp::var(id.clone()); let arr_elts = Exp::RecField { record: Box::new(arr_var.clone()), label: "elts".into() }; let fields = fields.into_iter().enumerate().map(|(ix, f)| { - Exp::impure_qvar(QName::from_string("Seq.get").unwrap()) + Exp::qvar(QName::from_string("Seq.get").unwrap()) .app(vec![arr_elts.clone(), Exp::Const(Constant::Int(ix as i128, None))]) .eq(f.to_why(ctx, names, locals)) }); @@ -418,7 +414,7 @@ impl<'tcx> Expr<'tcx> { fields .map(|e| Exp::Assume(Box::new(e))) .chain(std::iter::once(Exp::Assume(Box::new( - Exp::impure_qvar(QName::from_string("Slice.length").unwrap()) + Exp::qvar(QName::from_string("Slice.length").unwrap()) .app_to(arr_var.clone()) .eq(Exp::Const(Constant::Int(len as i128, None))), )))) @@ -427,11 +423,9 @@ impl<'tcx> Expr<'tcx> { )), } } - ExprKind::Repeat(e, len) => { - Exp::impure_qvar(QName::from_string("Slice.create").unwrap()) - .app_to(len.to_why(ctx, names, locals)) - .app_to(Exp::FnLit(Box::new(e.to_why(ctx, names, locals)))) - } + ExprKind::Repeat(e, len) => Exp::qvar(QName::from_string("Slice.create").unwrap()) + .app_to(len.to_why(ctx, names, locals)) + .app_to(Exp::FnLit(Box::new(e.to_why(ctx, names, locals)))), }; if self.span != DUMMY_SP { @@ -637,7 +631,7 @@ pub(crate) fn borrow_generated_id( projection: &[ProjectionElem], ) -> Exp { let mut borrow_id = Exp::Call( - Box::new(Exp::pure_qvar(QName::from_string("Borrow.get_id").unwrap())), + Box::new(Exp::qvar(QName::from_string("Borrow.get_id").unwrap())), vec![original_borrow], ); for proj in projection { 
@@ -647,7 +641,7 @@ pub(crate) fn borrow_generated_id( } ProjectionElem::Field(idx, _) => { borrow_id = Exp::Call( - Box::new(Exp::pure_qvar(QName::from_string("Borrow.inherit_id").unwrap())), + Box::new(Exp::qvar(QName::from_string("Borrow.inherit_id").unwrap())), vec![borrow_id, Exp::Const(Constant::Int(idx.as_u32() as i128 + 1, None))], ); } @@ -676,7 +670,7 @@ impl<'tcx> Statement<'tcx> { match self { Statement::Assignment(lhs, RValue::Borrow(BorrowKind::Mut, rhs), span) => { let borrow = Exp::Call( - Box::new(Exp::impure_qvar(QName::from_string("Borrow.borrow_mut").unwrap())), + Box::new(Exp::qvar(QName::from_string("Borrow.borrow_mut").unwrap())), vec![rhs.as_rplace(ctx, names, locals)], ); let reassign = Exp::Final(Box::new(lhs.as_rplace(ctx, names, locals))); @@ -699,7 +693,7 @@ impl<'tcx> Statement<'tcx> { let borrow_id = borrow_generated_id(original_borrow, &rhs.projection[deref_index + 1..]); let borrow = Exp::Call( - Box::new(Exp::impure_qvar(QName::from_string("Borrow.borrow_final").unwrap())), + Box::new(Exp::qvar(QName::from_string("Borrow.borrow_final").unwrap())), vec![rhs.as_rplace(ctx, names, locals), borrow_id], ); let reassign = Exp::Final(Box::new(lhs.as_rplace(ctx, names, locals))); @@ -742,7 +736,7 @@ impl<'tcx> Statement<'tcx> { Statement::Resolve(id, subst, pl) => { ctx.translate(id); - let rp = Exp::impure_qvar(names.value(id, subst)); + let rp = Exp::qvar(names.value(id, subst)); let assume = rp.app_to(pl.as_rplace(ctx, names, locals)); vec![mlcfg::Statement::Assume(assume)] @@ -754,7 +748,7 @@ impl<'tcx> Statement<'tcx> { ))] } Statement::AssumeBorrowInv(pl) => { - let inv_fun = Exp::impure_qvar( + let inv_fun = Exp::qvar( names.ty_inv(pl.ty(ctx.tcx, locals).builtin_deref(false).unwrap().ty), ); let arg = Exp::Final(Box::new(pl.as_rplace(ctx, names, locals))); 
@@ -762,7 +756,7 @@ impl<'tcx> Statement<'tcx> { vec![mlcfg::Statement::Assume(inv_fun.app_to(arg))] } Statement::AssertTyInv(pl) => { - let inv_fun = Exp::impure_qvar(names.ty_inv(pl.ty(ctx.tcx, locals))); + let inv_fun = Exp::qvar(names.ty_inv(pl.ty(ctx.tcx, locals))); let arg = pl.as_rplace(ctx, names, locals); let exp = Exp::Attr( Attribute::Attr(format!("expl:type invariant")), @@ -810,17 +804,17 @@ fn func_call_to_why3<'tcx>( let mut closure_args = vec![args.remove(0)]; - closure_args.extend(names.clone().map(|nm| Exp::impure_var(nm.to_string().into()))); + closure_args.extend(names.clone().map(|nm| Exp::var(nm.to_string()))); Exp::Let { pattern: Pattern::TupleP( names.map(|nm| Pattern::VarP(nm.to_string().into())).collect(), ), arg: Box::new(args.remove(0)), - body: Box::new(Exp::impure_qvar(fname).app(closure_args)), + body: Box::new(Exp::qvar(fname).app(closure_args)), } } else { - Exp::impure_qvar(fname).app(args) + Exp::qvar(fname).app(args) }; exp } 
@@ -849,44 +843,44 @@ pub(crate) fn uint_to_prelude(ity: UintTy) -> PreludeModule { pub(crate) fn int_from_int(ity: &IntTy) -> Exp { match ity { - IntTy::Isize => Exp::impure_qvar(QName::from_string("IntSize.of_int").unwrap()), - IntTy::I8 => Exp::impure_qvar(QName::from_string("Int8.of_int").unwrap()), - IntTy::I16 => Exp::impure_qvar(QName::from_string("Int16.of_int").unwrap()), - IntTy::I32 => Exp::impure_qvar(QName::from_string("Int32.of_int").unwrap()), - IntTy::I64 => Exp::impure_qvar(QName::from_string("Int64.of_int").unwrap()), - IntTy::I128 => Exp::impure_qvar(QName::from_string("Int128.of_int").unwrap()), + IntTy::Isize => Exp::qvar(QName::from_string("IntSize.of_int").unwrap()), + IntTy::I8 => Exp::qvar(QName::from_string("Int8.of_int").unwrap()), + IntTy::I16 => Exp::qvar(QName::from_string("Int16.of_int").unwrap()), + IntTy::I32 => Exp::qvar(QName::from_string("Int32.of_int").unwrap()), + IntTy::I64 => Exp::qvar(QName::from_string("Int64.of_int").unwrap()), + IntTy::I128 => Exp::qvar(QName::from_string("Int128.of_int").unwrap()), } } pub(crate) fn uint_from_int(uty: &UintTy) -> Exp { match uty { - UintTy::Usize => Exp::impure_qvar(QName::from_string("UIntSize.of_int").unwrap()), - UintTy::U8 => Exp::impure_qvar(QName::from_string("UInt8.of_int").unwrap()), - UintTy::U16 => Exp::impure_qvar(QName::from_string("UInt16.of_int").unwrap()), - UintTy::U32 => Exp::impure_qvar(QName::from_string("UInt32.of_int").unwrap()), - UintTy::U64 => Exp::impure_qvar(QName::from_string("UInt64.of_int").unwrap()), - UintTy::U128 => Exp::impure_qvar(QName::from_string("UInt128.of_int").unwrap()), + UintTy::Usize => Exp::qvar(QName::from_string("UIntSize.of_int").unwrap()), + UintTy::U8 => Exp::qvar(QName::from_string("UInt8.of_int").unwrap()), + UintTy::U16 => Exp::qvar(QName::from_string("UInt16.of_int").unwrap()), + UintTy::U32 => Exp::qvar(QName::from_string("UInt32.of_int").unwrap()), + UintTy::U64 => Exp::qvar(QName::from_string("UInt64.of_int").unwrap()), + 
UintTy::U128 => Exp::qvar(QName::from_string("UInt128.of_int").unwrap()), } } pub(crate) fn int_to_int(ity: &IntTy) -> Exp { match ity { - IntTy::Isize => Exp::impure_qvar(QName::from_string("IntSize.to_int").unwrap()), - IntTy::I8 => Exp::impure_qvar(QName::from_string("Int8.to_int").unwrap()), - IntTy::I16 => Exp::impure_qvar(QName::from_string("Int16.to_int").unwrap()), - IntTy::I32 => Exp::impure_qvar(QName::from_string("Int32.to_int").unwrap()), - IntTy::I64 => Exp::impure_qvar(QName::from_string("Int64.to_int").unwrap()), - IntTy::I128 => Exp::impure_qvar(QName::from_string("Int128.to_int").unwrap()), + IntTy::Isize => Exp::qvar(QName::from_string("IntSize.to_int").unwrap()), + IntTy::I8 => Exp::qvar(QName::from_string("Int8.to_int").unwrap()), + IntTy::I16 => Exp::qvar(QName::from_string("Int16.to_int").unwrap()), + IntTy::I32 => Exp::qvar(QName::from_string("Int32.to_int").unwrap()), + IntTy::I64 => Exp::qvar(QName::from_string("Int64.to_int").unwrap()), + IntTy::I128 => Exp::qvar(QName::from_string("Int128.to_int").unwrap()), } } pub(crate) fn uint_to_int(uty: &UintTy) -> Exp { match uty { - UintTy::Usize => Exp::impure_qvar(QName::from_string("UIntSize.to_int").unwrap()), - UintTy::U8 => Exp::impure_qvar(QName::from_string("UInt8.to_int").unwrap()), - UintTy::U16 => Exp::impure_qvar(QName::from_string("UInt16.to_int").unwrap()), - UintTy::U32 => Exp::impure_qvar(QName::from_string("UInt32.to_int").unwrap()), - UintTy::U64 => Exp::impure_qvar(QName::from_string("UInt64.to_int").unwrap()), - UintTy::U128 => Exp::impure_qvar(QName::from_string("UInt128.to_int").unwrap()), + UintTy::Usize => Exp::qvar(QName::from_string("UIntSize.to_int").unwrap()), + UintTy::U8 => Exp::qvar(QName::from_string("UInt8.to_int").unwrap()), + UintTy::U16 => Exp::qvar(QName::from_string("UInt16.to_int").unwrap()), + UintTy::U32 => Exp::qvar(QName::from_string("UInt32.to_int").unwrap()), + UintTy::U64 => Exp::qvar(QName::from_string("UInt64.to_int").unwrap()), + UintTy::U128 => 
Exp::qvar(QName::from_string("UInt128.to_int").unwrap()), } } diff --git a/creusot/src/backend/term.rs b/creusot/src/backend/term.rs index ad7976ae3a..7d5362e57c 100644 --- a/creusot/src/backend/term.rs +++ b/creusot/src/backend/term.rs @@ -9,7 +9,7 @@ use crate::{ use rustc_hir::def_id::DefId; use rustc_middle::ty::{EarlyBinder, GenericArgsRef, Ty, TyCtxt, TyKind}; use why3::{ - exp::{BinOp, Binder, Constant, Exp, Pattern as Pat, Purity}, + exp::{BinOp, Binder, Constant, Exp, Pattern as Pat}, ty::Type, Ident, QName, }; @@ -20,34 +20,19 @@ pub(crate) fn lower_pure<'tcx, N: Namer<'tcx>>( term: &Term<'tcx>, ) -> Exp { let span = term.span; - let mut term = Lower { ctx, names, pure: Purity::Logic }.lower_term(term); + let mut term = Lower { ctx, names }.lower_term(term); term.reassociate(); ctx.attach_span(span, term) } -pub(crate) fn lower_impure<'tcx, N: Namer<'tcx>>( - ctx: &mut Why3Generator<'tcx>, - names: &mut N, - term: &Term<'tcx>, -) -> Exp { - let mut term = Lower { ctx, names, pure: Purity::Program }.lower_term(term); - term.reassociate(); - term -} - pub(super) struct Lower<'a, 'tcx, N: Namer<'tcx>> { pub(super) ctx: &'a mut Why3Generator<'tcx>, pub(super) names: &'a mut N, - // true when we are translating a purely logical term - pub(super) pure: Purity, } impl<'tcx, N: Namer<'tcx>> Lower<'_, 'tcx, N> { pub(crate) fn lower_term(&mut self, term: &Term<'tcx>) -> Exp { match &term.kind { - TermKind::Lit(l) => { - let c = lower_literal(self.ctx, self.names, l); - c - } + TermKind::Lit(l) => lower_literal(self.ctx, self.names, l), // FIXME: this is a weird dance. TermKind::Item(id, subst) => { let method = (*id, *subst); 
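Review bot: With `lower_impure` deleted, `lower_pure` is the single entry point for turning a pearlite `Term` into a Why3 `Exp`, and it is now called from program-side code (the constant paths in elaborator.rs, constant.rs and program.rs) as well as from logic, so it deserves a doc comment; something like `/// Lower a pearlite term to a Why3 expression: lower, reassociate, then attach `term.span`.` plus a line noting that no program/logic distinction remains. The `Lower` struct lost its only commented field in the same hunk; a short `/// Lowers pearlite terms into Why3 expressions, resolving items through `names`.` on it would restore that context.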
@@ -57,11 +42,11 @@ impl<'tcx, N: Namer<'tcx>> Lower<'_, 'tcx, N> { let clone = self.names.value(*id, subst); match self.ctx.type_of(id).instantiate_identity().kind() { TyKind::FnDef(_, _) => Exp::Tuple(Vec::new()), - _ => Exp::pure_qvar(clone), + _ => Exp::qvar(clone), } }) } - TermKind::Var(v) => Exp::pure_var(util::ident_of(*v)), + TermKind::Var(v) => Exp::var(util::ident_of(*v)), TermKind::Binary { op, box lhs, box rhs } => { let lhs = self.lower_term(lhs); let rhs = self.lower_term(rhs); 
@@ -71,54 +56,10 @@ impl<'tcx, N: Namer<'tcx>> Lower<'_, 'tcx, N> { self.names.import_prelude_module(PreludeModule::Int); } - match (op, self.pure) { - (Div, _) => Exp::pure_var("div").app(vec![lhs, rhs]), - (Rem, _) => Exp::pure_var("mod").app(vec![lhs, rhs]), - (Eq | Ne | Lt | Le | Gt | Ge, Purity::Program) => { - let (lfvs, rfvs) = (lhs.fvs(), rhs.fvs()); - let mut freshvars = (0..) - .map(|i| format!("x{i}").into()) - .filter(|x: &Ident| !(lfvs.contains(x) || rfvs.contains(x))); - - let (a, lhs) = if lhs.is_pure() { - (lhs, None) - } else { - let v = freshvars.next().unwrap(); - (Exp::Var(v.clone(), self.pure), Some((v, lhs))) - }; - - let (b, rhs) = if rhs.is_pure() { - (rhs, None) - } else { - let v = freshvars.next().unwrap(); - (Exp::Var(v.clone(), self.pure), Some((v, rhs))) - }; - - let op = binop_to_binop(*op, Purity::Logic); - let mut inner = - Exp::Pure(Box::new(Exp::BinaryOp(op, Box::new(a), Box::new(b)))); - - if let Some((a, lhs)) = lhs { - inner = Exp::Let { - pattern: Pat::VarP(a), - arg: Box::new(lhs), - body: Box::new(inner), - } - }; - - if let Some((b, rhs)) = rhs { - inner = Exp::Let { - pattern: Pat::VarP(b), - arg: Box::new(rhs), - body: Box::new(inner), - } - }; - - inner - } - _ => { - Exp::BinaryOp(binop_to_binop(*op, self.pure), Box::new(lhs), Box::new(rhs)) - } + match op { + Div => Exp::var("div").app(vec![lhs, rhs]), + Rem => Exp::var("mod").app(vec![lhs, rhs]), + _ => Exp::BinaryOp(binop_to_binop(*op), Box::new(lhs), Box::new(rhs)), } } TermKind::Unary { op, box arg } => { 
@@ -145,24 +86,17 @@ impl<'tcx, N: Namer<'tcx>> Lower<'_, 'tcx, N> { self.ctx.translate(method.0); let clone = self.names.value(method.0, method.1); - if self.pure == Purity::Program { - mk_binders(Exp::QVar(clone, self.pure), args) - } else { - Exp::QVar(clone, self.pure).app(args) - } + Exp::qvar(clone).app(args) }) } TermKind::Forall { binder, box body } => { - let ty = translate_ty(self.ctx, self.names, rustc_span::DUMMY_SP, binder.1); - self.pure_exp(|this| { - Exp::forall(vec![(binder.0.to_string().into(), ty)], this.lower_term(body)) - }) + let ty = self.lower_ty(binder.1); + + Exp::forall(vec![(binder.0.to_string().into(), ty)], self.lower_term(body)) } TermKind::Exists { binder, box body } => { - let ty = translate_ty(self.ctx, self.names, rustc_span::DUMMY_SP, binder.1); - self.pure_exp(|this| { - Exp::exists(vec![(binder.0.to_string().into(), ty)], this.lower_term(body)) - }) + let ty = self.lower_ty(binder.1); + Exp::exists(vec![(binder.0.to_string().into(), ty)], self.lower_term(body)) } TermKind::Constructor { typ, variant, fields } => { self.ctx.translate(*typ); @@ -187,7 +121,7 @@ impl<'tcx, N: Namer<'tcx>> Lower<'_, 'tcx, N> { Exp::Final(Box::new(self.lower_term(term))) } TermKind::Impl { box lhs, box rhs } => { - self.pure_exp(|this| this.lower_term(lhs).implies(this.lower_term(rhs))) + self.lower_term(lhs).implies(self.lower_term(rhs)) } TermKind::Old { box term } => Exp::Old(Box::new(self.lower_term(term))), TermKind::Match { box scrutinee, arms } => { 
@@ -197,13 +131,13 @@ impl<'tcx, N: Namer<'tcx>> Lower<'_, 'tcx, N> { } else { (&arms[1].1, &arms[0].1) }; - Exp::IfThenElse( - Box::new(self.lower_term(scrutinee)), - Box::new(self.lower_term(true_br)), - Box::new(self.lower_term(false_br)), + Exp::if_( + self.lower_term(scrutinee), + self.lower_term(true_br), + self.lower_term(false_br), ) } else { - let _ = translate_ty(self.ctx, self.names, rustc_span::DUMMY_SP, scrutinee.ty); + let _ = self.lower_ty(scrutinee.ty); let arms = arms .iter() .map(|(pat, body)| (self.lower_pat(pat), self.lower_term(body))) @@ -232,7 +166,7 @@ impl<'tcx, N: Namer<'tcx>> Lower<'_, 'tcx, N> { k => unreachable!("Projection from {k:?}"), }; - Exp::pure_qvar(accessor).app(vec![lhs]) + Exp::qvar(accessor).app(vec![lhs]) } TermKind::Closure { body } => { let TyKind::Closure(id, subst) = term.ty.kind() else { @@ -254,34 +188,17 @@ impl<'tcx, N: Namer<'tcx>> Lower<'_, 'tcx, N> { TermKind::Reborrow { cur, fin, term, projection } => { let inner = self.lower_term(&*term); let borrow_id = borrow_generated_id(inner, &projection); - Exp::Call( - Box::new(Exp::QVar("Borrow.borrow_logic".into(), Purity::Logic)), - vec![self.lower_term(&*cur), self.lower_term(&*fin), borrow_id], - ) + + Exp::qvar("Borrow.borrow_logic".into()).app(vec![ + self.lower_term(&*cur), + self.lower_term(&*fin), + borrow_id, + ]) } TermKind::Assert { cond } => { let cond = self.lower_term(&*cond); - if self.pure == Purity::Program && !cond.is_pure() { - Exp::Let { - pattern: Pat::VarP("a".into()), - arg: Box::new(cond), - body: Box::new(Exp::Assert(Box::new(Exp::impure_var("a".into())))), - } - } else { - Exp::Assert(Box::new(cond)) - } - } - } - } - fn pure_exp(&mut self, f: impl FnOnce(&mut Self) -> Exp) -> Exp { - match self.pure { - Purity::Logic => f(self), - Purity::Program => { - self.pure = Purity::Logic; - let ret = f(self); - self.pure = Purity::Program; - Exp::Pure(Box::new(ret)) + Exp::Assert(Box::new(cond)) } } } 
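Review bot: The `Reborrow` arm builds its callee as `Exp::qvar("Borrow.borrow_logic".into())`, while every other qualified name touched by this commit goes through `QName::from_string("...").unwrap()` (for example `Borrow.get_id` and `Borrow.borrow_mut` in program.rs); if the two constructions differ in how the module path is split this one is the odd one out, and either way one form should be used consistently. The `Assert` arm can also drop its temporary: `TermKind::Assert { cond } => Exp::Assert(Box::new(self.lower_term(&*cond))),`. Both arms sit inside `lower_term`, which continues outside the hunk.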
@@ -326,14 +243,7 @@ impl<'tcx, N: Namer<'tcx>> Lower<'_, 'tcx, N> { self.names.value(def_id.unwrap(), _substs); // self.names.import_builtin_module(builtin.clone().module_qname()); - if let Purity::Program = self.pure { - return Some(mk_binders( - Exp::pure_qvar(builtin.without_search_path()), - args.clone(), - )); - } else { - return Some(Exp::pure_qvar(builtin.without_search_path()).app(args.clone())); - } + return Some(Exp::qvar(builtin.without_search_path()).app(args.clone())); } None } 
@@ -375,46 +285,24 @@ pub(crate) fn lower_literal<'tcx, N: Namer<'tcx>>( } } -pub(crate) fn binop_to_binop(op: pearlite::BinOp, purity: Purity) -> why3::exp::BinOp { - match (op, purity) { - (pearlite::BinOp::Add, _) => BinOp::Add, - (pearlite::BinOp::Sub, _) => BinOp::Sub, - (pearlite::BinOp::Mul, _) => BinOp::Mul, - (pearlite::BinOp::Lt, _) => BinOp::Lt, - (pearlite::BinOp::Le, _) => BinOp::Le, - (pearlite::BinOp::Gt, _) => BinOp::Gt, - (pearlite::BinOp::Ge, _) => BinOp::Ge, - (pearlite::BinOp::Eq, Purity::Logic) => BinOp::Eq, - (pearlite::BinOp::Ne, Purity::Logic) => BinOp::Ne, - (pearlite::BinOp::And, Purity::Logic) => BinOp::LogAnd, - (pearlite::BinOp::And, Purity::Program) => BinOp::LazyAnd, - (pearlite::BinOp::Or, Purity::Logic) => BinOp::LogOr, - (pearlite::BinOp::Or, Purity::Program) => BinOp::LazyOr, - _ => unreachable!("{op:?} {purity:?}"), +pub(crate) fn binop_to_binop(op: pearlite::BinOp) -> why3::exp::BinOp { + match op { + pearlite::BinOp::Add => BinOp::Add, + pearlite::BinOp::Sub => BinOp::Sub, + pearlite::BinOp::Mul => BinOp::Mul, + pearlite::BinOp::Lt => BinOp::Lt, + pearlite::BinOp::Le => BinOp::Le, + pearlite::BinOp::Gt => BinOp::Gt, + pearlite::BinOp::Ge => BinOp::Ge, + pearlite::BinOp::Eq => BinOp::Eq, + pearlite::BinOp::Ne => BinOp::Ne, + pearlite::BinOp::And => BinOp::LogAnd, + pearlite::BinOp::Or => BinOp::LogOr, + pearlite::BinOp::Div => todo!("Refactor binop_to_binop to support Div"), + pearlite::BinOp::Rem => todo!("Refactor binop_to_binop to support Rem"), } } -pub(super) fn mk_binders(func: Exp, args: Vec) -> Exp { - let mut impure_args = Vec::with_capacity(args.len()); - let mut call_args = Vec::with_capacity(args.len()); - for (nm, arg) in ('a'..).zip(args.into_iter()) { - if arg.is_pure() { - call_args.push(arg); - } else { - call_args.push(Exp::impure_var(format!("{}'", nm).into())); - impure_args.push((format!("{}'", nm), arg)); - } - } - - let call = func.app(call_args); - - impure_args.into_iter().rfold(call, |acc, arg| Exp::Let 
{ - pattern: Pat::VarP(arg.0.into()), - arg: Box::new(arg.1), - body: Box::new(acc), - }) -} - fn is_identity_from<'tcx>(tcx: TyCtxt<'tcx>, id: DefId, subst: GenericArgsRef<'tcx>) -> bool { if tcx.def_path_str(id) == "std::convert::From::from" && subst.len() == 1 { let out_ty: Ty<'tcx> = tcx.fn_sig(id).no_bound_vars().unwrap().output().skip_binder(); diff --git a/creusot/src/backend/ty.rs b/creusot/src/backend/ty.rs index a85cd71ab5..0e1ad3eabc 100644 --- a/creusot/src/backend/ty.rs +++ b/creusot/src/backend/ty.rs @@ -598,13 +598,13 @@ pub(crate) fn build_accessor( let mut exp = Exp::Any(field_ty.clone()); if ix == variant_ix { pat[field_ix] = Pattern::VarP("a".into()); - exp = Exp::pure_var("a"); + exp = Exp::var("a"); }; (Pattern::ConsP(name.clone(), pat), exp) }) .collect(); - let discr_exp = Exp::Match(Box::new(Exp::pure_var("self")), branches); + let discr_exp = Exp::Match(Box::new(Exp::var("self")), branches); Decl::Let(LetDecl { sig, diff --git a/creusot/src/backend/ty_inv.rs b/creusot/src/backend/ty_inv.rs index e56e1b6669..29e0faadcb 100644 --- a/creusot/src/backend/ty_inv.rs +++ b/creusot/src/backend/ty_inv.rs @@ -465,7 +465,7 @@ fn build_inv_axiom<'tcx>( let ty = inv_kind.to_skeleton_ty(ctx.tcx); let kind = TyInvKind::from_ty(ctx.tcx, ty); // TODO : Refactor and push binding down - let lhs: Exp = Exp::impure_qvar(names.ty_inv(ty)).app_to(Exp::pure_var("x")); + let lhs: Exp = Exp::qvar(names.ty_inv(ty)).app_to(Exp::var("x")); let rhs = if TyInvKind::Trivial == inv_kind { Exp::mk_true() } else { diff --git a/creusot/tests/should_fail/bug/01_resolve_unsoundness.mlcfg b/creusot/tests/should_fail/bug/01_resolve_unsoundness.mlcfg index edcae4251c..e65d13878a 100644 --- a/creusot/tests/should_fail/bug/01_resolve_unsoundness.mlcfg +++ b/creusot/tests/should_fail/bug/01_resolve_unsoundness.mlcfg 
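Review bot: `binop_to_binop` now panics through `todo!` for `pearlite::BinOp::Div` and `pearlite::BinOp::Rem`; since pearlite operators presumably originate from user-written specs, a term containing `/` or `%` aborts the tool with a panic instead of a diagnostic. The removed `_ => unreachable!(...)` arm had the same failure mode, so this is not a regression, but with the match now exhaustive and the two unsupported cases explicit it is the natural moment to make the function fallible — for example return `Option<why3::exp::BinOp>` with `pearlite::BinOp::Div | pearlite::BinOp::Rem => None` and let the caller report the error with the term's span — rather than leaving a panic reachable from input. A doc comment should also record the contract that changed with the purity removal: `/// Maps a pearlite binary operator to its Why3 logic-level counterpart (\`And\`/\`Or\` become \`LogAnd\`/\`LogOr\`); \`Div\` and \`Rem\` are not supported yet.` The `ty.rs` and `ty_inv.rs` hunks on this same line are plain `pure_var`/`impure_qvar` → `var`/`qvar` renames and need no change.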
@@ -88,7 +88,8 @@ module C01ResolveUnsoundness_MakeVecOfSize requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv3 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global)) : bool @@ -127,11 +128,11 @@ module C01ResolveUnsoundness_MakeVecOfSize goto BB0 } BB0 { - [#"../01_resolve_unsoundness.rs" 10 29 10 39] out <- ([#"../01_resolve_unsoundness.rs" 10 29 10 39] new0 ()); + [#"../01_resolve_unsoundness.rs" 10 29 10 39] out <- ([#"../01_resolve_unsoundness.rs" 10 29 10 39] new0 ([#"../01_resolve_unsoundness.rs" 10 29 10 39] ())); goto BB1 } BB1 { - [#"../01_resolve_unsoundness.rs" 11 16 11 17] i <- ([#"../01_resolve_unsoundness.rs" 11 16 11 17] (0 : usize)); + [#"../01_resolve_unsoundness.rs" 11 16 11 17] i <- ([#"../01_resolve_unsoundness.rs" 11 16 11 17] [#"../01_resolve_unsoundness.rs" 11 16 11 17] (0 : usize)); goto BB2 } BB2 { 
@@ -148,12 +149,12 @@ module C01ResolveUnsoundness_MakeVecOfSize BB4 { [#"../01_resolve_unsoundness.rs" 14 8 14 11] _13 <- Borrow.borrow_mut out; [#"../01_resolve_unsoundness.rs" 14 8 14 11] out <- ^ _13; - [#"../01_resolve_unsoundness.rs" 14 8 14 23] _12 <- ([#"../01_resolve_unsoundness.rs" 14 8 14 23] push0 _13 false); + [#"../01_resolve_unsoundness.rs" 14 8 14 23] _12 <- ([#"../01_resolve_unsoundness.rs" 14 8 14 23] push0 _13 ([#"../01_resolve_unsoundness.rs" 14 17 14 22] false)); _13 <- any borrowed (Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global)); goto BB5 } BB5 { - [#"../01_resolve_unsoundness.rs" 15 8 15 14] i <- ([#"../01_resolve_unsoundness.rs" 15 8 15 14] i + (1 : usize)); + [#"../01_resolve_unsoundness.rs" 15 8 15 14] i <- ([#"../01_resolve_unsoundness.rs" 15 8 15 14] i + ([#"../01_resolve_unsoundness.rs" 15 13 15 14] (1 : usize))); goto BB2 } BB6 { diff --git a/creusot/tests/should_fail/bug/222.mlcfg b/creusot/tests/should_fail/bug/222.mlcfg index 2d61a81f46..a3ba445795 100644 --- a/creusot/tests/should_fail/bug/222.mlcfg +++ b/creusot/tests/should_fail/bug/222.mlcfg @@ -106,7 +106,7 @@ module C222_UsesInvariant goto BB2 } BB2 { - [#"../222.rs" 40 42 42 1] _0 <- ([#"../222.rs" 40 42 42 1] ()); + [#"../222.rs" 40 42 42 1] _0 <- ([#"../222.rs" 40 42 42 1] [#"../222.rs" 40 42 42 1] ()); return _0 } diff --git a/creusot/tests/should_fail/bug/492.mlcfg b/creusot/tests/should_fail/bug/492.mlcfg index 21d7ec792e..e142f65282 100644 --- a/creusot/tests/should_fail/bug/492.mlcfg +++ b/creusot/tests/should_fail/bug/492.mlcfg 
@@ -52,7 +52,7 @@ module C492_ReborrowTuple [#"../492.rs" 6 5 6 6] _3 <- Borrow.borrow_final ( * x) (Borrow.get_id x); [#"../492.rs" 6 5 6 6] x <- { x with current = ( ^ _3) ; }; assume { inv0 ( ^ _3) }; - [#"../492.rs" 6 4 6 11] _0 <- ([#"../492.rs" 6 4 6 11] (_3, (32 : uint32))); + [#"../492.rs" 6 4 6 11] _0 <- ([#"../492.rs" 6 4 6 11] (_3, ([#"../492.rs" 6 8 6 10] (32 : uint32)))); _3 <- any borrowed t; assert { [@expl:type invariant] inv1 x }; assume { resolve0 x }; @@ -119,7 +119,7 @@ module C492_Test goto BB0 } BB0 { - [#"../492.rs" 11 16 11 17] x <- ([#"../492.rs" 11 16 11 17] (5 : int32)); + [#"../492.rs" 11 16 11 17] x <- ([#"../492.rs" 11 16 11 17] [#"../492.rs" 11 16 11 17] (5 : int32)); [#"../492.rs" 12 34 12 40] _6 <- Borrow.borrow_mut x; [#"../492.rs" 12 34 12 40] x <- ^ _6; [#"../492.rs" 12 34 12 40] _5 <- Borrow.borrow_final ( * _6) (Borrow.get_id _6); @@ -134,9 +134,9 @@ module C492_Test assume { resolve0 _4 }; assume { resolve1 _6 }; assert { [@expl:assertion] [#"../492.rs" 13 18 13 30] ^ res = (5 : int32) }; - [#"../492.rs" 14 4 14 13] res <- { res with current = ([#"../492.rs" 14 4 14 13] (10 : int32)) ; }; + [#"../492.rs" 14 4 14 13] res <- { res with current = ([#"../492.rs" 14 4 14 13] [#"../492.rs" 14 11 14 13] (10 : int32)) ; }; assume { resolve1 res }; - [#"../492.rs" 10 14 15 1] _0 <- ([#"../492.rs" 10 14 15 1] ()); + [#"../492.rs" 10 14 15 1] _0 <- ([#"../492.rs" 10 14 15 1] [#"../492.rs" 10 14 15 1] ()); return _0 } diff --git a/creusot/tests/should_fail/bug/692.mlcfg b/creusot/tests/should_fail/bug/692.mlcfg index b38b939b26..80de0a8417 100644 --- a/creusot/tests/should_fail/bug/692.mlcfg +++ b/creusot/tests/should_fail/bug/692.mlcfg 
@@ -38,7 +38,10 @@ module C692_Incorrect requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv4 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv3 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv4 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed c . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve1 ( ^ s))) + axiom fn_mut_once0_spec : forall self : c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv3 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv4 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed c . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve1 ( ^ s))) predicate unnest0 (self : c) (_2 : c) val unnest0 (self : c) (_2 : c) : bool ensures { result = unnest0 self _2 } 
@@ -52,13 +55,19 @@ module C692_Incorrect requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv1 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : c, b : c, c : c . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv1 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv1 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : c, b : c, c : c . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv1 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv1 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : c) : () val unnest_refl0 (self : c) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv1 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : c . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : c . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed c) (args : ()) (res : bool) : () val postcondition_mut_unnest0 (self : borrowed c) (args : ()) (res : bool) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -67,7 +76,11 @@ module C692_Incorrect requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv4 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv3 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv4 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv3 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv4 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant4 (self : bool) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant4 (self : bool) : bool 
@@ -96,7 +109,10 @@ module C692_Incorrect requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv4 res} ensures { result = fn_once0 self args res } - axiom fn_once0_spec : forall self : c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv3 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv4 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once0 self args res = (resolve1 self /\ postcondition0 self args res)) + axiom fn_once0_spec : forall self : c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv3 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv4 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once0 self args res = (resolve1 self /\ postcondition0 self args res)) predicate resolve2 (self : borrowed c) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed c) : bool 
@@ -109,7 +125,10 @@ module C692_Incorrect requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv4 res} ensures { result = fn_mut0 self args res } - axiom fn_mut0_spec : forall self : borrowed c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv3 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv4 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve2 self /\ postcondition0 ( * self) args res)) + axiom fn_mut0_spec : forall self : borrowed c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv3 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv4 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve2 self /\ postcondition0 ( * self) args res)) predicate invariant1 (self : c) val invariant1 (self : c) : bool ensures { result = invariant1 self } @@ -137,7 +156,8 @@ module C692_Incorrect ensures { result = resolve0 self } let rec cfg incorrect [#"../692.rs" 8 0 8 76] [@cfg:stackify] [@cfg:subregion_analysis] (cond : c) (branch : b) : () - requires {[#"../692.rs" 5 0 6 87] precondition0 cond () /\ (forall b : bool . precondition1 branch (b) /\ (exists b : bool . forall b0 : bool . postcondition0 cond () b0 -> b0 = b))} + requires {[#"../692.rs" 5 0 6 87] precondition0 cond () /\ (forall b : bool . precondition1 branch (b) /\ (exists b : bool . forall b0 : bool . postcondition0 cond () b0 + -> b0 = b))} requires {[#"../692.rs" 8 57 8 61] inv1 cond} requires {[#"../692.rs" 8 66 8 72] inv0 branch} ensures { [#"../692.rs" 7 10 7 15] false } 
@@ -157,7 +177,7 @@ module C692_Incorrect goto BB1 } BB1 { - [#"../692.rs" 8 77 8 79] _0 <- ([#"../692.rs" 8 77 8 79] ()); + [#"../692.rs" 8 77 8 79] _0 <- ([#"../692.rs" 8 77 8 79] [#"../692.rs" 8 77 8 79] ()); goto BB2 } BB2 { @@ -219,18 +239,18 @@ module C692_ValidNormal_Closure2 end } BB1 { - [#"../692.rs" 16 25 16 26] _4 <- ([#"../692.rs" 16 25 16 26] (2 : uint32)); + [#"../692.rs" 16 25 16 26] _4 <- ([#"../692.rs" 16 25 16 26] [#"../692.rs" 16 25 16 26] (2 : uint32)); goto BB3 } BB2 { - [#"../692.rs" 16 36 16 37] _4 <- ([#"../692.rs" 16 36 16 37] (1 : uint32)); + [#"../692.rs" 16 36 16 37] _4 <- ([#"../692.rs" 16 36 16 37] [#"../692.rs" 16 36 16 37] (1 : uint32)); goto BB3 } BB3 { [#"../692.rs" 16 14 16 39] _1 <- { _1 with current = (let C692_ValidNormal_Closure2.C692_ValidNormal_Closure2 x0 = * _1 in C692_ValidNormal_Closure2.C692_ValidNormal_Closure2 ({ (field_00 ( * _1)) with current = ([#"../692.rs" 16 14 16 39] _4) ; })) ; }; _4 <- any uint32; assume { resolve0 _1 }; - [#"../692.rs" 16 14 16 39] res <- ([#"../692.rs" 16 14 16 39] ()); + [#"../692.rs" 16 14 16 39] res <- ([#"../692.rs" 16 14 16 39] [#"../692.rs" 16 14 16 39] ()); [#"../692.rs" 15 17 15 64] _0 <- ([#"../692.rs" 15 17 15 64] res); return _0 } @@ -267,7 +287,7 @@ module C692_ValidNormal_Closure1 goto BB0 } BB0 { - [#"../692.rs" 14 7 14 15] res <- ([#"../692.rs" 14 7 14 15] field_00 _1 > (7 : uint32)); + [#"../692.rs" 14 7 14 15] res <- ([#"../692.rs" 14 7 14 15] field_00 _1 > ([#"../692.rs" 14 11 14 15] (7 : uint32))); [#"../692.rs" 13 15 13 47] _0 <- ([#"../692.rs" 13 15 13 47] res); return _0 } 
@@ -319,7 +339,8 @@ module C692_ValidNormal = true val incorrect0 [#"../692.rs" 8 0 8 76] (cond : C692_ValidNormal_Closure1.c692_validnormal_closure1) (branch : C692_ValidNormal_Closure2.c692_validnormal_closure2) : () - requires {[#"../692.rs" 5 0 6 87] precondition0 cond () /\ (forall b : bool . precondition1 branch (b) /\ (exists b : bool . forall b0 : bool . postcondition0 cond () b0 -> b0 = b))} + requires {[#"../692.rs" 5 0 6 87] precondition0 cond () /\ (forall b : bool . precondition1 branch (b) /\ (exists b : bool . forall b0 : bool . postcondition0 cond () b0 + -> b0 = b))} requires {[#"../692.rs" 8 57 8 61] inv0 cond} requires {[#"../692.rs" 8 66 8 72] inv1 branch} ensures { [#"../692.rs" 7 10 7 15] false } @@ -341,7 +362,7 @@ module C692_ValidNormal goto BB0 } BB0 { - [#"../692.rs" 12 16 12 20] r <- ([#"../692.rs" 12 16 12 20] (0 : uint32)); + [#"../692.rs" 12 16 12 20] r <- ([#"../692.rs" 12 16 12 20] [#"../692.rs" 12 16 12 20] (0 : uint32)); [#"../692.rs" 13 15 13 47] cond <- ([#"../692.rs" 13 15 13 47] C692_ValidNormal_Closure1.C692_ValidNormal_Closure1 n); [#"../692.rs" 15 17 15 64] _7 <- Borrow.borrow_mut r; [#"../692.rs" 15 17 15 64] r <- ^ _7; diff --git a/creusot/tests/should_fail/bug/695.mlcfg b/creusot/tests/should_fail/bug/695.mlcfg index d3ed638384..095ac86c5c 100644 --- a/creusot/tests/should_fail/bug/695.mlcfg +++ b/creusot/tests/should_fail/bug/695.mlcfg 
@@ -38,7 +38,10 @@ module C695_InversedIf requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv4 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv3 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv4 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once1 self args res = (exists s : borrowed c . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv3 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv4 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once1 self args res = (exists s : borrowed c . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : c) (_2 : c) val unnest0 (self : c) (_2 : c) : bool ensures { result = unnest0 self _2 } 
@@ -52,13 +55,19 @@ module C695_InversedIf requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : c, b : c, c : c . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : c, b : c, c : c . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : c) : () val unnest_refl0 (self : c) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : c . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : c . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed c) (args : ()) (res : bool) : () val postcondition_mut_unnest0 (self : borrowed c) (args : ()) (res : bool) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -67,7 +76,11 @@ module C695_InversedIf requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv4 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv3 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv4 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv3 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv4 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant6 (self : borrowed c) val invariant6 (self : borrowed c) : bool ensures { result = invariant6 self } 
@@ -115,7 +128,10 @@ module C695_InversedIf requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv4 res} ensures { result = fn_once0 self args res } - axiom fn_once0_spec : forall self : c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv3 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv4 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once1 self args res = (resolve0 self /\ postcondition0 self args res)) + axiom fn_once0_spec : forall self : c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv3 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv4 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once1 self args res = (resolve0 self /\ postcondition0 self args res)) predicate resolve1 (self : borrowed c) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed c) : bool 
@@ -128,7 +144,10 @@ module C695_InversedIf requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv4 res} ensures { result = fn_mut0 self args res } - axiom fn_mut0_spec : forall self : borrowed c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv3 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv4 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve1 self /\ postcondition0 ( * self) args res)) + axiom fn_mut0_spec : forall self : borrowed c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv3 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv4 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve1 self /\ postcondition0 ( * self) args res)) predicate invariant1 (self : b) val invariant1 (self : b) : bool ensures { result = invariant1 self } @@ -207,7 +226,7 @@ module C695_InversedIf BB4 { assert { [@expl:type invariant] inv0 cond }; assume { resolve0 cond }; - [#"../695.rs" 10 8 10 21] _11 <- ([#"../695.rs" 10 8 10 21] (false)); + [#"../695.rs" 10 8 10 21] _11 <- ([#"../695.rs" 10 8 10 21] (([#"../695.rs" 10 15 10 20] false))); [#"../695.rs" 10 8 10 21] _0 <- ([#"../695.rs" 10 8 10 21] call_once0 branch _11); branch <- any b; _11 <- any bool; 
@@ -216,7 +235,7 @@ module C695_InversedIf BB5 { assert { [@expl:type invariant] inv0 cond }; assume { resolve0 cond }; - [#"../695.rs" 8 8 8 20] _9 <- ([#"../695.rs" 8 8 8 20] (true)); + [#"../695.rs" 8 8 8 20] _9 <- ([#"../695.rs" 8 8 8 20] (([#"../695.rs" 8 15 8 19] true))); [#"../695.rs" 8 8 8 20] _0 <- ([#"../695.rs" 8 8 8 20] call_once0 branch _9); branch <- any b; _9 <- any bool; @@ -288,18 +307,18 @@ module C695_Valid_Closure2 end } BB1 { - [#"../695.rs" 20 25 20 26] _4 <- ([#"../695.rs" 20 25 20 26] (2 : uint32)); + [#"../695.rs" 20 25 20 26] _4 <- ([#"../695.rs" 20 25 20 26] [#"../695.rs" 20 25 20 26] (2 : uint32)); goto BB3 } BB2 { - [#"../695.rs" 20 36 20 37] _4 <- ([#"../695.rs" 20 36 20 37] (1 : uint32)); + [#"../695.rs" 20 36 20 37] _4 <- ([#"../695.rs" 20 36 20 37] [#"../695.rs" 20 36 20 37] (1 : uint32)); goto BB3 } BB3 { [#"../695.rs" 20 14 20 39] _1 <- { _1 with current = (let C695_Valid_Closure2.C695_Valid_Closure2 x0 = * _1 in C695_Valid_Closure2.C695_Valid_Closure2 ({ (field_00 ( * _1)) with current = ([#"../695.rs" 20 14 20 39] _4) ; })) ; }; _4 <- any uint32; assume { resolve0 _1 }; - [#"../695.rs" 20 14 20 39] res <- ([#"../695.rs" 20 14 20 39] ()); + [#"../695.rs" 20 14 20 39] res <- ([#"../695.rs" 20 14 20 39] [#"../695.rs" 20 14 20 39] ()); [#"../695.rs" 19 17 19 64] _0 <- ([#"../695.rs" 19 17 19 64] res); return _0 } @@ -336,7 +355,7 @@ module C695_Valid_Closure1 goto BB0 } BB0 { - [#"../695.rs" 18 7 18 15] res <- ([#"../695.rs" 18 7 18 15] field_00 _1 > (7 : uint32)); + [#"../695.rs" 18 7 18 15] res <- ([#"../695.rs" 18 7 18 15] field_00 _1 > ([#"../695.rs" 18 11 18 15] (7 : uint32))); [#"../695.rs" 17 15 17 47] _0 <- ([#"../695.rs" 17 15 17 47] res); return _0 } 
@@ -415,7 +434,7 @@ module C695_Valid goto BB0 } BB0 { - [#"../695.rs" 16 16 16 20] r <- ([#"../695.rs" 16 16 16 20] (0 : uint32)); + [#"../695.rs" 16 16 16 20] r <- ([#"../695.rs" 16 16 16 20] [#"../695.rs" 16 16 16 20] (0 : uint32)); [#"../695.rs" 17 15 17 47] cond <- ([#"../695.rs" 17 15 17 47] C695_Valid_Closure1.C695_Valid_Closure1 n); [#"../695.rs" 19 17 19 64] _7 <- Borrow.borrow_mut r; [#"../695.rs" 19 17 19 64] r <- ^ _7; diff --git a/creusot/tests/should_fail/bug/869.mlcfg b/creusot/tests/should_fail/bug/869.mlcfg index 336bd0c7c1..3e719f8f9e 100644 --- a/creusot/tests/should_fail/bug/869.mlcfg +++ b/creusot/tests/should_fail/bug/869.mlcfg @@ -67,7 +67,7 @@ module C869_Unsound assume { resolve0 xm }; assert { [@expl:assertion] [#"../869.rs" 19 20 19 37] Snapshot.inner ( * evil) = (not Snapshot.inner ( ^ evil)) }; assert { [@expl:assertion] [#"../869.rs" 20 20 20 37] Snapshot.inner ( * evil) = (not Snapshot.inner ( * evil)) }; - [#"../869.rs" 4 17 21 1] _0 <- ([#"../869.rs" 4 17 21 1] ()); + [#"../869.rs" 4 17 21 1] _0 <- ([#"../869.rs" 4 17 21 1] [#"../869.rs" 4 17 21 1] ()); return _0 } diff --git a/creusot/tests/should_fail/bug/specialize.mlcfg b/creusot/tests/should_fail/bug/specialize.mlcfg index 2b62b6f2c4..a226b35a67 100644 --- a/creusot/tests/should_fail/bug/specialize.mlcfg +++ b/creusot/tests/should_fail/bug/specialize.mlcfg @@ -62,7 +62,7 @@ module Specialize_F } BB1 { assert { [@expl:assertion] [#"../specialize.rs" 24 20 24 25] false }; - [#"../specialize.rs" 21 18 25 1] _0 <- ([#"../specialize.rs" 21 18 25 1] ()); + [#"../specialize.rs" 21 18 25 1] _0 <- ([#"../specialize.rs" 21 18 25 1] [#"../specialize.rs" 21 18 25 1] ()); goto BB2 } BB2 { 
@@ -99,7 +99,8 @@ module Specialize_G requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool @@ -126,7 +127,7 @@ module Specialize_G } BB1 { assert { [@expl:assertion] [#"../specialize.rs" 31 20 31 25] false }; - [#"../specialize.rs" 27 19 32 1] _0 <- ([#"../specialize.rs" 27 19 32 1] ()); + [#"../specialize.rs" 27 19 32 1] _0 <- ([#"../specialize.rs" 27 19 32 1] [#"../specialize.rs" 27 19 32 1] ()); goto BB2 } BB2 { 
@@ -164,7 +165,8 @@ module Specialize_H requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool @@ -191,7 +193,7 @@ module Specialize_H } BB1 { assert { [@expl:assertion] [#"../specialize.rs" 37 20 37 25] false }; - [#"../specialize.rs" 34 18 38 1] _0 <- ([#"../specialize.rs" 34 18 38 1] ()); + [#"../specialize.rs" 34 18 38 1] _0 <- ([#"../specialize.rs" 34 18 38 1] [#"../specialize.rs" 34 18 38 1] ()); goto BB2 } BB2 { 
@@ -228,14 +230,16 @@ module Specialize_Impl0 requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec u (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec u (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec u (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec u (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = invariant0 self } axiom inv0 : forall x : Alloc_Vec_Vec_Type.t_vec u (Alloc_Alloc_Global_Type.t_global) . inv0 x = true - goal x_refn : [#"../specialize.rs" 12 4 12 22] forall self : Alloc_Vec_Vec_Type.t_vec u (Alloc_Alloc_Global_Type.t_global) . inv0 self -> inv0 self + goal x_refn : [#"../specialize.rs" 12 4 12 22] forall self : Alloc_Vec_Vec_Type.t_vec u (Alloc_Alloc_Global_Type.t_global) . inv0 self + -> inv0 self end module Specialize_Impl1 goal x_refn : [#"../specialize.rs" 18 4 18 14] true diff --git a/creusot/tests/should_fail/bug/subregion.mlcfg b/creusot/tests/should_fail/bug/subregion.mlcfg index f5199bad20..372f9de375 100644 --- a/creusot/tests/should_fail/bug/subregion.mlcfg 
+++ b/creusot/tests/should_fail/bug/subregion.mlcfg @@ -15,7 +15,7 @@ module Subregion_ListReversalH goto BB0 } BB0 { - [#"../subregion.rs" 4 16 4 17] r <- ([#"../subregion.rs" 4 16 4 17] (0 : usize)); + [#"../subregion.rs" 4 16 4 17] r <- ([#"../subregion.rs" 4 16 4 17] [#"../subregion.rs" 4 16 4 17] (0 : usize)); goto BB1 } BB1 { @@ -23,7 +23,7 @@ module Subregion_ListReversalH goto BB2 } BB2 { - [#"../subregion.rs" 6 10 6 16] _7 <- ([#"../subregion.rs" 6 10 6 16] l <> (0 : usize)); + [#"../subregion.rs" 6 10 6 16] _7 <- ([#"../subregion.rs" 6 10 6 16] l <> ([#"../subregion.rs" 6 15 6 16] (0 : usize))); switch (_7) | False -> goto BB4 | True -> goto BB3 diff --git a/creusot/tests/should_fail/final_borrows.mlcfg b/creusot/tests/should_fail/final_borrows.mlcfg index a4d8b7fa04..c44cf38b7f 100644 --- a/creusot/tests/should_fail/final_borrows.mlcfg +++ b/creusot/tests/should_fail/final_borrows.mlcfg @@ -48,7 +48,7 @@ module FinalBorrows_NotFinalBorrow assume { inv0 ( ^ _b2) }; assert { [@expl:type invariant] inv1 _b2 }; assume { resolve0 _b2 }; - [#"../final_borrows.rs" 5 40 9 1] _0 <- ([#"../final_borrows.rs" 5 40 9 1] ()); + [#"../final_borrows.rs" 5 40 9 1] _0 <- ([#"../final_borrows.rs" 5 40 9 1] [#"../final_borrows.rs" 5 40 9 1] ()); assert { [@expl:type invariant] inv1 bor }; assume { resolve0 bor }; return _0 @@ -116,7 +116,7 @@ module FinalBorrows_StoreChangesProphecy } BB3 { assert { [@expl:assertion] [#"../final_borrows.rs" 15 18 15 27] b1 = bor }; - [#"../final_borrows.rs" 11 52 16 1] _0 <- ([#"../final_borrows.rs" 11 52 16 1] ()); + [#"../final_borrows.rs" 11 52 16 1] _0 <- ([#"../final_borrows.rs" 11 52 16 1] [#"../final_borrows.rs" 11 52 16 1] ()); goto BB4 } BB4 { 
@@ -134,7 +134,7 @@ module FinalBorrows_CallChangesProphecy_Inner goto BB0 } BB0 { - [#"../final_borrows.rs" 20 8 20 9] _0 <- ([#"../final_borrows.rs" 20 8 20 9] (2 : int32)); + [#"../final_borrows.rs" 20 8 20 9] _0 <- ([#"../final_borrows.rs" 20 8 20 9] [#"../final_borrows.rs" 20 8 20 9] (2 : int32)); return _0 } @@ -163,7 +163,7 @@ module FinalBorrows_CallChangesProphecy [#"../final_borrows.rs" 22 13 22 22] b1 <- Borrow.borrow_final ( * bor) (Borrow.get_id bor); [#"../final_borrows.rs" 22 13 22 22] bor <- { bor with current = ( ^ b1) ; }; assume { resolve0 b1 }; - [#"../final_borrows.rs" 24 11 24 18] _3 <- ([#"../final_borrows.rs" 24 11 24 18] inner0 ()); + [#"../final_borrows.rs" 24 11 24 18] _3 <- ([#"../final_borrows.rs" 24 11 24 18] inner0 ([#"../final_borrows.rs" 24 11 24 18] ())); goto BB1 } BB1 { @@ -171,7 +171,7 @@ module FinalBorrows_CallChangesProphecy _3 <- any int32; assume { resolve0 bor }; assert { [@expl:assertion] [#"../final_borrows.rs" 25 18 25 27] b1 = bor }; - [#"../final_borrows.rs" 18 44 26 1] _0 <- ([#"../final_borrows.rs" 18 44 26 1] ()); + [#"../final_borrows.rs" 18 44 26 1] _0 <- ([#"../final_borrows.rs" 18 44 26 1] [#"../final_borrows.rs" 18 44 26 1] ()); return _0 } 
@@ -322,7 +322,8 @@ module FinalBorrows_Indexing requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv5 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv5 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) function index_logic1 [@inline:trivial] (self : slice t) (ix : int) : t = [#"../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model1 self) ix val index_logic1 [@inline:trivial] (self : slice t) (ix : int) : t 
@@ -339,7 +340,10 @@ module FinalBorrows_Indexing requires {[#"../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv2 self} ensures { result = to_mut_seq0 self } - axiom to_mut_seq0_spec : forall self : borrowed (slice t) . ([#"../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv2 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv3 (to_mut_seq0 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> ^ Seq.get (to_mut_seq0 self) i = index_logic1 ( ^ self) i) && ([#"../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> * Seq.get (to_mut_seq0 self) i = index_logic1 ( * self) i) && ([#"../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model0 self)) + axiom to_mut_seq0_spec : forall self : borrowed (slice t) . ([#"../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv3 (to_mut_seq0 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> ^ Seq.get (to_mut_seq0 self) i = index_logic1 ( ^ self) i) && ([#"../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> * Seq.get (to_mut_seq0 self) i = index_logic1 ( * self) i) && ([#"../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model0 self)) predicate resolve1 (self : borrowed (slice t)) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed (slice t)) : bool 
@@ -368,7 +372,7 @@ module FinalBorrows_Indexing goto BB0 } BB0 { - [#"../final_borrows.rs" 38 11 38 12] _6 <- ([#"../final_borrows.rs" 38 11 38 12] (0 : usize)); + [#"../final_borrows.rs" 38 11 38 12] _6 <- ([#"../final_borrows.rs" 38 11 38 12] [#"../final_borrows.rs" 38 11 38 12] (0 : usize)); [#"../final_borrows.rs" 38 9 38 13] _7 <- ([#"../final_borrows.rs" 38 9 38 13] Slice.length ( * x)); [#"../final_borrows.rs" 38 9 38 13] _8 <- ([#"../final_borrows.rs" 38 9 38 13] _6 < _7); assert { [@expl:index in bounds] [#"../final_borrows.rs" 38 9 38 13] _8 }; diff --git a/creusot/tests/should_fail/opaque_unproveable.mlcfg b/creusot/tests/should_fail/opaque_unproveable.mlcfg index 3e329c822b..d16c6770d3 100644 --- a/creusot/tests/should_fail/opaque_unproveable.mlcfg +++ b/creusot/tests/should_fail/opaque_unproveable.mlcfg @@ -12,7 +12,7 @@ module OpaqueUnproveable_Test } BB0 { assert { [@expl:assertion] [#"../opaque_unproveable.rs" 16 18 16 29] opaque0 () }; - [#"../opaque_unproveable.rs" 14 14 17 1] _0 <- ([#"../opaque_unproveable.rs" 14 14 17 1] ()); + [#"../opaque_unproveable.rs" 14 14 17 1] _0 <- ([#"../opaque_unproveable.rs" 14 14 17 1] [#"../opaque_unproveable.rs" 14 14 17 1] ()); return _0 } diff --git a/creusot/tests/should_fail/traits/17_impl_refinement.mlcfg b/creusot/tests/should_fail/traits/17_impl_refinement.mlcfg index 2b137a4f8b..a712c14c11 100644 --- a/creusot/tests/should_fail/traits/17_impl_refinement.mlcfg +++ b/creusot/tests/should_fail/traits/17_impl_refinement.mlcfg @@ -14,7 +14,7 @@ module C17ImplRefinement_Impl0_MyFunction goto BB0 } BB0 { - [#"../17_impl_refinement.rs" 15 8 15 10] _0 <- ([#"../17_impl_refinement.rs" 15 8 15 10] (20 : usize)); + [#"../17_impl_refinement.rs" 15 8 15 10] _0 <- ([#"../17_impl_refinement.rs" 15 8 15 10] [#"../17_impl_refinement.rs" 15 8 15 10] (20 : usize)); return _0 } 
@@ -42,11 +42,13 @@ module C17ImplRefinement_Impl0 use prelude.UIntSize use prelude.Int use prelude.Borrow - goal my_function_refn : [#"../17_impl_refinement.rs" 14 4 14 34] forall self : () . inv0 self -> (forall result : usize . UIntSize.to_int result >= 15 -> UIntSize.to_int result >= 10) + goal my_function_refn : [#"../17_impl_refinement.rs" 14 4 14 34] forall self : () . inv0 self + -> (forall result : usize . UIntSize.to_int result >= 15 -> UIntSize.to_int result >= 10) end module C17ImplRefinement_Impl1 use prelude.UInt64 use prelude.UInt64 use prelude.Int - goal need_false_refn : [#"../17_impl_refinement.rs" 29 4 29 25] forall x : uint64 . UInt64.to_int x >= 10 -> UInt64.to_int x >= 15 + goal need_false_refn : [#"../17_impl_refinement.rs" 29 4 29 25] forall x : uint64 . UInt64.to_int x >= 10 + -> UInt64.to_int x >= 15 end diff --git a/creusot/tests/should_succeed/100doors.mlcfg b/creusot/tests/should_succeed/100doors.mlcfg index 81005bcef7..b6db1c061c 100644 --- a/creusot/tests/should_succeed/100doors.mlcfg +++ b/creusot/tests/should_succeed/100doors.mlcfg 
@@ -174,7 +174,8 @@ module C100doors_F requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv3 (shallow_model0 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -207,7 +208,9 @@ module C100doors_F predicate produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces0 self visited o } 
@@ -223,14 +226,22 @@ module C100doors_F requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv11 ab) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv11 bc) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv11 ab) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv11 bc) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : Core_Ops_Range_Range_Type.t_range usize) = [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant0 (self : Core_Ops_Range_Range_Type.t_range usize) : bool 
@@ -252,7 +263,8 @@ module C100doors_F ensures { result = index_logic0 self ix } predicate resolve2 (self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve3 (index_logic0 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve3 (index_logic0 self i) val resolve2 (self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve2 self } @@ -263,7 +275,8 @@ module C100doors_F use prelude.Slice predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq bool) (fin : Seq.seq bool) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq bool) (fin : Seq.seq bool) : bool ensures { result = resolve_elswhere0 self old' fin } 
@@ -350,7 +363,8 @@ module C100doors_F val from_elem0 (elem : bool) (n : usize) : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global) requires {inv1 elem} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model0 result) = UIntSize.to_int n } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic0 result i = elem } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic0 result i = elem } ensures { inv2 result } let rec cfg f [#"../100doors.rs" 18 0 18 10] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () @@ -379,11 +393,11 @@ module C100doors_F goto BB0 } BB0 { - [#"../100doors.rs" 19 35 19 51] door_open <- ([#"../100doors.rs" 19 35 19 51] from_elem0 false (100 : usize)); + [#"../100doors.rs" 19 35 19 51] door_open <- ([#"../100doors.rs" 19 35 19 51] from_elem0 ([#"../100doors.rs" 19 40 19 45] false) ([#"../100doors.rs" 19 47 19 50] (100 : usize))); goto BB1 } BB1 { - [#"../100doors.rs" 21 16 21 22] _3 <- ([#"../100doors.rs" 21 16 21 22] Core_Ops_Range_Range_Type.C_Range (1 : usize) (101 : usize)); + [#"../100doors.rs" 21 16 21 22] _3 <- ([#"../100doors.rs" 21 16 21 22] Core_Ops_Range_Range_Type.C_Range ([#"../100doors.rs" 21 16 21 17] (1 : usize)) ([#"../100doors.rs" 21 19 21 22] (101 : usize))); [#"../100doors.rs" 20 4 20 41] iter <- ([#"../100doors.rs" 20 4 20 41] into_iter0 _3); _3 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB2 @@ -426,7 +440,7 @@ module C100doors_F } BB9 { assume { resolve2 door_open }; - [#"../100doors.rs" 20 4 20 41] _0 <- ([#"../100doors.rs" 20 4 20 41] ()); + [#"../100doors.rs" 20 4 20 41] _0 <- ([#"../100doors.rs" 20 4 20 41] [#"../100doors.rs" 20 4 20 41] ()); goto BB21 } BB10 { 
@@ -458,14 +472,14 @@ module C100doors_F goto BB16 } BB16 { - [#"../100doors.rs" 25 14 25 25] _23 <- ([#"../100doors.rs" 25 14 25 25] door <= (100 : usize)); + [#"../100doors.rs" 25 14 25 25] _23 <- ([#"../100doors.rs" 25 14 25 25] door <= ([#"../100doors.rs" 25 22 25 25] (100 : usize))); switch (_23) | False -> goto BB20 | True -> goto BB17 end } BB17 { - [#"../100doors.rs" 26 45 26 53] _28 <- ([#"../100doors.rs" 26 45 26 53] door - (1 : usize)); + [#"../100doors.rs" 26 45 26 53] _28 <- ([#"../100doors.rs" 26 45 26 53] door - ([#"../100doors.rs" 26 52 26 53] (1 : usize))); [#"../100doors.rs" 26 44 26 54] _26 <- ([#"../100doors.rs" 26 44 26 54] index0 door_open _28); _28 <- any usize; goto BB18 @@ -473,7 +487,7 @@ module C100doors_F BB18 { [#"../100doors.rs" 26 12 26 21] _31 <- Borrow.borrow_mut door_open; [#"../100doors.rs" 26 12 26 21] door_open <- ^ _31; - [#"../100doors.rs" 26 22 26 30] _32 <- ([#"../100doors.rs" 26 22 26 30] door - (1 : usize)); + [#"../100doors.rs" 26 22 26 30] _32 <- ([#"../100doors.rs" 26 22 26 30] door - ([#"../100doors.rs" 26 29 26 30] (1 : usize))); [#"../100doors.rs" 26 21 26 31] _30 <- ([#"../100doors.rs" 26 21 26 31] index_mut0 _31 _32); _31 <- any borrowed (Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global)); _32 <- any usize; @@ -483,11 +497,11 @@ module C100doors_F [#"../100doors.rs" 26 12 26 54] _30 <- { _30 with current = ([#"../100doors.rs" 26 12 26 54] not _26) ; }; assume { resolve1 _30 }; [#"../100doors.rs" 27 12 27 24] door <- ([#"../100doors.rs" 27 12 27 24] door + pass); - [#"../100doors.rs" 25 26 28 9] _11 <- ([#"../100doors.rs" 25 26 28 9] ()); + [#"../100doors.rs" 25 26 28 9] _11 <- ([#"../100doors.rs" 25 26 28 9] [#"../100doors.rs" 25 26 28 9] ()); goto BB15 } BB20 { - [#"../100doors.rs" 25 8 28 9] _11 <- ([#"../100doors.rs" 25 8 28 9] ()); + [#"../100doors.rs" 25 8 28 9] _11 <- ([#"../100doors.rs" 25 8 28 9] [#"../100doors.rs" 25 8 28 9] ()); goto BB6 } BB21 { 
diff --git a/creusot/tests/should_succeed/all_zero.mlcfg b/creusot/tests/should_succeed/all_zero.mlcfg index a5d2f172c2..7f2f2add47 100644 --- a/creusot/tests/should_succeed/all_zero.mlcfg +++ b/creusot/tests/should_succeed/all_zero.mlcfg @@ -66,7 +66,8 @@ module AllZero_AllZero use prelude.Snapshot let rec cfg all_zero [#"../all_zero.rs" 34 0 34 29] [@cfg:stackify] [@cfg:subregion_analysis] (l : borrowed (AllZero_List_Type.t_list)) : () - ensures { [#"../all_zero.rs" 32 0 32 77] forall i : int . 0 <= i /\ i < len0 ( * l) -> get0 ( ^ l) i = Core_Option_Option_Type.C_Some (0 : uint32) } + ensures { [#"../all_zero.rs" 32 0 32 77] forall i : int . 0 <= i /\ i < len0 ( * l) + -> get0 ( ^ l) i = Core_Option_Option_Type.C_Some (0 : uint32) } ensures { [#"../all_zero.rs" 33 10 33 34] len0 ( * l) = len0 ( ^ l) } = [@vc:do_not_keep_trace] [@vc:sp] @@ -90,8 +91,12 @@ module AllZero_AllZero goto BB2 } BB2 { - invariant { [#"../all_zero.rs" 39 4 41 88] (forall i : int . 0 <= i /\ i < len0 ( * loop_l) -> get0 ( ^ loop_l) i = Core_Option_Option_Type.C_Some (0 : uint32)) -> (forall i : int . 0 <= i /\ i < len0 ( * Snapshot.inner old_l) -> get0 ( ^ Snapshot.inner old_l) i = Core_Option_Option_Type.C_Some (0 : uint32)) }; - invariant { [#"../all_zero.rs" 39 4 41 88] len0 ( ^ loop_l) = len0 ( * loop_l) -> len0 ( ^ Snapshot.inner old_l) = len0 ( * Snapshot.inner old_l) }; + invariant { [#"../all_zero.rs" 39 4 41 88] (forall i : int . 0 <= i /\ i < len0 ( * loop_l) + -> get0 ( ^ loop_l) i = Core_Option_Option_Type.C_Some (0 : uint32)) + -> (forall i : int . 0 <= i /\ i < len0 ( * Snapshot.inner old_l) + -> get0 ( ^ Snapshot.inner old_l) i = Core_Option_Option_Type.C_Some (0 : uint32)) }; + invariant { [#"../all_zero.rs" 39 4 41 88] len0 ( ^ loop_l) = len0 ( * loop_l) + -> len0 ( ^ Snapshot.inner old_l) = len0 ( * Snapshot.inner old_l) }; goto BB3 } BB3 { 
@@ -108,7 +113,7 @@ module AllZero_AllZero [#"../all_zero.rs" 43 19 43 24] loop_l <- { loop_l with current = (let AllZero_List_Type.C_Cons x0 x1 = * loop_l in AllZero_List_Type.C_Cons ( ^ value) x1) ; }; [#"../all_zero.rs" 43 26 43 30] next <- Borrow.borrow_final (AllZero_List_Type.cons_1 ( * loop_l)) (Borrow.inherit_id (Borrow.get_id loop_l) 2); [#"../all_zero.rs" 43 26 43 30] loop_l <- { loop_l with current = (let AllZero_List_Type.C_Cons x0 x1 = * loop_l in AllZero_List_Type.C_Cons x0 ( ^ next)) ; }; - [#"../all_zero.rs" 44 8 44 18] value <- { value with current = ([#"../all_zero.rs" 44 8 44 18] (0 : uint32)) ; }; + [#"../all_zero.rs" 44 8 44 18] value <- { value with current = ([#"../all_zero.rs" 44 8 44 18] [#"../all_zero.rs" 44 17 44 18] (0 : uint32)) ; }; assume { resolve0 value }; [#"../all_zero.rs" 45 17 45 21] _13 <- Borrow.borrow_mut ( * next); [#"../all_zero.rs" 45 17 45 21] next <- { next with current = ( ^ _13) ; }; @@ -120,7 +125,7 @@ module AllZero_AllZero } BB6 { assume { resolve1 loop_l }; - [#"../all_zero.rs" 43 4 46 5] _0 <- ([#"../all_zero.rs" 43 4 46 5] ()); + [#"../all_zero.rs" 43 4 46 5] _0 <- ([#"../all_zero.rs" 43 4 46 5] [#"../all_zero.rs" 43 4 46 5] ()); return _0 } diff --git a/creusot/tests/should_succeed/bdd.mlcfg b/creusot/tests/should_succeed/bdd.mlcfg index 5f5e1a999c..25edba4d23 100644 --- a/creusot/tests/should_succeed/bdd.mlcfg +++ b/creusot/tests/should_succeed/bdd.mlcfg 
@@ -95,15 +95,21 @@ module Bdd_Hashmap_Impl2_Hash (64 : uint32) val wrapping_add0 (self : uint64) (rhs : uint64) : uint64 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt64.to_int result = EuclideanDivision.mod (UInt64.to_int self + UInt64.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt64.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt64.to_int self + UInt64.to_int rhs >= UInt64.to_int min0 /\ UInt64.to_int self + UInt64.to_int rhs <= UInt64.to_int max0 -> UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt64.to_int self + UInt64.to_int rhs < UInt64.to_int min0 -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs + k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt64.to_int self + UInt64.to_int rhs > UInt64.to_int max0 -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs - k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt64.to_int self + UInt64.to_int rhs >= UInt64.to_int min0 /\ UInt64.to_int self + UInt64.to_int rhs <= UInt64.to_int max0 + -> UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt64.to_int self + UInt64.to_int rhs < UInt64.to_int min0 + -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs + k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt64.to_int self + UInt64.to_int rhs > UInt64.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs - k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } val wrapping_mul0 (self : uint64) (rhs : uint64) : uint64 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt64.to_int result = EuclideanDivision.mod (UInt64.to_int self * UInt64.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt64.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt64.to_int self * UInt64.to_int rhs >= UInt64.to_int min0 /\ UInt64.to_int self * UInt64.to_int rhs <= UInt64.to_int max0 -> UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt64.to_int self * UInt64.to_int rhs < UInt64.to_int min0 -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs + k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt64.to_int self * UInt64.to_int rhs > UInt64.to_int max0 -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs - k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt64.to_int self * UInt64.to_int rhs >= UInt64.to_int min0 /\ UInt64.to_int self * UInt64.to_int rhs <= UInt64.to_int max0 + -> UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt64.to_int self * UInt64.to_int rhs < UInt64.to_int min0 + -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs + k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt64.to_int self * UInt64.to_int rhs > UInt64.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs - k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } function deep_model2 (self : v) : deep_model_ty1 = [#"../../../../creusot-contracts/src/model.rs" 74 8 74 28] deep_model5 self @@ -151,7 +157,7 @@ module Bdd_Hashmap_Impl2_Hash goto BB2 } BB2 { - [#"../bdd.rs" 77 39 77 69] _5 <- ([#"../bdd.rs" 77 39 77 69] wrapping_mul0 _6 (17 : uint64)); + [#"../bdd.rs" 77 39 77 69] _5 <- ([#"../bdd.rs" 77 39 77 69] wrapping_mul0 _6 ([#"../bdd.rs" 77 66 77 68] (17 : uint64))); _6 <- any uint64; goto BB3 } @@ -218,7 +224,7 @@ module Bdd_Impl13_AssertReceiverIsTotalEq goto BB0 } BB0 { - [#"../bdd.rs" 90 9 90 11] _0 <- ([#"../bdd.rs" 90 9 90 11] ()); + [#"../bdd.rs" 90 9 90 11] _0 <- ([#"../bdd.rs" 90 9 90 11] [#"../bdd.rs" 90 9 90 11] ()); return _0 } @@ -371,7 +377,7 @@ module Bdd_Impl14_Eq } BB3 { assume { resolve0 _4 }; - [#"../bdd.rs" 90 13 90 22] _0 <- ([#"../bdd.rs" 90 13 90 22] false); + [#"../bdd.rs" 90 13 90 22] _0 <- ([#"../bdd.rs" 90 13 90 22] [#"../bdd.rs" 90 13 90 22] false); goto BB22 } BB4 { @@ -394,12 +400,12 @@ module Bdd_Impl14_Eq } BB8 { assume { resolve0 _4 }; - [#"../bdd.rs" 90 13 90 22] _0 <- ([#"../bdd.rs" 90 13 90 22] true); + [#"../bdd.rs" 90 13 90 22] _0 <- ([#"../bdd.rs" 90 13 90 22] [#"../bdd.rs" 90 13 90 22] true); goto BB22 } BB9 { assume { resolve0 _4 }; - [#"../bdd.rs" 90 13 90 22] _0 <- ([#"../bdd.rs" 90 13 90 22] true); + [#"../bdd.rs" 90 13 90 22] _0 <- ([#"../bdd.rs" 90 13 90 22] [#"../bdd.rs" 90 13 90 22] true); goto BB22 } BB10 { @@ -440,7 +446,7 @@ module Bdd_Impl14_Eq end } BB16 { - [#"../bdd.rs" 90 13 90 22] _0 <- ([#"../bdd.rs" 90 13 90 22] true); + [#"../bdd.rs" 90 13 90 22] _0 <- ([#"../bdd.rs" 90 13 90 22] [#"../bdd.rs" 90 13 90 22] true); goto BB21 } BB17 { 
@@ -453,7 +459,7 @@ module Bdd_Impl14_Eq goto BB20 } BB20 { - [#"../bdd.rs" 90 13 90 22] _0 <- ([#"../bdd.rs" 90 13 90 22] false); + [#"../bdd.rs" 90 13 90 22] _0 <- ([#"../bdd.rs" 90 13 90 22] [#"../bdd.rs" 90 13 90 22] false); goto BB21 } BB21 { @@ -578,7 +584,7 @@ module Bdd_Impl19_AssertReceiverIsTotalEq goto BB0 } BB0 { - [#"../bdd.rs" 104 15 104 17] _0 <- ([#"../bdd.rs" 104 15 104 17] ()); + [#"../bdd.rs" 104 15 104 17] _0 <- ([#"../bdd.rs" 104 15 104 17] [#"../bdd.rs" 104 15 104 17] ()); return _0 } 
@@ -631,15 +637,21 @@ module Bdd_Impl1_Hash (64 : uint32) val wrapping_add0 (self : uint64) (rhs : uint64) : uint64 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt64.to_int result = EuclideanDivision.mod (UInt64.to_int self + UInt64.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt64.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt64.to_int self + UInt64.to_int rhs >= UInt64.to_int min0 /\ UInt64.to_int self + UInt64.to_int rhs <= UInt64.to_int max0 -> UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt64.to_int self + UInt64.to_int rhs < UInt64.to_int min0 -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs + k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt64.to_int self + UInt64.to_int rhs > UInt64.to_int max0 -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs - k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt64.to_int self + UInt64.to_int rhs >= UInt64.to_int min0 /\ UInt64.to_int self + UInt64.to_int rhs <= UInt64.to_int max0 + -> UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt64.to_int self + UInt64.to_int rhs < UInt64.to_int min0 + -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs + k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt64.to_int self + UInt64.to_int rhs > UInt64.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs - k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } val wrapping_mul0 (self : uint64) (rhs : uint64) : uint64 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt64.to_int result = EuclideanDivision.mod (UInt64.to_int self * UInt64.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt64.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt64.to_int self * UInt64.to_int rhs >= UInt64.to_int min0 /\ UInt64.to_int self * UInt64.to_int rhs <= UInt64.to_int max0 -> UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt64.to_int self * UInt64.to_int rhs < UInt64.to_int min0 -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs + k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt64.to_int self * UInt64.to_int rhs > UInt64.to_int max0 -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs - k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt64.to_int self * UInt64.to_int rhs >= UInt64.to_int min0 /\ UInt64.to_int self * UInt64.to_int rhs <= UInt64.to_int max0 + -> UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt64.to_int self * UInt64.to_int rhs < UInt64.to_int min0 + -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs + k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt64.to_int self * UInt64.to_int rhs > UInt64.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs - k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } let rec cfg hash [#"../bdd.rs" 116 4 116 25] [@cfg:stackify] [@cfg:subregion_analysis] (self : Bdd_Node_Type.t_node) : uint64 ensures { [#"../bdd.rs" 115 14 115 46] UInt64.to_int result = hash_log0 (shallow_model1 self) } @@ -673,7 +685,7 @@ module Bdd_Impl1_Hash [#"../bdd.rs" 120 17 120 18] v <- ([#"../bdd.rs" 120 17 120 18] Bdd_Node_Type.if_v self); [#"../bdd.rs" 120 20 120 26] childt <- ([#"../bdd.rs" 120 20 120 26] Bdd_Node_Type.if_childt self); [#"../bdd.rs" 120 28 120 34] childf <- ([#"../bdd.rs" 120 28 120 34] Bdd_Node_Type.if_childf self); - [#"../bdd.rs" 121 31 121 55] _9 <- ([#"../bdd.rs" 121 31 121 55] wrapping_mul0 (Bdd_Bdd_Type.bdd_1 childt) (5 : uint64)); + [#"../bdd.rs" 121 31 121 55] _9 <- ([#"../bdd.rs" 121 31 121 55] wrapping_mul0 (Bdd_Bdd_Type.bdd_1 childt) ([#"../bdd.rs" 121 53 121 54] (5 : uint64))); goto BB7 } BB4 { @@ -681,11 +693,11 @@ module Bdd_Impl1_Hash absurd } BB5 { - [#"../bdd.rs" 118 21 118 22] _0 <- ([#"../bdd.rs" 118 21 118 22] (1 : uint64)); + [#"../bdd.rs" 118 21 118 22] _0 <- ([#"../bdd.rs" 118 21 118 22] [#"../bdd.rs" 118 21 118 22] (1 : uint64)); goto BB11 } BB6 { - [#"../bdd.rs" 119 20 119 21] _0 <- ([#"../bdd.rs" 119 20 119 21] (2 : uint64)); + [#"../bdd.rs" 119 20 119 21] _0 <- ([#"../bdd.rs" 119 20 119 21] [#"../bdd.rs" 119 20 119 21] (2 : uint64)); goto BB11 } BB7 { @@ -694,7 +706,7 @@ module Bdd_Impl1_Hash goto BB8 } BB8 { - [#"../bdd.rs" 121 70 121 94] _11 <- ([#"../bdd.rs" 121 70 121 94] wrapping_mul0 (Bdd_Bdd_Type.bdd_1 childf) (7 : uint64)); + [#"../bdd.rs" 121 70 121 94] _11 <- ([#"../bdd.rs" 121 70 121 94] wrapping_mul0 (Bdd_Bdd_Type.bdd_1 childf) ([#"../bdd.rs" 121 92 121 93] (7 : uint64))); goto BB9 } BB9 { 
@@ -761,7 +773,9 @@ module Bdd_Impl8_Size_Impl goal vc_size : match self with | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_True) _ -> [#"../bdd.rs" 223 14 223 25] 0 >= 0 | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_False) _ -> [#"../bdd.rs" 223 14 223 25] 0 >= 0 - | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_If _ childt childf) _ -> ([#"../bdd.rs" 223 14 223 25] size childt >= 0) -> (let ht = size childt in ([#"../bdd.rs" 223 14 223 25] size childf >= 0) -> (let hf = size childf in [#"../bdd.rs" 223 14 223 25] 1 + ht + hf >= 0)) + | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_If _ childt childf) _ -> ([#"../bdd.rs" 223 14 223 25] size childt >= 0) + -> (let ht = size childt in ([#"../bdd.rs" 223 14 223 25] size childf >= 0) + -> (let hf = size childf in [#"../bdd.rs" 223 14 223 25] 1 + ht + hf >= 0)) end end module Bdd_Context_Type @@ -948,7 +962,9 @@ module Bdd_Impl10_GrowsIsValidBdd_Impl constant b : Bdd_Bdd_Type.t_bdd function grows_is_valid_bdd [#"../bdd.rs" 336 4 336 56] (self : borrowed (Bdd_Context_Type.t_context)) (b : Bdd_Bdd_Type.t_bdd) : () - goal vc_grows_is_valid_bdd : ([#"../bdd.rs" 336 35 336 39] inv0 self) -> ([#"../bdd.rs" 334 15 334 35] is_valid_bdd0 ( * self) b) -> ([#"../bdd.rs" 333 15 333 27] grows0 self) -> ([#"../bdd.rs" 335 14 335 37] is_valid_bdd0 ( ^ self) b) + goal vc_grows_is_valid_bdd : ([#"../bdd.rs" 336 35 336 39] inv0 self) + -> ([#"../bdd.rs" 334 15 334 35] is_valid_bdd0 ( * self) b) + -> ([#"../bdd.rs" 333 15 333 27] grows0 self) -> ([#"../bdd.rs" 335 14 335 37] is_valid_bdd0 ( ^ self) b) end module Bdd_Impl10_GrowsTrans_Impl use Bdd_Bdd_Type as Bdd_Bdd_Type 
@@ -1090,7 +1106,13 @@ module Bdd_Impl10_GrowsTrans_Impl constant oo : borrowed (Bdd_Context_Type.t_context) function grows_trans [#"../bdd.rs" 345 4 345 62] (self : borrowed (Bdd_Context_Type.t_context)) (o : borrowed (Bdd_Context_Type.t_context)) (oo : borrowed (Bdd_Context_Type.t_context)) : () - goal vc_grows_trans : ([#"../bdd.rs" 345 48 345 50] inv0 oo) -> ([#"../bdd.rs" 345 34 345 35] inv0 o) -> ([#"../bdd.rs" 345 28 345 32] inv0 self) -> ([#"../bdd.rs" 343 15 343 43] * self = * oo /\ ^ self = ^ oo) -> ([#"../bdd.rs" 342 15 342 26] ^ self = * o) -> ([#"../bdd.rs" 341 15 341 24] grows0 o) -> ([#"../bdd.rs" 340 15 340 27] grows0 self) -> ([#"../bdd.rs" 344 14 344 24] grows0 oo) + goal vc_grows_trans : ([#"../bdd.rs" 345 48 345 50] inv0 oo) + -> ([#"../bdd.rs" 345 34 345 35] inv0 o) + -> ([#"../bdd.rs" 345 28 345 32] inv0 self) + -> ([#"../bdd.rs" 343 15 343 43] * self = * oo /\ ^ self = ^ oo) + -> ([#"../bdd.rs" 342 15 342 26] ^ self = * o) + -> ([#"../bdd.rs" 341 15 341 24] grows0 o) + -> ([#"../bdd.rs" 340 15 340 27] grows0 self) -> ([#"../bdd.rs" 344 14 344 24] grows0 oo) end module Bdd_Impl10_SetIrreleventVar_Impl use Bdd_Bdd_Type as Bdd_Bdd_Type 
@@ -1217,8 +1239,13 @@ module Bdd_Impl10_SetIrreleventVar_Impl constant b : bool function set_irrelevent_var [#"../bdd.rs" 351 4 351 87] (self : Bdd_Context_Type.t_context) (a : Bdd_Bdd_Type.t_bdd) (x : uint64) (v : Map.map uint64 bool) (b : bool) : () - goal vc_set_irrelevent_var : ([#"../bdd.rs" 351 26 351 30] inv0 self) -> ([#"../bdd.rs" 349 15 349 32] UInt64.to_int x < leastvar0 a) -> ([#"../bdd.rs" 348 15 348 35] is_valid_bdd0 self a) -> match a with - | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_If _ childt childf) _ -> (([#"../bdd.rs" 351 26 351 30] inv0 self) && ([#"../bdd.rs" 349 15 349 32] UInt64.to_int x < leastvar0 childt) && ([#"../bdd.rs" 348 15 348 35] is_valid_bdd0 self childt)) /\ (([#"../bdd.rs" 350 14 350 50] interp0 childt v = interp0 childt (Map.set v x b)) -> (let _ = set_irrelevent_var self childt x v b in (([#"../bdd.rs" 351 26 351 30] inv0 self) && ([#"../bdd.rs" 349 15 349 32] UInt64.to_int x < leastvar0 childf) && ([#"../bdd.rs" 348 15 348 35] is_valid_bdd0 self childf)) /\ (([#"../bdd.rs" 350 14 350 50] interp0 childf v = interp0 childf (Map.set v x b)) -> (let _ = set_irrelevent_var self childf x v b in [#"../bdd.rs" 350 14 350 50] interp0 a v = interp0 a (Map.set v x b))))) + goal vc_set_irrelevent_var : ([#"../bdd.rs" 351 26 351 30] inv0 self) + -> ([#"../bdd.rs" 349 15 349 32] UInt64.to_int x < leastvar0 a) + -> ([#"../bdd.rs" 348 15 348 35] is_valid_bdd0 self a) + -> match a with + | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_If _ childt childf) _ -> (([#"../bdd.rs" 351 26 351 30] inv0 self) && ([#"../bdd.rs" 349 15 349 32] UInt64.to_int x < leastvar0 childt) && ([#"../bdd.rs" 348 15 348 35] is_valid_bdd0 self childt)) /\ (([#"../bdd.rs" 350 14 350 50] interp0 childt v = interp0 childt (Map.set v x b)) + -> (let _ = set_irrelevent_var self childt x v b in (([#"../bdd.rs" 351 26 351 30] inv0 self) && ([#"../bdd.rs" 349 15 349 32] UInt64.to_int x < leastvar0 childf) && ([#"../bdd.rs" 348 15 348 35] is_valid_bdd0 self childf)) /\ (([#"../bdd.rs" 350 
14 350 50] interp0 childf v = interp0 childf (Map.set v x b)) + -> (let _ = set_irrelevent_var self childf x v b in [#"../bdd.rs" 350 14 350 50] interp0 a v = interp0 a (Map.set v x b))))) | _ -> [#"../bdd.rs" 350 14 350 50] interp0 a v = interp0 a (Map.set v x b) end end @@ -1354,7 +1381,10 @@ module Bdd_Impl10_DiscrValuation_Impl requires {[#"../bdd.rs" 351 26 351 30] inv0 self} ensures { result = set_irrelevent_var0 self a x v b } - axiom set_irrelevent_var0_spec : forall self : Bdd_Context_Type.t_context, a : Bdd_Bdd_Type.t_bdd, x : uint64, v : Map.map uint64 bool, b : bool . ([#"../bdd.rs" 348 15 348 35] is_valid_bdd0 self a) -> ([#"../bdd.rs" 349 15 349 32] UInt64.to_int x < leastvar0 a) -> ([#"../bdd.rs" 351 26 351 30] inv0 self) -> ([#"../bdd.rs" 350 14 350 50] interp0 a v = interp0 a (Map.set v x b)) + axiom set_irrelevent_var0_spec : forall self : Bdd_Context_Type.t_context, a : Bdd_Bdd_Type.t_bdd, x : uint64, v : Map.map uint64 bool, b : bool . ([#"../bdd.rs" 348 15 348 35] is_valid_bdd0 self a) + -> ([#"../bdd.rs" 349 15 349 32] UInt64.to_int x < leastvar0 a) + -> ([#"../bdd.rs" 351 26 351 30] inv0 self) + -> ([#"../bdd.rs" 350 14 350 50] interp0 a v = interp0 a (Map.set v x b)) function size0 [#"../bdd.rs" 224 4 224 24] (self : Bdd_Bdd_Type.t_bdd) : int = [#"../bdd.rs" 226 12 234 13] match self with | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_True) _ -> 0 
@@ -1370,27 +1400,37 @@ module Bdd_Impl10_DiscrValuation_Impl constant b : Bdd_Bdd_Type.t_bdd function discr_valuation [#"../bdd.rs" 370 4 370 82] (self : Bdd_Context_Type.t_context) (a : Bdd_Bdd_Type.t_bdd) (b : Bdd_Bdd_Type.t_bdd) : Map.map uint64 bool - goal vc_discr_valuation : ([#"../bdd.rs" 370 23 370 27] inv0 self) -> ([#"../bdd.rs" 366 15 366 21] a <> b) -> ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self b) -> ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self a) -> (let _ = set_irrelevent_var0 in match leastvar0 a < leastvar0 b with + goal vc_discr_valuation : ([#"../bdd.rs" 370 23 370 27] inv0 self) + -> ([#"../bdd.rs" 366 15 366 21] a <> b) + -> ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self b) + -> ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self a) + -> (let _ = set_irrelevent_var0 in match leastvar0 a < leastvar0 b with | True -> match a with | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_If v childt childf) _ -> match childf <> b with - | True -> ((([#"../bdd.rs" 370 23 370 27] inv0 self) && ([#"../bdd.rs" 366 15 366 21] childf <> b) && ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self b) && ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self childf)) /\ 0 <= ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b) /\ ([#"../bdd.rs" 368 14 368 33] size0 childf + size0 b) < ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b)) /\ (([#"../bdd.rs" 367 14 367 50] interp0 childf (discr_valuation self childf b) <> interp0 b (discr_valuation self childf b)) -> (let result = Map.set (discr_valuation self childf b) v false in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result)) - | False -> ((([#"../bdd.rs" 370 23 370 27] inv0 self) && ([#"../bdd.rs" 366 15 366 21] childt <> b) && ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self b) && ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self childt)) /\ 0 <= ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b) /\ ([#"../bdd.rs" 368 14 368 33] size0 childt + size0 b) < ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b)) /\ 
(([#"../bdd.rs" 367 14 367 50] interp0 childt (discr_valuation self childt b) <> interp0 b (discr_valuation self childt b)) -> (let result = Map.set (discr_valuation self childt b) v true in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result)) + | True -> ((([#"../bdd.rs" 370 23 370 27] inv0 self) && ([#"../bdd.rs" 366 15 366 21] childf <> b) && ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self b) && ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self childf)) /\ 0 <= ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b) /\ ([#"../bdd.rs" 368 14 368 33] size0 childf + size0 b) < ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b)) /\ (([#"../bdd.rs" 367 14 367 50] interp0 childf (discr_valuation self childf b) <> interp0 b (discr_valuation self childf b)) + -> (let result = Map.set (discr_valuation self childf b) v false in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result)) + | False -> ((([#"../bdd.rs" 370 23 370 27] inv0 self) && ([#"../bdd.rs" 366 15 366 21] childt <> b) && ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self b) && ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self childt)) /\ 0 <= ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b) /\ ([#"../bdd.rs" 368 14 368 33] size0 childt + size0 b) < ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b)) /\ (([#"../bdd.rs" 367 14 367 50] interp0 childt (discr_valuation self childt b) <> interp0 b (discr_valuation self childt b)) + -> (let result = Map.set (discr_valuation self childt b) v true in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result)) end | _ -> let result = Const.const true in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result end | False -> match leastvar0 a > leastvar0 b with | True -> match b with | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_If v childt childf) _ -> match childf <> a with - | True -> ((([#"../bdd.rs" 370 23 370 27] inv0 self) && ([#"../bdd.rs" 366 15 366 21] a <> childf) && ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self childf) && 
([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self a)) /\ 0 <= ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b) /\ ([#"../bdd.rs" 368 14 368 33] size0 a + size0 childf) < ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b)) /\ (([#"../bdd.rs" 367 14 367 50] interp0 a (discr_valuation self a childf) <> interp0 childf (discr_valuation self a childf)) -> (let result = Map.set (discr_valuation self a childf) v false in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result)) - | False -> ((([#"../bdd.rs" 370 23 370 27] inv0 self) && ([#"../bdd.rs" 366 15 366 21] a <> childt) && ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self childt) && ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self a)) /\ 0 <= ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b) /\ ([#"../bdd.rs" 368 14 368 33] size0 a + size0 childt) < ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b)) /\ (([#"../bdd.rs" 367 14 367 50] interp0 a (discr_valuation self a childt) <> interp0 childt (discr_valuation self a childt)) -> (let result = Map.set (discr_valuation self a childt) v true in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result)) + | True -> ((([#"../bdd.rs" 370 23 370 27] inv0 self) && ([#"../bdd.rs" 366 15 366 21] a <> childf) && ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self childf) && ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self a)) /\ 0 <= ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b) /\ ([#"../bdd.rs" 368 14 368 33] size0 a + size0 childf) < ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b)) /\ (([#"../bdd.rs" 367 14 367 50] interp0 a (discr_valuation self a childf) <> interp0 childf (discr_valuation self a childf)) + -> (let result = Map.set (discr_valuation self a childf) v false in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result)) + | False -> ((([#"../bdd.rs" 370 23 370 27] inv0 self) && ([#"../bdd.rs" 366 15 366 21] a <> childt) && ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self childt) && ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self a)) /\ 0 
<= ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b) /\ ([#"../bdd.rs" 368 14 368 33] size0 a + size0 childt) < ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b)) /\ (([#"../bdd.rs" 367 14 367 50] interp0 a (discr_valuation self a childt) <> interp0 childt (discr_valuation self a childt)) + -> (let result = Map.set (discr_valuation self a childt) v true in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result)) end | _ -> let result = Const.const true in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result end | False -> match a with | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_If v childta childfa) _ -> match b with | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_If _ childtb childfb) _ -> match childfa <> childfb with - | True -> ((([#"../bdd.rs" 370 23 370 27] inv0 self) && ([#"../bdd.rs" 366 15 366 21] childfa <> childfb) && ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self childfb) && ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self childfa)) /\ 0 <= ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b) /\ ([#"../bdd.rs" 368 14 368 33] size0 childfa + size0 childfb) < ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b)) /\ (([#"../bdd.rs" 367 14 367 50] interp0 childfa (discr_valuation self childfa childfb) <> interp0 childfb (discr_valuation self childfa childfb)) -> (let result = Map.set (discr_valuation self childfa childfb) v false in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result)) - | False -> ((([#"../bdd.rs" 370 23 370 27] inv0 self) && ([#"../bdd.rs" 366 15 366 21] childta <> childtb) && ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self childtb) && ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self childta)) /\ 0 <= ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b) /\ ([#"../bdd.rs" 368 14 368 33] size0 childta + size0 childtb) < ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b)) /\ (([#"../bdd.rs" 367 14 367 50] interp0 childta (discr_valuation self childta childtb) <> interp0 childtb (discr_valuation self childta childtb)) -> (let result 
= Map.set (discr_valuation self childta childtb) v true in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result)) + | True -> ((([#"../bdd.rs" 370 23 370 27] inv0 self) && ([#"../bdd.rs" 366 15 366 21] childfa <> childfb) && ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self childfb) && ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self childfa)) /\ 0 <= ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b) /\ ([#"../bdd.rs" 368 14 368 33] size0 childfa + size0 childfb) < ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b)) /\ (([#"../bdd.rs" 367 14 367 50] interp0 childfa (discr_valuation self childfa childfb) <> interp0 childfb (discr_valuation self childfa childfb)) + -> (let result = Map.set (discr_valuation self childfa childfb) v false in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result)) + | False -> ((([#"../bdd.rs" 370 23 370 27] inv0 self) && ([#"../bdd.rs" 366 15 366 21] childta <> childtb) && ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self childtb) && ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self childta)) /\ 0 <= ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b) /\ ([#"../bdd.rs" 368 14 368 33] size0 childta + size0 childtb) < ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b)) /\ (([#"../bdd.rs" 367 14 367 50] interp0 childta (discr_valuation self childta childtb) <> interp0 childtb (discr_valuation self childta childtb)) + -> (let result = Map.set (discr_valuation self childta childtb) v true in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result)) end | _ -> let result = Const.const true in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result end 
@@ -1531,7 +1571,10 @@ module Bdd_Impl10_BddCanonical_Impl requires {[#"../bdd.rs" 351 26 351 30] inv0 self} ensures { result = set_irrelevent_var0 self a x v b } - axiom set_irrelevent_var0_spec : forall self : Bdd_Context_Type.t_context, a : Bdd_Bdd_Type.t_bdd, x : uint64, v : Map.map uint64 bool, b : bool . ([#"../bdd.rs" 348 15 348 35] is_valid_bdd0 self a) -> ([#"../bdd.rs" 349 15 349 32] UInt64.to_int x < leastvar0 a) -> ([#"../bdd.rs" 351 26 351 30] inv0 self) -> ([#"../bdd.rs" 350 14 350 50] interp0 a v = interp0 a (Map.set v x b)) + axiom set_irrelevent_var0_spec : forall self : Bdd_Context_Type.t_context, a : Bdd_Bdd_Type.t_bdd, x : uint64, v : Map.map uint64 bool, b : bool . ([#"../bdd.rs" 348 15 348 35] is_valid_bdd0 self a) + -> ([#"../bdd.rs" 349 15 349 32] UInt64.to_int x < leastvar0 a) + -> ([#"../bdd.rs" 351 26 351 30] inv0 self) + -> ([#"../bdd.rs" 350 14 350 50] interp0 a v = interp0 a (Map.set v x b)) function size0 [#"../bdd.rs" 224 4 224 24] (self : Bdd_Bdd_Type.t_bdd) : int = [#"../bdd.rs" 226 12 234 13] match self with | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_True) _ -> 0 
@@ -1584,13 +1627,21 @@ module Bdd_Impl10_BddCanonical_Impl requires {[#"../bdd.rs" 370 23 370 27] inv0 self} ensures { result = discr_valuation0 self a b } - axiom discr_valuation0_spec : forall self : Bdd_Context_Type.t_context, a : Bdd_Bdd_Type.t_bdd, b : Bdd_Bdd_Type.t_bdd . ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self a) -> ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self b) -> ([#"../bdd.rs" 366 15 366 21] a <> b) -> ([#"../bdd.rs" 370 23 370 27] inv0 self) -> ([#"../bdd.rs" 367 14 367 50] interp0 a (discr_valuation0 self a b) <> interp0 b (discr_valuation0 self a b)) + axiom discr_valuation0_spec : forall self : Bdd_Context_Type.t_context, a : Bdd_Bdd_Type.t_bdd, b : Bdd_Bdd_Type.t_bdd . ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self a) + -> ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self b) + -> ([#"../bdd.rs" 366 15 366 21] a <> b) + -> ([#"../bdd.rs" 370 23 370 27] inv0 self) + -> ([#"../bdd.rs" 367 14 367 50] interp0 a (discr_valuation0 self a b) <> interp0 b (discr_valuation0 self a b)) constant self : Bdd_Context_Type.t_context constant a : Bdd_Bdd_Type.t_bdd constant b : Bdd_Bdd_Type.t_bdd function bdd_canonical [#"../bdd.rs" 418 4 418 62] (self : Bdd_Context_Type.t_context) (a : Bdd_Bdd_Type.t_bdd) (b : Bdd_Bdd_Type.t_bdd) : () - goal vc_bdd_canonical : ([#"../bdd.rs" 418 25 418 29] inv0 self) -> ([#"../bdd.rs" 415 4 415 56] forall v : Map.map uint64 bool . interp0 a v = interp0 b v) -> ([#"../bdd.rs" 414 15 414 35] is_valid_bdd0 self b) -> ([#"../bdd.rs" 413 15 413 35] is_valid_bdd0 self a) -> (let _ = discr_valuation0 in [#"../bdd.rs" 416 14 416 20] a = b) + goal vc_bdd_canonical : ([#"../bdd.rs" 418 25 418 29] inv0 self) + -> ([#"../bdd.rs" 415 4 415 56] forall v : Map.map uint64 bool . 
interp0 a v = interp0 b v) + -> ([#"../bdd.rs" 414 15 414 35] is_valid_bdd0 self b) + -> ([#"../bdd.rs" 413 15 413 35] is_valid_bdd0 self a) + -> (let _ = discr_valuation0 in [#"../bdd.rs" 416 14 416 20] a = b) end module Bdd_Impl11_New use Bdd_Bdd_Type as Bdd_Bdd_Type @@ -1743,9 +1794,9 @@ module Bdd_Impl11_New goto BB0 } BB0 { - [#"../bdd.rs" 425 16 425 21] _10 <- ([#"../bdd.rs" 425 16 425 21] promoted0); + [#"../bdd.rs" 425 16 425 21] _10 <- ([#"../bdd.rs" 425 16 425 21] [#"../bdd.rs" 425 16 425 21] promoted0); [#"../bdd.rs" 425 16 425 21] t <- ([#"../bdd.rs" 425 16 425 21] _10); - [#"../bdd.rs" 428 22 428 47] _5 <- ([#"../bdd.rs" 428 22 428 47] new0 ()); + [#"../bdd.rs" 428 22 428 47] _5 <- ([#"../bdd.rs" 428 22 428 47] new0 ([#"../bdd.rs" 428 22 428 47] ())); goto BB1 } BB1 { @@ -1753,15 +1804,15 @@ module Bdd_Impl11_New goto BB2 } BB2 { - [#"../bdd.rs" 430 22 430 47] _8 <- ([#"../bdd.rs" 430 22 430 47] new2 ()); + [#"../bdd.rs" 430 22 430 47] _8 <- ([#"../bdd.rs" 430 22 430 47] new2 ([#"../bdd.rs" 430 22 430 47] ())); goto BB3 } BB3 { - [#"../bdd.rs" 431 22 431 47] _9 <- ([#"../bdd.rs" 431 22 431 47] new3 ()); + [#"../bdd.rs" 431 22 431 47] _9 <- ([#"../bdd.rs" 431 22 431 47] new3 ([#"../bdd.rs" 431 22 431 47] ())); goto BB4 } BB4 { - [#"../bdd.rs" 426 8 433 9] _0 <- ([#"../bdd.rs" 426 8 433 9] Bdd_Context_Type.C_Context alloc _5 _6 _8 _9 (0 : uint64)); + [#"../bdd.rs" 426 8 433 9] _0 <- ([#"../bdd.rs" 426 8 433 9] Bdd_Context_Type.C_Context alloc _5 _6 _8 _9 ([#"../bdd.rs" 432 17 432 18] (0 : uint64))); _5 <- any Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Node_Type.t_node) (Bdd_Bdd_Type.t_bdd); _6 <- any Snapshot.snap_ty (Map.map uint64 (Bdd_Node_Type.t_node)); _8 <- any Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd); 
@@ -1978,7 +2029,8 @@ module Bdd_Impl11_Hashcons val add0 [#"../bdd.rs" 54 8 54 45] (self : borrowed (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Node_Type.t_node) (Bdd_Bdd_Type.t_bdd))) (key : Bdd_Node_Type.t_node) (val' : Bdd_Bdd_Type.t_bdd) : () requires {[#"../bdd.rs" 54 30 54 33] inv3 key} requires {[#"../bdd.rs" 54 38 54 41] inv5 val'} - ensures { [#"../bdd.rs" 52 8 52 128] forall i : Bdd_NodeLog_Type.t_nodelog . inv6 i -> Map.get (shallow_model3 ( ^ self)) i = (if i = deep_model1 key then + ensures { [#"../bdd.rs" 52 8 52 128] forall i : Bdd_NodeLog_Type.t_nodelog . inv6 i + -> Map.get (shallow_model3 ( ^ self)) i = (if i = deep_model1 key then Core_Option_Option_Type.C_Some val' else Map.get (shallow_model4 self) i @@ -2086,7 +2138,7 @@ module Bdd_Impl11_Hashcons BB7 { [#"../bdd.rs" 447 8 447 77] self <- { self with current = (let Bdd_Context_Type.C_Context x0 x1 x2 x3 x4 x5 = * self in Bdd_Context_Type.C_Context x0 x1 ([#"../bdd.rs" 447 8 447 77] _27) x3 x4 x5) ; }; _27 <- any Snapshot.snap_ty (Map.map uint64 (Bdd_Node_Type.t_node)); - [#"../bdd.rs" 448 22 448 34] _32 <- ([#"../bdd.rs" 448 22 448 34] (18446744073709551615 : uint64) - (1 : uint64)); + [#"../bdd.rs" 448 22 448 34] _32 <- ([#"../bdd.rs" 448 22 448 34] ([#"../bdd.rs" 448 22 448 30] (18446744073709551615 : uint64)) - ([#"../bdd.rs" 448 33 448 34] (1 : uint64))); [#"../bdd.rs" 448 11 448 34] _30 <- ([#"../bdd.rs" 448 11 448 34] Bdd_Context_Type.context_cnt ( * self) > _32); _32 <- any uint64; switch (_30) 
@@ -2105,7 +2157,7 @@ module Bdd_Impl11_Hashcons goto BB9 } BB11 { - [#"../bdd.rs" 454 8 454 21] self <- { self with current = (let Bdd_Context_Type.C_Context x0 x1 x2 x3 x4 x5 = * self in Bdd_Context_Type.C_Context x0 x1 x2 x3 x4 ([#"../bdd.rs" 454 8 454 21] Bdd_Context_Type.context_cnt ( * self) + (1 : uint64))) ; }; + [#"../bdd.rs" 454 8 454 21] self <- { self with current = (let Bdd_Context_Type.C_Context x0 x1 x2 x3 x4 x5 = * self in Bdd_Context_Type.C_Context x0 x1 x2 x3 x4 ([#"../bdd.rs" 454 8 454 21] Bdd_Context_Type.context_cnt ( * self) + ([#"../bdd.rs" 454 20 454 21] (1 : uint64)))) ; }; assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; [#"../bdd.rs" 455 8 455 9] _0 <- ([#"../bdd.rs" 455 8 455 9] r1); @@ -3118,7 +3170,8 @@ module Bdd_Impl11_Not val add0 [#"../bdd.rs" 54 8 54 45] (self : borrowed (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd))) (key : Bdd_Bdd_Type.t_bdd) (val' : Bdd_Bdd_Type.t_bdd) : () requires {[#"../bdd.rs" 54 30 54 33] inv4 key} requires {[#"../bdd.rs" 54 38 54 41] inv4 val'} - ensures { [#"../bdd.rs" 52 8 52 128] forall i : uint64 . inv5 i -> Map.get (shallow_model2 ( ^ self)) i = (if i = deep_model1 key then + ensures { [#"../bdd.rs" 52 8 52 128] forall i : uint64 . inv5 i + -> Map.get (shallow_model2 ( ^ self)) i = (if i = deep_model1 key then Core_Option_Option_Type.C_Some val' else Map.get (shallow_model3 self) i 
@@ -3578,7 +3631,8 @@ module Bdd_Impl11_And val add0 [#"../bdd.rs" 54 8 54 45] (self : borrowed (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd, Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd))) (key : (Bdd_Bdd_Type.t_bdd, Bdd_Bdd_Type.t_bdd)) (val' : Bdd_Bdd_Type.t_bdd) : () requires {[#"../bdd.rs" 54 30 54 33] inv4 key} requires {[#"../bdd.rs" 54 38 54 41] inv5 val'} - ensures { [#"../bdd.rs" 52 8 52 128] forall i : (uint64, uint64) . inv6 i -> Map.get (shallow_model2 ( ^ self)) i = (if i = deep_model2 key then + ensures { [#"../bdd.rs" 52 8 52 128] forall i : (uint64, uint64) . inv6 i + -> Map.get (shallow_model2 ( ^ self)) i = (if i = deep_model2 key then Core_Option_Option_Type.C_Some val' else Map.get (shallow_model3 self) i @@ -3869,7 +3923,7 @@ module Bdd_Impl11_And BB25 { [#"../bdd.rs" 544 24 544 53] childf <- ([#"../bdd.rs" 544 24 544 53] _52); _52 <- any Bdd_Bdd_Type.t_bdd; - [#"../bdd.rs" 541 31 545 21] _41 <- ([#"../bdd.rs" 541 31 545 21] ()); + [#"../bdd.rs" 541 31 545 21] _41 <- ([#"../bdd.rs" 541 31 545 21] [#"../bdd.rs" 541 31 545 21] ()); goto BB31 } BB26 { @@ -3894,7 +3948,7 @@ module Bdd_Impl11_And BB28 { [#"../bdd.rs" 549 24 549 53] childf <- ([#"../bdd.rs" 549 24 549 53] _61); _61 <- any Bdd_Bdd_Type.t_bdd; - [#"../bdd.rs" 546 28 550 21] _41 <- ([#"../bdd.rs" 546 28 550 21] ()); + [#"../bdd.rs" 546 28 550 21] _41 <- ([#"../bdd.rs" 546 28 550 21] [#"../bdd.rs" 546 28 550 21] ()); goto BB31 } BB29 { @@ -3910,7 +3964,7 @@ module Bdd_Impl11_And BB30 { [#"../bdd.rs" 554 24 554 59] childf <- ([#"../bdd.rs" 554 24 554 59] _70); _70 <- any Bdd_Bdd_Type.t_bdd; - [#"../bdd.rs" 551 29 555 21] _41 <- ([#"../bdd.rs" 551 29 555 21] ()); + [#"../bdd.rs" 551 29 555 21] _41 <- ([#"../bdd.rs" 551 29 555 21] [#"../bdd.rs" 551 29 555 21] ()); goto BB31 } BB31 { 
@@ -4025,7 +4079,9 @@ module Bdd_Hashmap_Impl2 val deep_model0 (self : (u, v)) : (deep_model_ty0, deep_model_ty1) ensures { result = deep_model0 self } - goal hash_refn : [#"../bdd.rs" 76 8 76 29] forall self : (u, v) . inv0 self -> inv0 self /\ (forall result : uint64 . UInt64.to_int result = hash_log0 (deep_model0 self) -> UInt64.to_int result = hash_log0 (deep_model0 self)) + goal hash_refn : [#"../bdd.rs" 76 8 76 29] forall self : (u, v) . inv0 self + -> inv0 self /\ (forall result : uint64 . UInt64.to_int result = hash_log0 (deep_model0 self) + -> UInt64.to_int result = hash_log0 (deep_model0 self)) end module Bdd_Impl1 use Bdd_Node_Type as Bdd_Node_Type @@ -4080,7 +4136,9 @@ module Bdd_Impl1 val shallow_model1 (self : Bdd_Node_Type.t_node) : Bdd_NodeLog_Type.t_nodelog ensures { result = shallow_model1 self } - goal hash_refn : [#"../bdd.rs" 116 4 116 25] forall self : Bdd_Node_Type.t_node . inv0 self -> (forall result : uint64 . UInt64.to_int result = hash_log0 (shallow_model1 self) -> UInt64.to_int result = hash_log0 (deep_model0 self)) + goal hash_refn : [#"../bdd.rs" 116 4 116 25] forall self : Bdd_Node_Type.t_node . inv0 self + -> (forall result : uint64 . UInt64.to_int result = hash_log0 (shallow_model1 self) + -> UInt64.to_int result = hash_log0 (deep_model0 self)) end module Bdd_Impl2 use Bdd_Bdd_Type as Bdd_Bdd_Type @@ -4123,7 +4181,9 @@ module Bdd_Impl2 val shallow_model1 (self : Bdd_Bdd_Type.t_bdd) : uint64 ensures { result = shallow_model1 self } - goal hash_refn : [#"../bdd.rs" 142 4 142 25] forall self : Bdd_Bdd_Type.t_bdd . inv0 self -> (forall result : uint64 . UInt64.to_int result = hash_log0 (shallow_model1 self) -> UInt64.to_int result = hash_log0 (deep_model0 self)) + goal hash_refn : [#"../bdd.rs" 142 4 142 25] forall self : Bdd_Bdd_Type.t_bdd . inv0 self + -> (forall result : uint64 . UInt64.to_int result = hash_log0 (shallow_model1 self) + -> UInt64.to_int result = hash_log0 (deep_model0 self)) end module Bdd_Impl12 
@@ -4166,7 +4226,9 @@ module Bdd_Impl14 val deep_model0 (self : Bdd_Node_Type.t_node) : Bdd_NodeLog_Type.t_nodelog ensures { result = deep_model0 self } - goal eq_refn : [#"../bdd.rs" 90 13 90 22] forall self : Bdd_Node_Type.t_node . forall other : Bdd_Node_Type.t_node . inv0 other /\ inv0 self -> (forall result : bool . result = (deep_model0 self = deep_model0 other) -> result = (deep_model0 self = deep_model0 other)) + goal eq_refn : [#"../bdd.rs" 90 13 90 22] forall self : Bdd_Node_Type.t_node . forall other : Bdd_Node_Type.t_node . inv0 other /\ inv0 self + -> (forall result : bool . result = (deep_model0 self = deep_model0 other) + -> result = (deep_model0 self = deep_model0 other)) end module Bdd_Impl7 use Bdd_Bdd_Type as Bdd_Bdd_Type @@ -4203,7 +4265,9 @@ module Bdd_Impl7 val shallow_model0 (self : Bdd_Bdd_Type.t_bdd) : uint64 ensures { result = shallow_model0 self } - goal eq_refn : [#"../bdd.rs" 202 4 202 34] forall self : Bdd_Bdd_Type.t_bdd . forall other : Bdd_Bdd_Type.t_bdd . inv0 other /\ inv0 self -> (forall result : bool . result = (shallow_model0 self = shallow_model0 other) -> result = (deep_model0 self = deep_model0 other)) + goal eq_refn : [#"../bdd.rs" 202 4 202 34] forall self : Bdd_Bdd_Type.t_bdd . forall other : Bdd_Bdd_Type.t_bdd . inv0 other /\ inv0 self + -> (forall result : bool . result = (shallow_model0 self = shallow_model0 other) + -> result = (deep_model0 self = deep_model0 other)) end module Bdd_Impl15 use Bdd_Node_Type as Bdd_Node_Type 
@@ -4228,7 +4292,8 @@ module Bdd_Impl15 axiom inv0 : forall x : Bdd_Node_Type.t_node . inv0 x = true use prelude.Borrow - goal clone'_refn : [#"../bdd.rs" 90 24 90 29] forall self : Bdd_Node_Type.t_node . inv0 self -> (forall result : Bdd_Node_Type.t_node . result = self -> inv1 result /\ result = self) + goal clone'_refn : [#"../bdd.rs" 90 24 90 29] forall self : Bdd_Node_Type.t_node . inv0 self + -> (forall result : Bdd_Node_Type.t_node . result = self -> inv1 result /\ result = self) end module Bdd_Impl0 use Bdd_Bdd_Type as Bdd_Bdd_Type @@ -4253,7 +4318,8 @@ module Bdd_Impl0 axiom inv0 : forall x : Bdd_Bdd_Type.t_bdd . inv0 x = true use prelude.Borrow - goal clone'_refn : [#"../bdd.rs" 109 4 109 27] forall self : Bdd_Bdd_Type.t_bdd . inv0 self -> (forall result : Bdd_Bdd_Type.t_bdd . result = self -> inv1 result /\ result = self) + goal clone'_refn : [#"../bdd.rs" 109 4 109 27] forall self : Bdd_Bdd_Type.t_bdd . inv0 self + -> (forall result : Bdd_Bdd_Type.t_bdd . result = self -> inv1 result /\ result = self) end module Bdd_Impl16 diff --git a/creusot/tests/should_succeed/binary_search.mlcfg b/creusot/tests/should_succeed/binary_search.mlcfg index 1edf5a7ab8..74f0a7549e 100644 --- a/creusot/tests/should_succeed/binary_search.mlcfg +++ b/creusot/tests/should_succeed/binary_search.mlcfg 
@@ -30,8 +30,10 @@ module BinarySearch_Impl0_LenLogic_Impl use prelude.Int constant self : BinarySearch_List_Type.t_list t function len_logic [#"../binary_search.rs" 22 4 22 29] (self : BinarySearch_List_Type.t_list t) : int - goal vc_len_logic : ([#"../binary_search.rs" 22 17 22 21] inv0 self) -> match self with - | BinarySearch_List_Type.C_Cons _ ls -> ([#"../binary_search.rs" 22 17 22 21] inv0 ls) /\ (([#"../binary_search.rs" 21 14 21 25] len_logic ls >= 0) -> ([#"../binary_search.rs" 21 14 21 25] 1 + len_logic ls >= 0)) + goal vc_len_logic : ([#"../binary_search.rs" 22 17 22 21] inv0 self) + -> match self with + | BinarySearch_List_Type.C_Cons _ ls -> ([#"../binary_search.rs" 22 17 22 21] inv0 ls) /\ (([#"../binary_search.rs" 21 14 21 25] len_logic ls >= 0) + -> ([#"../binary_search.rs" 21 14 21 25] 1 + len_logic ls >= 0)) | BinarySearch_List_Type.C_Nil -> [#"../binary_search.rs" 21 14 21 25] 0 >= 0 end end @@ -111,7 +113,8 @@ module BinarySearch_Impl0_Index requires {[#"../binary_search.rs" 22 17 22 21] inv3 self} ensures { result = len_logic0 self } - axiom len_logic0_spec : forall self : BinarySearch_List_Type.t_list t . ([#"../binary_search.rs" 22 17 22 21] inv3 self) -> ([#"../binary_search.rs" 21 14 21 25] len_logic0 self >= 0) + axiom len_logic0_spec : forall self : BinarySearch_List_Type.t_list t . ([#"../binary_search.rs" 22 17 22 21] inv3 self) + -> ([#"../binary_search.rs" 21 14 21 25] len_logic0 self >= 0) use prelude.UIntSize predicate resolve0 (self : BinarySearch_List_Type.t_list t) val resolve0 (self : BinarySearch_List_Type.t_list t) : bool 
@@ -162,7 +165,7 @@ module BinarySearch_Impl0_Index [#"../binary_search.rs" 51 26 51 28] ls <- ([#"../binary_search.rs" 51 26 51 28] BinarySearch_List_Type.cons_1 l); assert { [@expl:type invariant] inv0 l }; assume { resolve0 l }; - [#"../binary_search.rs" 52 15 52 21] _14 <- ([#"../binary_search.rs" 52 15 52 21] ix > (0 : usize)); + [#"../binary_search.rs" 52 15 52 21] _14 <- ([#"../binary_search.rs" 52 15 52 21] ix > ([#"../binary_search.rs" 52 20 52 21] (0 : usize))); switch (_14) | False -> goto BB6 | True -> goto BB5 @@ -177,7 +180,7 @@ module BinarySearch_Impl0_Index assert { [@expl:type invariant] inv1 _17 }; assume { resolve1 _17 }; [#"../binary_search.rs" 53 16 53 24] l <- ([#"../binary_search.rs" 53 16 53 24] _17); - [#"../binary_search.rs" 54 16 54 23] ix <- ([#"../binary_search.rs" 54 16 54 23] ix - (1 : usize)); + [#"../binary_search.rs" 54 16 54 23] ix <- ([#"../binary_search.rs" 54 16 54 23] ix - ([#"../binary_search.rs" 54 22 54 23] (1 : usize))); goto BB1 } BB6 { @@ -241,7 +244,8 @@ module BinarySearch_Impl0_Len requires {[#"../binary_search.rs" 22 17 22 21] inv2 self} ensures { result = len_logic0 self } - axiom len_logic0_spec : forall self : BinarySearch_List_Type.t_list t . ([#"../binary_search.rs" 22 17 22 21] inv2 self) -> ([#"../binary_search.rs" 21 14 21 25] len_logic0 self >= 0) + axiom len_logic0_spec : forall self : BinarySearch_List_Type.t_list t . ([#"../binary_search.rs" 22 17 22 21] inv2 self) + -> ([#"../binary_search.rs" 21 14 21 25] len_logic0 self >= 0) use prelude.UIntSize predicate resolve0 (self : BinarySearch_List_Type.t_list t) val resolve0 (self : BinarySearch_List_Type.t_list t) : bool 
@@ -264,7 +268,7 @@ module BinarySearch_Impl0_Len goto BB0 } BB0 { - [#"../binary_search.rs" 67 29 67 30] len <- ([#"../binary_search.rs" 67 29 67 30] (0 : usize)); + [#"../binary_search.rs" 67 29 67 30] len <- ([#"../binary_search.rs" 67 29 67 30] [#"../binary_search.rs" 67 29 67 30] (0 : usize)); [#"../binary_search.rs" 68 20 68 24] l <- ([#"../binary_search.rs" 68 20 68 24] self); assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; @@ -287,7 +291,7 @@ module BinarySearch_Impl0_Len [#"../binary_search.rs" 70 26 70 28] ls <- ([#"../binary_search.rs" 70 26 70 28] BinarySearch_List_Type.cons_1 l); assert { [@expl:type invariant] inv0 l }; assume { resolve0 l }; - [#"../binary_search.rs" 71 12 71 20] len <- ([#"../binary_search.rs" 71 12 71 20] len + (1 : usize)); + [#"../binary_search.rs" 71 12 71 20] len <- ([#"../binary_search.rs" 71 12 71 20] len + ([#"../binary_search.rs" 71 19 71 20] (1 : usize))); assert { [@expl:type invariant] inv1 ls }; assume { resolve1 ls }; [#"../binary_search.rs" 72 12 72 18] l <- ([#"../binary_search.rs" 72 12 72 18] ls); @@ -353,7 +357,8 @@ module BinarySearch_BinarySearch ensures { result = get0 self ix } predicate is_sorted0 [#"../binary_search.rs" 88 4 88 30] (self : BinarySearch_List_Type.t_list uint32) = - [#"../binary_search.rs" 90 12 97 13] forall x2 : int . forall x1 : int . x1 <= x2 -> match (get0 self x1, get0 self x2) with + [#"../binary_search.rs" 90 12 97 13] forall x2 : int . forall x1 : int . x1 <= x2 + -> match (get0 self x1, get0 self x2) with | (Core_Option_Option_Type.C_Some v1, Core_Option_Option_Type.C_Some v2) -> v1 <= v2 | (Core_Option_Option_Type.C_None, Core_Option_Option_Type.C_None) -> true | _ -> false 
@@ -373,7 +378,8 @@ module BinarySearch_BinarySearch requires {[#"../binary_search.rs" 22 17 22 21] inv1 self} ensures { result = len_logic0 self } - axiom len_logic0_spec : forall self : BinarySearch_List_Type.t_list uint32 . ([#"../binary_search.rs" 22 17 22 21] inv1 self) -> ([#"../binary_search.rs" 21 14 21 25] len_logic0 self >= 0) + axiom len_logic0_spec : forall self : BinarySearch_List_Type.t_list uint32 . ([#"../binary_search.rs" 22 17 22 21] inv1 self) + -> ([#"../binary_search.rs" 21 14 21 25] len_logic0 self >= 0) use prelude.UIntSize val index0 [#"../binary_search.rs" 45 4 45 40] (self : BinarySearch_List_Type.t_list uint32) (ix : usize) : uint32 requires {[#"../binary_search.rs" 43 15 43 37] UIntSize.to_int ix < len_logic0 self} 
@@ -400,9 +406,14 @@ module BinarySearch_BinarySearch let rec cfg binary_search [#"../binary_search.rs" 109 0 109 72] [@cfg:stackify] [@cfg:subregion_analysis] (arr : BinarySearch_List_Type.t_list uint32) (elem : uint32) : Core_Result_Result_Type.t_result usize usize requires {[#"../binary_search.rs" 102 11 102 39] len_logic0 arr <= 1000000} requires {[#"../binary_search.rs" 103 11 103 26] is_sorted0 arr} - ensures { [#"../binary_search.rs" 104 0 104 73] forall x : usize . result = Core_Result_Result_Type.C_Ok x -> get0 arr (UIntSize.to_int x) = Core_Option_Option_Type.C_Some elem } - ensures { [#"../binary_search.rs" 105 0 106 78] forall x : usize . result = Core_Result_Result_Type.C_Err x -> (forall i : usize . 0 <= UIntSize.to_int i /\ UIntSize.to_int i < UIntSize.to_int x -> get_default0 arr (UIntSize.to_int i) (0 : uint32) <= elem) } - ensures { [#"../binary_search.rs" 107 0 108 90] forall x : usize . result = Core_Result_Result_Type.C_Err x -> (forall i : usize . UIntSize.to_int x < UIntSize.to_int i /\ UIntSize.to_int i < len_logic0 arr -> elem < get_default0 arr (UIntSize.to_int i) (0 : uint32)) } + ensures { [#"../binary_search.rs" 104 0 104 73] forall x : usize . result = Core_Result_Result_Type.C_Ok x + -> get0 arr (UIntSize.to_int x) = Core_Option_Option_Type.C_Some elem } + ensures { [#"../binary_search.rs" 105 0 106 78] forall x : usize . result = Core_Result_Result_Type.C_Err x + -> (forall i : usize . 0 <= UIntSize.to_int i /\ UIntSize.to_int i < UIntSize.to_int x + -> get_default0 arr (UIntSize.to_int i) (0 : uint32) <= elem) } + ensures { [#"../binary_search.rs" 107 0 108 90] forall x : usize . result = Core_Result_Result_Type.C_Err x + -> (forall i : usize . UIntSize.to_int x < UIntSize.to_int i /\ UIntSize.to_int i < len_logic0 arr + -> elem < get_default0 arr (UIntSize.to_int i) (0 : uint32)) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : Core_Result_Result_Type.t_result usize usize; 
@@ -432,7 +443,7 @@ module BinarySearch_BinarySearch goto BB1 } BB1 { - [#"../binary_search.rs" 110 7 110 21] _9 <- ([#"../binary_search.rs" 110 7 110 21] _10 = (0 : usize)); + [#"../binary_search.rs" 110 7 110 21] _9 <- ([#"../binary_search.rs" 110 7 110 21] _10 = ([#"../binary_search.rs" 110 20 110 21] (0 : usize))); _10 <- any usize; switch (_9) | False -> goto BB3 @@ -440,7 +451,7 @@ module BinarySearch_BinarySearch end } BB2 { - [#"../binary_search.rs" 111 15 111 21] _0 <- ([#"../binary_search.rs" 111 15 111 21] Core_Result_Result_Type.C_Err (0 : usize)); + [#"../binary_search.rs" 111 15 111 21] _0 <- ([#"../binary_search.rs" 111 15 111 21] Core_Result_Result_Type.C_Err ([#"../binary_search.rs" 111 19 111 20] (0 : usize))); goto BB21 } BB3 { 
@@ -448,29 +459,31 @@ module BinarySearch_BinarySearch goto BB4 } BB4 { - [#"../binary_search.rs" 114 19 114 20] base <- ([#"../binary_search.rs" 114 19 114 20] (0 : usize)); + [#"../binary_search.rs" 114 19 114 20] base <- ([#"../binary_search.rs" 114 19 114 20] [#"../binary_search.rs" 114 19 114 20] (0 : usize)); goto BB5 } BB5 { invariant { [#"../binary_search.rs" 116 16 116 63] 0 < UIntSize.to_int size /\ UIntSize.to_int size + UIntSize.to_int base <= len_logic0 arr }; - invariant { [#"../binary_search.rs" 116 4 116 65] forall i : usize . i < base -> get_default0 arr (UIntSize.to_int i) (0 : uint32) <= elem }; - invariant { [#"../binary_search.rs" 116 4 116 65] forall i : usize . UIntSize.to_int base + UIntSize.to_int size < UIntSize.to_int i /\ UIntSize.to_int i < len_logic0 arr -> elem < get_default0 arr (UIntSize.to_int i) (0 : uint32) }; + invariant { [#"../binary_search.rs" 116 4 116 65] forall i : usize . i < base + -> get_default0 arr (UIntSize.to_int i) (0 : uint32) <= elem }; + invariant { [#"../binary_search.rs" 116 4 116 65] forall i : usize . 
UIntSize.to_int base + UIntSize.to_int size < UIntSize.to_int i /\ UIntSize.to_int i < len_logic0 arr + -> elem < get_default0 arr (UIntSize.to_int i) (0 : uint32) }; goto BB6 } BB6 { - [#"../binary_search.rs" 119 10 119 18] _21 <- ([#"../binary_search.rs" 119 10 119 18] size > (1 : usize)); + [#"../binary_search.rs" 119 10 119 18] _21 <- ([#"../binary_search.rs" 119 10 119 18] size > ([#"../binary_search.rs" 119 17 119 18] (1 : usize))); switch (_21) | False -> goto BB13 | True -> goto BB7 end } BB7 { - [#"../binary_search.rs" 120 19 120 27] _25 <- ([#"../binary_search.rs" 120 19 120 27] (2 : usize) = (0 : usize)); + [#"../binary_search.rs" 120 19 120 27] _25 <- ([#"../binary_search.rs" 120 19 120 27] ([#"../binary_search.rs" 120 26 120 27] (2 : usize)) = ([#"../binary_search.rs" 120 19 120 27] (0 : usize))); assert { [@expl:division by zero] [#"../binary_search.rs" 120 19 120 27] not _25 }; goto BB8 } BB8 { - [#"../binary_search.rs" 120 19 120 27] half <- ([#"../binary_search.rs" 120 19 120 27] size / (2 : usize)); + [#"../binary_search.rs" 120 19 120 27] half <- ([#"../binary_search.rs" 120 19 120 27] size / ([#"../binary_search.rs" 120 26 120 27] (2 : usize))); [#"../binary_search.rs" 121 18 121 29] mid <- ([#"../binary_search.rs" 121 18 121 29] base + half); [#"../binary_search.rs" 123 19 123 33] _32 <- ([#"../binary_search.rs" 123 19 123 33] index0 arr mid); goto BB9 @@ -520,7 +533,7 @@ module BinarySearch_BinarySearch end } BB17 { - [#"../binary_search.rs" 131 12 131 20] _51 <- ([#"../binary_search.rs" 131 12 131 20] base + (1 : usize)); + [#"../binary_search.rs" 131 12 131 20] _51 <- ([#"../binary_search.rs" 131 12 131 20] base + ([#"../binary_search.rs" 131 19 131 20] (1 : usize))); [#"../binary_search.rs" 131 8 131 21] _0 <- ([#"../binary_search.rs" 131 8 131 21] Core_Result_Result_Type.C_Err _51); _51 <- any usize; goto BB19 
diff --git a/creusot/tests/should_succeed/bug/02_derive.mlcfg b/creusot/tests/should_succeed/bug/02_derive.mlcfg index f810252f63..bde749a147 100644 --- a/creusot/tests/should_succeed/bug/02_derive.mlcfg +++ b/creusot/tests/should_succeed/bug/02_derive.mlcfg @@ -43,5 +43,6 @@ module C02Derive_Impl0 axiom inv0 : forall x : C02Derive_Lit_Type.t_lit . inv0 x = true use prelude.Borrow - goal clone'_refn : [#"../02_derive.rs" 3 9 3 14] forall self : C02Derive_Lit_Type.t_lit . inv0 self -> (forall result : C02Derive_Lit_Type.t_lit . inv1 result /\ result = self) + goal clone'_refn : [#"../02_derive.rs" 3 9 3 14] forall self : C02Derive_Lit_Type.t_lit . inv0 self + -> (forall result : C02Derive_Lit_Type.t_lit . inv1 result /\ result = self) end diff --git a/creusot/tests/should_succeed/bug/168.mlcfg b/creusot/tests/should_succeed/bug/168.mlcfg index 44d49dffa9..90ce3d79d0 100644 --- a/creusot/tests/should_succeed/bug/168.mlcfg +++ b/creusot/tests/should_succeed/bug/168.mlcfg @@ -9,7 +9,7 @@ module C168_MaxInt goto BB0 } BB0 { - [#"../168.rs" 4 4 4 14] _0 <- ([#"../168.rs" 4 4 4 14] (18446744073709551615 : usize)); + [#"../168.rs" 4 4 4 14] _0 <- ([#"../168.rs" 4 4 4 14] [#"../168.rs" 4 4 4 14] (18446744073709551615 : usize)); return _0 } diff --git a/creusot/tests/should_succeed/bug/173.mlcfg b/creusot/tests/should_succeed/bug/173.mlcfg index ddd9bd8528..a4b853638f 100644 --- a/creusot/tests/should_succeed/bug/173.mlcfg +++ b/creusot/tests/should_succeed/bug/173.mlcfg 
@@ -12,11 +12,11 @@ module C173_Test233 goto BB0 } BB0 { - [#"../173.rs" 20 12 20 14] x <- ([#"../173.rs" 20 12 20 14] (17 : int32)); + [#"../173.rs" 20 12 20 14] x <- ([#"../173.rs" 20 12 20 14] [#"../173.rs" 20 12 20 14] (17 : int32)); assert { [@expl:assertion] [#"../173.rs" 21 19 21 27] Int32.to_int x = 17 }; - [#"../173.rs" 22 12 22 14] x1 <- ([#"../173.rs" 22 12 22 14] (42 : int32)); + [#"../173.rs" 22 12 22 14] x1 <- ([#"../173.rs" 22 12 22 14] [#"../173.rs" 22 12 22 14] (42 : int32)); assert { [@expl:assertion] [#"../173.rs" 23 19 23 27] Int32.to_int x1 = 42 }; - [#"../173.rs" 19 18 24 1] _0 <- ([#"../173.rs" 19 18 24 1] ()); + [#"../173.rs" 19 18 24 1] _0 <- ([#"../173.rs" 19 18 24 1] [#"../173.rs" 19 18 24 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/195.mlcfg b/creusot/tests/should_succeed/bug/195.mlcfg index dba60edf38..92cf7439f1 100644 --- a/creusot/tests/should_succeed/bug/195.mlcfg +++ b/creusot/tests/should_succeed/bug/195.mlcfg @@ -9,7 +9,7 @@ module C195_Example goto BB0 } BB0 { - [#"../195.rs" 4 41 4 43] _0 <- ([#"../195.rs" 4 41 4 43] ()); + [#"../195.rs" 4 41 4 43] _0 <- ([#"../195.rs" 4 41 4 43] [#"../195.rs" 4 41 4 43] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/206.mlcfg b/creusot/tests/should_succeed/bug/206.mlcfg index 345c839ced..962eca159a 100644 --- a/creusot/tests/should_succeed/bug/206.mlcfg +++ b/creusot/tests/should_succeed/bug/206.mlcfg 
@@ -81,7 +81,8 @@ module C206_U2_Impl requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -122,7 +123,8 @@ module C206_Ex requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool @@ -151,7 +153,7 @@ module C206_Ex goto BB0 } BB0 { - [#"../206.rs" 20 17 20 19] _0 <- ([#"../206.rs" 20 17 20 19] ()); + [#"../206.rs" 20 17 20 19] _0 <- ([#"../206.rs" 20 17 20 19] [#"../206.rs" 20 17 20 19] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/235.mlcfg b/creusot/tests/should_succeed/bug/235.mlcfg index 7ff0fc105d..2a925a016e 100644 --- a/creusot/tests/should_succeed/bug/235.mlcfg +++ b/creusot/tests/should_succeed/bug/235.mlcfg @@ -15,7 +15,7 @@ module C235_F goto BB2 } BB2 { - switch (true) + switch ([#"../235.rs" 8 10 8 14] true) | False -> goto BB4 | True -> goto BB3 end 
@@ -24,7 +24,7 @@ module C235_F goto BB1 } BB4 { - [#"../235.rs" 8 4 8 17] _0 <- ([#"../235.rs" 8 4 8 17] ()); + [#"../235.rs" 8 4 8 17] _0 <- ([#"../235.rs" 8 4 8 17] [#"../235.rs" 8 4 8 17] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/256.mlcfg b/creusot/tests/should_succeed/bug/256.mlcfg index 30e3140e33..b843973f09 100644 --- a/creusot/tests/should_succeed/bug/256.mlcfg +++ b/creusot/tests/should_succeed/bug/256.mlcfg @@ -11,8 +11,8 @@ module C256_U8Safe goto BB0 } BB0 { - [#"../256.rs" 4 12 4 17] _2 <- ([#"../256.rs" 4 12 4 17] u + (0 : uint8)); - [#"../256.rs" 3 22 5 1] _0 <- ([#"../256.rs" 3 22 5 1] ()); + [#"../256.rs" 4 12 4 17] _2 <- ([#"../256.rs" 4 12 4 17] u + ([#"../256.rs" 4 16 4 17] (0 : uint8))); + [#"../256.rs" 3 22 5 1] _0 <- ([#"../256.rs" 3 22 5 1] [#"../256.rs" 3 22 5 1] ()); return _0 } @@ -75,7 +75,7 @@ module C256_Bug256 goto BB0 } BB0 { - [#"../256.rs" 8 27 8 29] _0 <- ([#"../256.rs" 8 27 8 29] ()); + [#"../256.rs" 8 27 8 29] _0 <- ([#"../256.rs" 8 27 8 29] [#"../256.rs" 8 27 8 29] ()); goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/bug/258.mlcfg b/creusot/tests/should_succeed/bug/258.mlcfg index 52cd1f2235..132780b4ca 100644 --- a/creusot/tests/should_succeed/bug/258.mlcfg +++ b/creusot/tests/should_succeed/bug/258.mlcfg @@ -9,7 +9,7 @@ module C258_Err goto BB0 } BB0 { - [#"../258.rs" 3 23 3 25] _0 <- ([#"../258.rs" 3 23 3 25] ()); + [#"../258.rs" 3 23 3 25] _0 <- ([#"../258.rs" 3 23 3 25] [#"../258.rs" 3 23 3 25] ()); return _0 } @@ -24,7 +24,7 @@ module C258_Err2 goto BB0 } BB0 { - [#"../258.rs" 5 25 5 27] _0 <- ([#"../258.rs" 5 25 5 27] ()); + [#"../258.rs" 5 25 5 27] _0 <- ([#"../258.rs" 5 25 5 27] [#"../258.rs" 5 25 5 27] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/271.mlcfg b/creusot/tests/should_succeed/bug/271.mlcfg index 1834729226..c38fe9480a 100644 --- a/creusot/tests/should_succeed/bug/271.mlcfg +++ b/creusot/tests/should_succeed/bug/271.mlcfg 
@@ -10,15 +10,15 @@ module C271_Ex goto BB0 } BB0 { - [#"../271.rs" 6 12 6 13] a <- ([#"../271.rs" 6 12 6 13] (0 : int32)); + [#"../271.rs" 6 12 6 13] a <- ([#"../271.rs" 6 12 6 13] [#"../271.rs" 6 12 6 13] (0 : int32)); goto BB2 } BB1 { - [#"../271.rs" 9 13 9 15] _0 <- ([#"../271.rs" 9 13 9 15] ()); + [#"../271.rs" 9 13 9 15] _0 <- ([#"../271.rs" 9 13 9 15] [#"../271.rs" 9 13 9 15] ()); goto BB3 } BB2 { - [#"../271.rs" 8 13 8 15] _0 <- ([#"../271.rs" 8 13 8 15] ()); + [#"../271.rs" 8 13 8 15] _0 <- ([#"../271.rs" 8 13 8 15] [#"../271.rs" 8 13 8 15] ()); goto BB3 } BB3 { @@ -37,7 +37,7 @@ module C271_Ex2 goto BB0 } BB0 { - [#"../271.rs" 14 12 14 13] a <- ([#"../271.rs" 14 12 14 13] (0 : int32)); + [#"../271.rs" 14 12 14 13] a <- ([#"../271.rs" 14 12 14 13] [#"../271.rs" 14 12 14 13] (0 : int32)); switch (a = 0) | True -> goto BB1 | False -> switch (a = 1) @@ -56,15 +56,15 @@ module C271_Ex2 goto BB6 } BB4 { - [#"../271.rs" 18 13 18 15] _0 <- ([#"../271.rs" 18 13 18 15] ()); + [#"../271.rs" 18 13 18 15] _0 <- ([#"../271.rs" 18 13 18 15] [#"../271.rs" 18 13 18 15] ()); goto BB7 } BB5 { - [#"../271.rs" 16 17 16 19] _0 <- ([#"../271.rs" 16 17 16 19] ()); + [#"../271.rs" 16 17 16 19] _0 <- ([#"../271.rs" 16 17 16 19] [#"../271.rs" 16 17 16 19] ()); goto BB7 } BB6 { - [#"../271.rs" 17 13 17 15] _0 <- ([#"../271.rs" 17 13 17 15] ()); + [#"../271.rs" 17 13 17 15] _0 <- ([#"../271.rs" 17 13 17 15] [#"../271.rs" 17 13 17 15] ()); goto BB7 } BB7 { @@ -89,7 +89,7 @@ module C271_Ex3 goto BB0 } BB0 { - [#"../271.rs" 23 12 23 13] a <- ([#"../271.rs" 23 12 23 13] (0 : int32)); + [#"../271.rs" 23 12 23 13] a <- ([#"../271.rs" 23 12 23 13] [#"../271.rs" 23 12 23 13] (0 : int32)); switch (a = 0) | True -> goto BB1 | False -> switch (a = 1) 
@@ -114,15 +114,15 @@ module C271_Ex3 goto BB7 } BB5 { - [#"../271.rs" 27 13 27 15] _0 <- ([#"../271.rs" 27 13 27 15] ()); + [#"../271.rs" 27 13 27 15] _0 <- ([#"../271.rs" 27 13 27 15] [#"../271.rs" 27 13 27 15] ()); goto BB8 } BB6 { - [#"../271.rs" 25 17 25 19] _0 <- ([#"../271.rs" 25 17 25 19] ()); + [#"../271.rs" 25 17 25 19] _0 <- ([#"../271.rs" 25 17 25 19] [#"../271.rs" 25 17 25 19] ()); goto BB8 } BB7 { - [#"../271.rs" 26 17 26 19] _0 <- ([#"../271.rs" 26 17 26 19] ()); + [#"../271.rs" 26 17 26 19] _0 <- ([#"../271.rs" 26 17 26 19] [#"../271.rs" 26 17 26 19] ()); goto BB8 } BB8 { diff --git a/creusot/tests/should_succeed/bug/273.mlcfg b/creusot/tests/should_succeed/bug/273.mlcfg index 3e369b934c..89d513cad7 100644 --- a/creusot/tests/should_succeed/bug/273.mlcfg +++ b/creusot/tests/should_succeed/bug/273.mlcfg @@ -21,7 +21,7 @@ module C273_Ex goto BB0 } BB0 { - [#"../273.rs" 5 21 5 31] _1 <- ([#"../273.rs" 5 21 5 31] Core_Option_Option_Type.C_Some true); + [#"../273.rs" 5 21 5 31] _1 <- ([#"../273.rs" 5 21 5 31] Core_Option_Option_Type.C_Some ([#"../273.rs" 5 26 5 30] true)); switch (_1) | Core_Option_Option_Type.C_Some _ -> goto BB1 | _ -> goto BB3 @@ -33,11 +33,11 @@ module C273_Ex BB2 { [#"../273.rs" 5 16 5 17] b <- ([#"../273.rs" 5 16 5 17] Core_Option_Option_Type.some_0 _1); assert { [@expl:assertion] [#"../273.rs" 6 22 6 23] b }; - [#"../273.rs" 5 32 7 5] _0 <- ([#"../273.rs" 5 32 7 5] ()); + [#"../273.rs" 5 32 7 5] _0 <- ([#"../273.rs" 5 32 7 5] [#"../273.rs" 5 32 7 5] ()); goto BB4 } BB3 { - [#"../273.rs" 7 5 7 5] _0 <- ([#"../273.rs" 7 5 7 5] ()); + [#"../273.rs" 7 5 7 5] _0 <- ([#"../273.rs" 7 5 7 5] [#"../273.rs" 7 5 7 5] ()); goto BB4 } BB4 { diff --git a/creusot/tests/should_succeed/bug/387.mlcfg b/creusot/tests/should_succeed/bug/387.mlcfg index e909861af9..7be97d4802 100644 --- a/creusot/tests/should_succeed/bug/387.mlcfg +++ b/creusot/tests/should_succeed/bug/387.mlcfg 
@@ -46,7 +46,7 @@ module C387_UseTree goto BB0 } BB0 { - [#"../387.rs" 13 26 13 28] _0 <- ([#"../387.rs" 13 26 13 28] ()); + [#"../387.rs" 13 26 13 28] _0 <- ([#"../387.rs" 13 26 13 28] [#"../387.rs" 13 26 13 28] ()); return _0 } @@ -88,8 +88,10 @@ module C387_Impl0_Height ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 53 26 53 66] deep_model0 result >= deep_model0 self } ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 54 26 54 63] deep_model0 result >= deep_model0 other } ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 7 0 62 1] result = self \/ result = other } - ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 56 16 56 79] deep_model0 self <= deep_model0 other -> result = other } - ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 57 16 57 81] deep_model0 other < deep_model0 self -> result = self } + ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 56 16 56 79] deep_model0 self <= deep_model0 other + -> result = other } + ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 57 16 57 81] deep_model0 other < deep_model0 self + -> result = self } ensures { inv0 result } use C387_Node_Type as C387_Node_Type @@ -126,7 +128,7 @@ module C387_Impl0_Height absurd } BB4 { - [#"../387.rs" 18 26 18 27] _0 <- ([#"../387.rs" 18 26 18 27] (0 : uint64)); + [#"../387.rs" 18 26 18 27] _0 <- ([#"../387.rs" 18 26 18 27] [#"../387.rs" 18 26 18 27] (0 : uint64)); goto BB8 } BB5 { @@ -140,7 +142,7 @@ module C387_Impl0_Height goto BB7 } BB7 { - [#"../387.rs" 19 29 19 70] _0 <- ([#"../387.rs" 19 29 19 70] _4 + (1 : uint64)); + [#"../387.rs" 19 29 19 70] _0 <- ([#"../387.rs" 19 29 19 70] _4 + ([#"../387.rs" 19 69 19 70] (1 : uint64))); _4 <- any uint64; goto BB8 } diff --git a/creusot/tests/should_succeed/bug/395.mlcfg b/creusot/tests/should_succeed/bug/395.mlcfg index 997c4c4fe2..631cc017ea 100644 --- a/creusot/tests/should_succeed/bug/395.mlcfg +++ b/creusot/tests/should_succeed/bug/395.mlcfg 
@@ -19,17 +19,17 @@ module C395_SignedDivision goto BB0 } BB0 { - [#"../395.rs" 4 12 4 14] x <- ([#"../395.rs" 4 12 4 14] (10 : int32)); - [#"../395.rs" 5 12 5 13] y <- ([#"../395.rs" 5 12 5 13] (1 : int32)); + [#"../395.rs" 4 12 4 14] x <- ([#"../395.rs" 4 12 4 14] [#"../395.rs" 4 12 4 14] (10 : int32)); + [#"../395.rs" 5 12 5 13] y <- ([#"../395.rs" 5 12 5 13] [#"../395.rs" 5 12 5 13] (1 : int32)); [#"../395.rs" 7 12 7 13] _6 <- ([#"../395.rs" 7 12 7 13] x); [#"../395.rs" 7 16 7 17] _7 <- ([#"../395.rs" 7 16 7 17] y); - [#"../395.rs" 7 12 7 17] _8 <- ([#"../395.rs" 7 12 7 17] _7 = (0 : int32)); + [#"../395.rs" 7 12 7 17] _8 <- ([#"../395.rs" 7 12 7 17] _7 = ([#"../395.rs" 7 12 7 17] (0 : int32))); assert { [@expl:division by zero] [#"../395.rs" 7 12 7 17] not _8 }; goto BB1 } BB1 { - [#"../395.rs" 7 12 7 17] _9 <- ([#"../395.rs" 7 12 7 17] _7 = (-1 : int32)); - [#"../395.rs" 7 12 7 17] _10 <- ([#"../395.rs" 7 12 7 17] _6 = (-2147483648 : int32)); + [#"../395.rs" 7 12 7 17] _9 <- ([#"../395.rs" 7 12 7 17] _7 = ([#"../395.rs" 7 12 7 17] (-1 : int32))); + [#"../395.rs" 7 12 7 17] _10 <- ([#"../395.rs" 7 12 7 17] _6 = ([#"../395.rs" 7 12 7 17] (-2147483648 : int32))); [#"../395.rs" 7 12 7 17] _11 <- ([#"../395.rs" 7 12 7 17] _9 && _10); _9 <- any bool; _10 <- any bool; @@ -40,7 +40,7 @@ module C395_SignedDivision [#"../395.rs" 7 12 7 17] _5 <- ([#"../395.rs" 7 12 7 17] _6 / _7); _6 <- any int32; _7 <- any int32; - [#"../395.rs" 7 12 7 23] _4 <- ([#"../395.rs" 7 12 7 23] _5 = (10 : int32)); + [#"../395.rs" 7 12 7 23] _4 <- ([#"../395.rs" 7 12 7 23] _5 = ([#"../395.rs" 7 21 7 23] (10 : int32))); _5 <- any int32; switch (_4) | False -> goto BB4 @@ -48,7 +48,7 @@ module C395_SignedDivision end } BB3 { - [#"../395.rs" 3 25 8 1] _0 <- ([#"../395.rs" 3 25 8 1] ()); + [#"../395.rs" 3 25 8 1] _0 <- ([#"../395.rs" 3 25 8 1] [#"../395.rs" 3 25 8 1] ()); return _0 } BB4 { 
diff --git a/creusot/tests/should_succeed/bug/463.mlcfg b/creusot/tests/should_succeed/bug/463.mlcfg index 1d867edcc7..ef92830735 100644 --- a/creusot/tests/should_succeed/bug/463.mlcfg +++ b/creusot/tests/should_succeed/bug/463.mlcfg @@ -26,7 +26,7 @@ module C463_Test_Closure0 goto BB0 } BB0 { - [#"../463.rs" 7 19 7 24] res1 <- ([#"../463.rs" 7 19 7 24] x + (1 : usize)); + [#"../463.rs" 7 19 7 24] res1 <- ([#"../463.rs" 7 19 7 24] x + ([#"../463.rs" 7 23 7 24] (1 : usize))); [#"../463.rs" 5 8 5 30] res <- ([#"../463.rs" 5 8 5 30] res1); [#"../463.rs" 6 8 6 37] _0 <- ([#"../463.rs" 6 8 6 37] res); return _0 @@ -57,7 +57,7 @@ module C463_Test } BB0 { [#"../463.rs" 6 8 6 37] c <- ([#"../463.rs" 6 8 6 37] C463_Test_Closure0.C463_Test_Closure0); - [#"../463.rs" 9 12 9 16] _4 <- ([#"../463.rs" 9 12 9 16] ((2 : usize))); + [#"../463.rs" 9 12 9 16] _4 <- ([#"../463.rs" 9 12 9 16] (([#"../463.rs" 9 14 9 15] (2 : usize)))); [#"../463.rs" 9 12 9 16] y <- ([#"../463.rs" 9 12 9 16] let (a) = _4 in closure00 c a); _4 <- any usize; goto BB1 @@ -65,7 +65,7 @@ module C463_Test BB1 { assume { resolve0 c }; assert { [@expl:assertion] [#"../463.rs" 10 18 10 25] UIntSize.to_int y = 3 }; - [#"../463.rs" 10 4 10 26] _0 <- ([#"../463.rs" 10 4 10 26] ()); + [#"../463.rs" 10 4 10 26] _0 <- ([#"../463.rs" 10 4 10 26] [#"../463.rs" 10 4 10 26] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/464.mlcfg b/creusot/tests/should_succeed/bug/464.mlcfg index c30857ff70..05e57fe6c4 100644 --- a/creusot/tests/should_succeed/bug/464.mlcfg +++ b/creusot/tests/should_succeed/bug/464.mlcfg @@ -21,7 +21,7 @@ module C464_Impl1_Invariant_Impl constant assoc : C464_AssocStruct_Type.t_assocstruct predicate invariant' [#"../464.rs" 34 4 34 50] (self : C464_Struct_Type.t_struct) (assoc : C464_AssocStruct_Type.t_assocstruct) - goal vc_invariant' : [#"../464.rs" 33 4 33 44] true -> invariant0 assoc + goal vc_invariant' : [#"../464.rs" 33 4 33 44] true -> invariant0 assoc end module C464_Impl0 
@@ -54,5 +54,6 @@ module C464_Impl1 val invariant0 [#"../464.rs" 23 4 23 30] (self : C464_AssocStruct_Type.t_assocstruct) : bool ensures { result = invariant0 self } - goal invariant'_refn : [#"../464.rs" 34 4 34 50] forall self : C464_Struct_Type.t_struct . forall assoc : C464_AssocStruct_Type.t_assocstruct . inv0 assoc /\ inv1 self -> (forall result : bool . result -> invariant0 assoc -> result -> invariant0 assoc) + goal invariant'_refn : [#"../464.rs" 34 4 34 50] forall self : C464_Struct_Type.t_struct . forall assoc : C464_AssocStruct_Type.t_assocstruct . inv0 assoc /\ inv1 self + -> (forall result : bool . result -> invariant0 assoc -> result -> invariant0 assoc) end diff --git a/creusot/tests/should_succeed/bug/486.mlcfg b/creusot/tests/should_succeed/bug/486.mlcfg index 086796c83b..46947df410 100644 --- a/creusot/tests/should_succeed/bug/486.mlcfg +++ b/creusot/tests/should_succeed/bug/486.mlcfg @@ -25,8 +25,8 @@ module C486_Test goto BB0 } BB0 { - [#"../486.rs" 8 4 8 12] x <- (let C486_HasMutRef_Type.C_HasMutRef x0 = x in C486_HasMutRef_Type.C_HasMutRef ({ (C486_HasMutRef_Type.hasmutref_0 x) with current = ([#"../486.rs" 8 4 8 12] (5 : uint32)) ; })); - [#"../486.rs" 8 4 8 12] _0 <- ([#"../486.rs" 8 4 8 12] ()); + [#"../486.rs" 8 4 8 12] x <- (let C486_HasMutRef_Type.C_HasMutRef x0 = x in C486_HasMutRef_Type.C_HasMutRef ({ (C486_HasMutRef_Type.hasmutref_0 x) with current = ([#"../486.rs" 8 4 8 12] [#"../486.rs" 8 11 8 12] (5 : uint32)) ; })); + [#"../486.rs" 8 4 8 12] _0 <- ([#"../486.rs" 8 4 8 12] [#"../486.rs" 8 4 8 12] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/510.mlcfg b/creusot/tests/should_succeed/bug/510.mlcfg index 9a9062e921..ec0642925c 100644 --- a/creusot/tests/should_succeed/bug/510.mlcfg +++ b/creusot/tests/should_succeed/bug/510.mlcfg 
@@ -13,7 +13,7 @@ module C510_TestBool } BB0 { [#"../510.rs" 4 16 4 25] _bing <- ([#"../510.rs" 4 16 4 25] UInt8.of_int (Bool.to_int inp)); - [#"../510.rs" 3 28 5 1] _0 <- ([#"../510.rs" 3 28 5 1] ()); + [#"../510.rs" 3 28 5 1] _0 <- ([#"../510.rs" 3 28 5 1] [#"../510.rs" 3 28 5 1] ()); return _0 } @@ -30,8 +30,8 @@ module C510_TestChar goto BB0 } BB0 { - [#"../510.rs" 8 4 8 14] _1 <- ([#"../510.rs" 8 4 8 14] Char.chr (UInt8.to_int (22 : uint8))); - [#"../510.rs" 7 19 9 1] _0 <- ([#"../510.rs" 7 19 9 1] ()); + [#"../510.rs" 8 4 8 14] _1 <- ([#"../510.rs" 8 4 8 14] Char.chr (UInt8.to_int ([#"../510.rs" 8 4 8 6] (22 : uint8)))); + [#"../510.rs" 7 19 9 1] _0 <- ([#"../510.rs" 7 19 9 1] [#"../510.rs" 7 19 9 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/511.mlcfg b/creusot/tests/should_succeed/bug/511.mlcfg index ad7981a790..be539a3f29 100644 --- a/creusot/tests/should_succeed/bug/511.mlcfg +++ b/creusot/tests/should_succeed/bug/511.mlcfg @@ -13,7 +13,7 @@ module C511_TestU8 } BB0 { [#"../511.rs" 4 16 4 28] _bing <- ([#"../511.rs" 4 16 4 28] UIntSize.of_int (UInt8.to_int inp)); - [#"../511.rs" 3 24 5 1] _0 <- ([#"../511.rs" 3 24 5 1] ()); + [#"../511.rs" 3 24 5 1] _0 <- ([#"../511.rs" 3 24 5 1] [#"../511.rs" 3 24 5 1] ()); return _0 } @@ -32,7 +32,7 @@ module C511_TestU16 } BB0 { [#"../511.rs" 8 16 8 28] _bing <- ([#"../511.rs" 8 16 8 28] UIntSize.of_int (UInt16.to_int inp)); - [#"../511.rs" 7 26 9 1] _0 <- ([#"../511.rs" 7 26 9 1] ()); + [#"../511.rs" 7 26 9 1] _0 <- ([#"../511.rs" 7 26 9 1] [#"../511.rs" 7 26 9 1] ()); return _0 } @@ -51,7 +51,7 @@ module C511_TestU128 } BB0 { [#"../511.rs" 12 16 12 28] _bing <- ([#"../511.rs" 12 16 12 28] UIntSize.of_int (UInt128.to_int inp)); - [#"../511.rs" 11 28 13 1] _0 <- ([#"../511.rs" 11 28 13 1] ()); + [#"../511.rs" 11 28 13 1] _0 <- ([#"../511.rs" 11 28 13 1] [#"../511.rs" 11 28 13 1] ()); return _0 } 
@@ -70,7 +70,7 @@ module C511_TestI8 } BB0 { [#"../511.rs" 16 16 16 28] _bing <- ([#"../511.rs" 16 16 16 28] UIntSize.of_int (Int8.to_int inp)); - [#"../511.rs" 15 24 17 1] _0 <- ([#"../511.rs" 15 24 17 1] ()); + [#"../511.rs" 15 24 17 1] _0 <- ([#"../511.rs" 15 24 17 1] [#"../511.rs" 15 24 17 1] ()); return _0 } @@ -89,7 +89,7 @@ module C511_TestI16 } BB0 { [#"../511.rs" 20 16 20 28] _bing <- ([#"../511.rs" 20 16 20 28] UIntSize.of_int (Int16.to_int inp)); - [#"../511.rs" 19 26 21 1] _0 <- ([#"../511.rs" 19 26 21 1] ()); + [#"../511.rs" 19 26 21 1] _0 <- ([#"../511.rs" 19 26 21 1] [#"../511.rs" 19 26 21 1] ()); return _0 } @@ -108,7 +108,7 @@ module C511_TestI128 } BB0 { [#"../511.rs" 24 16 24 28] _bing <- ([#"../511.rs" 24 16 24 28] UIntSize.of_int (Int128.to_int inp)); - [#"../511.rs" 23 28 25 1] _0 <- ([#"../511.rs" 23 28 25 1] ()); + [#"../511.rs" 23 28 25 1] _0 <- ([#"../511.rs" 23 28 25 1] [#"../511.rs" 23 28 25 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/545.mlcfg b/creusot/tests/should_succeed/bug/545.mlcfg index 7df3e0458e..23677ff4f7 100644 --- a/creusot/tests/should_succeed/bug/545.mlcfg +++ b/creusot/tests/should_succeed/bug/545.mlcfg @@ -10,7 +10,7 @@ module C545_NegativeIsNegative } BB0 { assert { [@expl:assertion] [#"../545.rs" 5 18 5 32] (0 : int32) > (-100 : int32) }; - [#"../545.rs" 4 30 6 1] _0 <- ([#"../545.rs" 4 30 6 1] ()); + [#"../545.rs" 4 30 6 1] _0 <- ([#"../545.rs" 4 30 6 1] [#"../545.rs" 4 30 6 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/552.mlcfg b/creusot/tests/should_succeed/bug/552.mlcfg index af756ed851..4e77aeaf09 100644 --- a/creusot/tests/should_succeed/bug/552.mlcfg +++ b/creusot/tests/should_succeed/bug/552.mlcfg @@ -66,7 +66,7 @@ module C552_Impl0_Step } BB1 { assume { resolve0 self }; - [#"../552.rs" 25 8 25 13] _0 <- ([#"../552.rs" 25 8 25 13] false); + [#"../552.rs" 25 8 25 13] _0 <- ([#"../552.rs" 25 8 25 13] [#"../552.rs" 25 8 25 13] false); return _0 } 
@@ -89,5 +89,6 @@ module C552_Impl0 val invariants0 [#"../552.rs" 18 4 18 31] (self : C552_Machine_Type.t_machine) : bool ensures { result = invariants0 self } - goal step_refn : [#"../552.rs" 23 4 23 30] forall self : borrowed (C552_Machine_Type.t_machine) . inv0 self /\ invariants0 ( * self) -> invariants0 ( * self) /\ (forall result : bool . invariants0 ( ^ self) -> invariants0 ( ^ self)) + goal step_refn : [#"../552.rs" 23 4 23 30] forall self : borrowed (C552_Machine_Type.t_machine) . inv0 self /\ invariants0 ( * self) + -> invariants0 ( * self) /\ (forall result : bool . invariants0 ( ^ self) -> invariants0 ( ^ self)) end diff --git a/creusot/tests/should_succeed/bug/570.mlcfg b/creusot/tests/should_succeed/bug/570.mlcfg index 1306d8bdf8..9647f01c42 100644 --- a/creusot/tests/should_succeed/bug/570.mlcfg +++ b/creusot/tests/should_succeed/bug/570.mlcfg @@ -31,7 +31,7 @@ module C570_TestProgram goto BB0 } BB0 { - [#"../570.rs" 12 27 14 1] _0 <- ([#"../570.rs" 12 27 14 1] ()); + [#"../570.rs" 12 27 14 1] _0 <- ([#"../570.rs" 12 27 14 1] [#"../570.rs" 12 27 14 1] ()); return _0 } @@ -50,8 +50,8 @@ module C570_TestAssign goto BB0 } BB0 { - [#"../570.rs" 17 4 17 14] s <- (let C570_S2_Type.C_S2 x0 = s in C570_S2_Type.C_S2 (let C570_S1_Type.C_S1 x0 = C570_S2_Type.s2_s1 s in C570_S1_Type.C_S1 ([#"../570.rs" 17 4 17 14] (2 : int32)))); - [#"../570.rs" 16 30 18 1] _0 <- ([#"../570.rs" 16 30 18 1] ()); + [#"../570.rs" 17 4 17 14] s <- (let C570_S2_Type.C_S2 x0 = s in C570_S2_Type.C_S2 (let C570_S1_Type.C_S1 x0 = C570_S2_Type.s2_s1 s in C570_S1_Type.C_S1 ([#"../570.rs" 17 4 17 14] [#"../570.rs" 17 13 17 14] (2 : int32)))); + [#"../570.rs" 16 30 18 1] _0 <- ([#"../570.rs" 16 30 18 1] [#"../570.rs" 16 30 18 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/594.mlcfg b/creusot/tests/should_succeed/bug/594.mlcfg index 0e34c01bc4..123639733d 100644 --- a/creusot/tests/should_succeed/bug/594.mlcfg +++ b/creusot/tests/should_succeed/bug/594.mlcfg 
@@ -164,8 +164,8 @@ module C594_TestClosure BB0 { [#"../594.rs" 16 14 16 37] cl1 <- ([#"../594.rs" 16 14 16 37] C594_TestClosure_Closure0.C594_TestClosure_Closure0); [#"../594.rs" 18 14 18 37] cl2 <- ([#"../594.rs" 18 14 18 37] C594_TestClosure_Closure1.C594_TestClosure_Closure1); - [#"../594.rs" 20 22 20 28] _6 <- ([#"../594.rs" 20 22 20 28] ((0 : int32), (3 : int32))); - [#"../594.rs" 20 13 20 29] _5 <- ([#"../594.rs" 20 13 20 29] ((4 : int32), _6)); + [#"../594.rs" 20 22 20 28] _6 <- ([#"../594.rs" 20 22 20 28] (([#"../594.rs" 20 23 20 24] (0 : int32)), ([#"../594.rs" 20 26 20 27] (3 : int32)))); + [#"../594.rs" 20 13 20 29] _5 <- ([#"../594.rs" 20 13 20 29] (([#"../594.rs" 20 19 20 20] (4 : int32)), _6)); _6 <- any (int32, int32); [#"../594.rs" 20 13 20 29] _a <- ([#"../594.rs" 20 13 20 29] let (a, b) = _5 in closure00 cl1 a b); _5 <- any (int32, (int32, int32)); @@ -173,7 +173,7 @@ module C594_TestClosure } BB1 { assume { resolve0 cl1 }; - [#"../594.rs" 21 19 21 25] _10 <- ([#"../594.rs" 21 19 21 25] ((0 : int32), (4 : int32))); + [#"../594.rs" 21 19 21 25] _10 <- ([#"../594.rs" 21 19 21 25] (([#"../594.rs" 21 20 21 21] (0 : int32)), ([#"../594.rs" 21 23 21 24] (4 : int32)))); [#"../594.rs" 21 13 21 26] _9 <- ([#"../594.rs" 21 13 21 26] (_10)); _10 <- any (int32, int32); [#"../594.rs" 21 13 21 26] _b <- ([#"../594.rs" 21 13 21 26] let (a) = _9 in closure10 cl2 a); @@ -182,7 +182,7 @@ module C594_TestClosure } BB2 { assume { resolve1 cl2 }; - [#"../594.rs" 15 22 22 1] _0 <- ([#"../594.rs" 15 22 22 1] ()); + [#"../594.rs" 15 22 22 1] _0 <- ([#"../594.rs" 15 22 22 1] [#"../594.rs" 15 22 22 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/641.mlcfg b/creusot/tests/should_succeed/bug/641.mlcfg index 99b5272429..c3eeffd50d 100644 --- a/creusot/tests/should_succeed/bug/641.mlcfg +++ b/creusot/tests/should_succeed/bug/641.mlcfg 
@@ -15,7 +15,7 @@ module C641_TestMaintains goto BB0 } BB0 { - [#"../641.rs" 16 24 16 26] _0 <- ([#"../641.rs" 16 24 16 26] ()); + [#"../641.rs" 16 24 16 26] _0 <- ([#"../641.rs" 16 24 16 26] [#"../641.rs" 16 24 16 26] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/682.mlcfg b/creusot/tests/should_succeed/bug/682.mlcfg index 488137d7b9..a486542f6f 100644 --- a/creusot/tests/should_succeed/bug/682.mlcfg +++ b/creusot/tests/should_succeed/bug/682.mlcfg @@ -21,9 +21,9 @@ module C682_AddSome goto BB0 } BB0 { - [#"../682.rs" 7 4 7 11] a <- { a with current = ([#"../682.rs" 7 4 7 11] * a + (1 : uint64)) ; }; + [#"../682.rs" 7 4 7 11] a <- { a with current = ([#"../682.rs" 7 4 7 11] * a + ([#"../682.rs" 7 10 7 11] (1 : uint64))) ; }; assume { resolve0 a }; - [#"../682.rs" 6 25 8 1] _0 <- ([#"../682.rs" 6 25 8 1] ()); + [#"../682.rs" 6 25 8 1] _0 <- ([#"../682.rs" 6 25 8 1] [#"../682.rs" 6 25 8 1] ()); return _0 } @@ -73,7 +73,7 @@ module C682_Foo BB2 { assume { resolve0 a }; assert { [@expl:assertion] [#"../682.rs" 15 18 15 27] * a > Snapshot.inner a_p }; - [#"../682.rs" 12 24 16 1] _0 <- ([#"../682.rs" 12 24 16 1] ()); + [#"../682.rs" 12 24 16 1] _0 <- ([#"../682.rs" 12 24 16 1] [#"../682.rs" 12 24 16 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/691.mlcfg b/creusot/tests/should_succeed/bug/691.mlcfg index ef2abb420e..bdeccc4419 100644 --- a/creusot/tests/should_succeed/bug/691.mlcfg +++ b/creusot/tests/should_succeed/bug/691.mlcfg 
@@ -65,10 +65,10 @@ module C691_Example goto BB0 } BB0 { - [#"../691.rs" 9 12 9 29] c <- ([#"../691.rs" 9 12 9 29] C691_Foo_Type.C_Foo (2 : uint32)); + [#"../691.rs" 9 12 9 29] c <- ([#"../691.rs" 9 12 9 29] C691_Foo_Type.C_Foo ([#"../691.rs" 9 23 9 27] (2 : uint32))); [#"../691.rs" 10 12 10 39] _2 <- ([#"../691.rs" 10 12 10 39] C691_Example_Closure0.C691_Example_Closure0 c); assume { resolve0 _2 }; - [#"../691.rs" 8 17 12 1] _0 <- ([#"../691.rs" 8 17 12 1] ()); + [#"../691.rs" 8 17 12 1] _0 <- ([#"../691.rs" 8 17 12 1] [#"../691.rs" 8 17 12 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/693.mlcfg b/creusot/tests/should_succeed/bug/693.mlcfg index 43a517f18b..40582b400a 100644 --- a/creusot/tests/should_succeed/bug/693.mlcfg +++ b/creusot/tests/should_succeed/bug/693.mlcfg @@ -24,7 +24,7 @@ module C693_F goto BB0 } BB0 { - [#"../693.rs" 3 22 3 24] _0 <- ([#"../693.rs" 3 22 3 24] ()); + [#"../693.rs" 3 22 3 24] _0 <- ([#"../693.rs" 3 22 3 24] [#"../693.rs" 3 22 3 24] ()); assert { [@expl:type invariant] inv0 _1 }; assume { resolve0 _1 }; goto BB1 @@ -57,7 +57,7 @@ module C693_G goto BB0 } BB0 { - [#"../693.rs" 6 4 6 8] _0 <- ([#"../693.rs" 6 4 6 8] f0 (0 : int32)); + [#"../693.rs" 6 4 6 8] _0 <- ([#"../693.rs" 6 4 6 8] f0 ([#"../693.rs" 6 6 6 7] (0 : int32))); goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/bug/789.mlcfg b/creusot/tests/should_succeed/bug/789.mlcfg index 18928f3795..582e83e6ea 100644 --- a/creusot/tests/should_succeed/bug/789.mlcfg +++ b/creusot/tests/should_succeed/bug/789.mlcfg @@ -9,7 +9,7 @@ module C789_Meta goto BB0 } BB0 { - [#"../789.rs" 3 23 3 25] _0 <- ([#"../789.rs" 3 23 3 25] ()); + [#"../789.rs" 3 23 3 25] _0 <- ([#"../789.rs" 3 23 3 25] [#"../789.rs" 3 23 3 25] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/791.mlcfg b/creusot/tests/should_succeed/bug/791.mlcfg index b0383fbf44..ec8305f0e0 100644 --- a/creusot/tests/should_succeed/bug/791.mlcfg 
+++ b/creusot/tests/should_succeed/bug/791.mlcfg @@ -7,7 +7,7 @@ module C791_ILoveFloats goto BB0 } BB0 { - [#"../791.rs" 3 23 6 1] _0 <- ([#"../791.rs" 3 23 6 1] ()); + [#"../791.rs" 3 23 6 1] _0 <- ([#"../791.rs" 3 23 6 1] [#"../791.rs" 3 23 6 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/874.mlcfg b/creusot/tests/should_succeed/bug/874.mlcfg index 76a9249439..e0ccd86ee7 100644 --- a/creusot/tests/should_succeed/bug/874.mlcfg +++ b/creusot/tests/should_succeed/bug/874.mlcfg 
@@ -111,7 +111,14 @@ module C874_CanExtend requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv5 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global), ab : Seq.seq int32, b : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global), bc : Seq.seq int32, c : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 248 15 248 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 249 15 249 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 22 251 23] inv5 a) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 31 251 33] inv3 ab) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 43 251 44] inv5 b) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 52 251 54] inv3 bc) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv5 c) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 250 14 250 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global), ab : Seq.seq int32, b : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global), bc : Seq.seq int32, c : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global) . 
([#"../../../../../creusot-contracts/src/std/vec.rs" 248 15 248 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 249 15 249 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 22 251 23] inv5 a) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 31 251 33] inv3 ab) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 43 251 44] inv5 b) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 52 251 54] inv3 bc) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv5 c) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 250 14 250 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global)) : () @@ -121,7 +128,8 @@ module C874_CanExtend requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv5 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 243 14 243 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 243 14 243 45] produces0 self (Seq.empty ) self) predicate invariant5 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant5 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -173,7 +181,8 @@ module C874_CanExtend requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant1 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv3 (shallow_model0 self) val invariant1 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool @@ -205,7 +214,8 @@ module C874_CanExtend ensures { result = index_logic0 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve1 (index_logic0 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve1 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } 
@@ -261,7 +271,8 @@ module C874_CanExtend requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : slice int32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv3 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model4 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : slice int32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv3 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model4 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) function shallow_model1 (self : slice int32) : Seq.seq int32 = [#"../../../../../creusot-contracts/src/std/boxed.rs" 20 8 20 31] shallow_model4 self val shallow_model1 (self : slice int32) : Seq.seq int32 
@@ -287,7 +298,7 @@ module C874_CanExtend goto BB0 } BB0 { - [#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] _4 <- ([#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = (1 : int32)}; assume {Seq.get (__arr_temp.elts) 1 = (2 : int32)}; assume {Seq.get (__arr_temp.elts) 2 = (3 : int32)}; assume {Slice.length __arr_temp = 3}; __arr_temp); + [#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] _4 <- ([#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = ([#"../874.rs" 5 21 5 22] (1 : int32))}; assume {Seq.get (__arr_temp.elts) 1 = ([#"../874.rs" 5 24 5 25] (2 : int32))}; assume {Seq.get (__arr_temp.elts) 2 = ([#"../874.rs" 5 27 5 28] (3 : int32))}; assume {Slice.length __arr_temp = 3}; __arr_temp); goto BB1 } BB1 { @@ -299,7 +310,7 @@ module C874_CanExtend goto BB3 } BB3 { - [#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] _8 <- ([#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = (4 : int32)}; assume {Seq.get (__arr_temp.elts) 1 = (5 : int32)}; assume {Seq.get (__arr_temp.elts) 2 = (6 : int32)}; assume {Slice.length __arr_temp = 3}; __arr_temp); + [#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] _8 <- ([#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = ([#"../874.rs" 6 17 6 18] (4 : int32))}; assume {Seq.get (__arr_temp.elts) 1 = ([#"../874.rs" 6 20 6 21] (5 : int32))}; assume {Seq.get (__arr_temp.elts) 2 = ([#"../874.rs" 6 23 6 24] (6 : int32))}; assume {Slice.length __arr_temp = 3}; __arr_temp); goto BB4 } BB4 { 
@@ -320,7 +331,7 @@ module C874_CanExtend } BB7 { assume { resolve0 v }; - [#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] _15 <- ([#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = (1 : int32)}; assume {Seq.get (__arr_temp.elts) 1 = (2 : int32)}; assume {Seq.get (__arr_temp.elts) 2 = (3 : int32)}; assume {Seq.get (__arr_temp.elts) 3 = (4 : int32)}; assume {Seq.get (__arr_temp.elts) 4 = (5 : int32)}; assume {Seq.get (__arr_temp.elts) 5 = (6 : int32)}; assume {Slice.length __arr_temp = 6}; __arr_temp); + [#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] _15 <- ([#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = ([#"../874.rs" 9 17 9 18] (1 : int32))}; assume {Seq.get (__arr_temp.elts) 1 = ([#"../874.rs" 9 20 9 21] (2 : int32))}; assume {Seq.get (__arr_temp.elts) 2 = ([#"../874.rs" 9 23 9 24] (3 : int32))}; assume {Seq.get (__arr_temp.elts) 3 = ([#"../874.rs" 9 26 9 27] (4 : int32))}; assume {Seq.get (__arr_temp.elts) 4 = ([#"../874.rs" 9 29 9 30] (5 : int32))}; assume {Seq.get (__arr_temp.elts) 5 = ([#"../874.rs" 9 32 9 33] (6 : int32))}; assume {Slice.length __arr_temp = 6}; __arr_temp); goto BB8 } BB8 { @@ -337,7 +348,7 @@ module C874_CanExtend goto BB11 } BB11 { - [#"../874.rs" 4 20 11 1] _0 <- ([#"../874.rs" 4 20 11 1] ()); + [#"../874.rs" 4 20 11 1] _0 <- ([#"../874.rs" 4 20 11 1] [#"../874.rs" 4 20 11 1] ()); goto BB12 } BB12 { diff --git a/creusot/tests/should_succeed/bug/949.mlcfg b/creusot/tests/should_succeed/bug/949.mlcfg index 837e58198d..0cacf416bb 100644 --- a/creusot/tests/should_succeed/bug/949.mlcfg +++ b/creusot/tests/should_succeed/bug/949.mlcfg 
@@ -141,7 +141,8 @@ module C949_Main requires {[#"../../../../../creusot-contracts/src/logic/fmap.rs" 28 16 28 20] inv1 self} ensures { result = view0 self } - axiom view0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 . ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 28 16 28 20] inv1 self) -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 28 4 28 35] inv4 (view0 self)) && ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 27 14 27 38] mk0 (view0 self) = self) + axiom view0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 . ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 28 16 28 20] inv1 self) + -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 28 4 28 35] inv4 (view0 self)) && ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 27 14 27 38] mk0 (view0 self) = self) function get0 [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : Core_Option_Option_Type.t_option int32 = @@ -161,7 +162,8 @@ module C949_Main requires {[#"../../../../../creusot-contracts/src/logic/fmap.rs" 13 15 13 19] inv1 self} ensures { result = len0 self } - axiom len0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 . ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 13 15 13 19] inv1 self) -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len0 self >= 0) + axiom len0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 . ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 13 15 13 19] inv1 self) + -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len0 self >= 0) use map.Map function remove0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 
@@ -170,7 +172,9 @@ module C949_Main requires {[#"../../../../../creusot-contracts/src/logic/fmap.rs" 47 24 47 25] inv2 k} ensures { result = remove0 self k } - axiom remove0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32, k : opaque_ptr . ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 47 18 47 22] inv1 self) -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 47 24 47 25] inv2 k) -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 47 4 47 37] inv1 (remove0 self k)) && ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 46 14 46 84] len0 (remove0 self k) = (if contains0 self k then + axiom remove0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32, k : opaque_ptr . ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 47 18 47 22] inv1 self) + -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 47 24 47 25] inv2 k) + -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 47 4 47 37] inv1 (remove0 self k)) && ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 46 14 46 84] len0 (remove0 self k) = (if contains0 self k then len0 self - 1 else len0 self 
@@ -180,14 +184,17 @@ module C949_Main requires {[#"../../../../../creusot-contracts/src/util.rs" 24 11 24 16] false} ensures { result = unreachable0 _1 } - axiom unreachable0_spec : forall _1 : () . ([#"../../../../../creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../../creusot-contracts/src/util.rs" 27 0 27 28] inv0 (unreachable0 _1)) && ([#"../../../../../creusot-contracts/src/util.rs" 25 10 25 15] false) + axiom unreachable0_spec : forall _1 : () . ([#"../../../../../creusot-contracts/src/util.rs" 24 11 24 16] false) + -> ([#"../../../../../creusot-contracts/src/util.rs" 27 0 27 28] inv0 (unreachable0 _1)) && ([#"../../../../../creusot-contracts/src/util.rs" 25 10 25 15] false) function unwrap0 (op : Core_Option_Option_Type.t_option int32) : int32 val unwrap0 (op : Core_Option_Option_Type.t_option int32) : int32 requires {[#"../../../../../creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} requires {[#"../../../../../creusot-contracts/src/util.rs" 35 17 35 19] inv6 op} ensures { result = unwrap0 op } - axiom unwrap0_spec : forall op : Core_Option_Option_Type.t_option int32 . ([#"../../../../../creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../../creusot-contracts/src/util.rs" 35 17 35 19] inv6 op) -> ([#"../../../../../creusot-contracts/src/util.rs" 35 0 35 36] inv0 (unwrap0 op)) && ([#"../../../../../creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap0 op) = op) + axiom unwrap0_spec : forall op : Core_Option_Option_Type.t_option int32 . 
([#"../../../../../creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) + -> ([#"../../../../../creusot-contracts/src/util.rs" 35 17 35 19] inv6 op) + -> ([#"../../../../../creusot-contracts/src/util.rs" 35 0 35 36] inv0 (unwrap0 op)) && ([#"../../../../../creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap0 op) = op) function lookup_unsized0 [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : int32 = @@ -212,7 +219,8 @@ module C949_Main requires {[#"../../../../../creusot-contracts/src/util.rs" 16 19 16 23] inv5 self} ensures { result = make_sized0 self } - axiom make_sized0_spec : forall self : int32 . ([#"../../../../../creusot-contracts/src/util.rs" 16 19 16 23] inv5 self) -> ([#"../../../../../creusot-contracts/src/util.rs" 16 4 16 40] inv0 (make_sized0 self)) && ([#"../../../../../creusot-contracts/src/util.rs" 15 14 15 30] make_sized0 self = self) + axiom make_sized0_spec : forall self : int32 . ([#"../../../../../creusot-contracts/src/util.rs" 16 19 16 23] inv5 self) + -> ([#"../../../../../creusot-contracts/src/util.rs" 16 4 16 40] inv0 (make_sized0 self)) && ([#"../../../../../creusot-contracts/src/util.rs" 15 14 15 30] make_sized0 self = self) function insert0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) (v : int32) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 val insert0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) (v : int32) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 
@@ -221,7 +229,12 @@ module C949_Main requires {[#"../../../../../creusot-contracts/src/logic/fmap.rs" 38 30 38 31] inv3 v} ensures { result = insert0 self k v } - axiom insert0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32, k : opaque_ptr, v : int32 . ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 38 18 38 22] inv1 self) -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 38 24 38 25] inv2 k) -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 38 30 38 31] inv3 v) -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 38 4 38 43] inv1 (insert0 self k v)) && ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not contains0 self k -> len0 (insert0 self k v) = len0 self + 1) && ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 36 4 36 63] contains0 self k -> len0 (insert0 self k v) = len0 self) && ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 35 14 35 71] view0 (insert0 self k v) = Map.set (view0 self) k (Core_Option_Option_Type.C_Some (make_sized0 v))) + axiom insert0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32, k : opaque_ptr, v : int32 . 
([#"../../../../../creusot-contracts/src/logic/fmap.rs" 38 18 38 22] inv1 self) + -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 38 24 38 25] inv2 k) + -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 38 30 38 31] inv3 v) + -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 38 4 38 43] inv1 (insert0 self k v)) && ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not contains0 self k + -> len0 (insert0 self k v) = len0 self + 1) && ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 36 4 36 63] contains0 self k + -> len0 (insert0 self k v) = len0 self) && ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 35 14 35 71] view0 (insert0 self k v) = Map.set (view0 self) k (Core_Option_Option_Type.C_Some (make_sized0 v))) val ptr_from_box0 (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32)) (val' : int32) : opaque_ptr requires {[#"../../../../../creusot-contracts/src/ghost_ptr.rs" 71 35 71 38] inv0 val'} ensures { [#"../../../../../creusot-contracts/src/ghost_ptr.rs" 67 4 67 42] not contains0 (shallow_model0 ( * self)) result } @@ -249,11 +262,11 @@ module C949_Main goto BB0 } BB0 { - [#"../949.rs" 5 18 5 38] tok <- ([#"../949.rs" 5 18 5 38] new0 ()); + [#"../949.rs" 5 18 5 38] tok <- ([#"../949.rs" 5 18 5 38] new0 ([#"../949.rs" 5 18 5 38] ())); goto BB1 } BB1 { - [#"../949.rs" 6 12 6 23] b <- ([#"../949.rs" 6 12 6 23] (1 : int32)); + [#"../949.rs" 6 12 6 23] b <- ([#"../949.rs" 6 12 6 23] [#"../949.rs" 6 21 6 22] (1 : int32)); goto BB2 } BB2 { @@ -272,9 +285,9 @@ module C949_Main goto BB4 } BB4 { - [#"../949.rs" 9 4 9 11] r <- ([#"../949.rs" 9 4 9 11] r + (5 : int32)); + [#"../949.rs" 9 4 9 11] r <- ([#"../949.rs" 9 4 9 11] r + ([#"../949.rs" 9 10 9 11] (5 : int32))); assume { resolve0 r }; - [#"../949.rs" 4 14 10 1] _0 <- ([#"../949.rs" 4 14 10 1] ()); + [#"../949.rs" 4 14 10 1] _0 <- ([#"../949.rs" 4 14 10 1] [#"../949.rs" 4 14 10 1] ()); goto BB5 } BB5 { 
diff --git a/creusot/tests/should_succeed/bug/final_borrows.mlcfg b/creusot/tests/should_succeed/bug/final_borrows.mlcfg index fb1ab311ec..cf7120e40d 100644 --- a/creusot/tests/should_succeed/bug/final_borrows.mlcfg +++ b/creusot/tests/should_succeed/bug/final_borrows.mlcfg @@ -569,9 +569,9 @@ module FinalBorrows_Set7 goto BB0 } BB0 { - [#"../final_borrows.rs" 49 4 49 10] r <- { r with current = ([#"../final_borrows.rs" 49 4 49 10] (7 : int32)) ; }; + [#"../final_borrows.rs" 49 4 49 10] r <- { r with current = ([#"../final_borrows.rs" 49 4 49 10] [#"../final_borrows.rs" 49 9 49 10] (7 : int32)) ; }; assume { resolve0 r }; - [#"../final_borrows.rs" 48 22 50 1] _0 <- ([#"../final_borrows.rs" 48 22 50 1] ()); + [#"../final_borrows.rs" 48 22 50 1] _0 <- ([#"../final_borrows.rs" 48 22 50 1] [#"../final_borrows.rs" 48 22 50 1] ()); return _0 } @@ -604,7 +604,7 @@ module FinalBorrows_NotFinalBorrowWorks goto BB0 } BB0 { - [#"../final_borrows.rs" 54 16 54 20] x <- ([#"../final_borrows.rs" 54 16 54 20] (1 : int32)); + [#"../final_borrows.rs" 54 16 54 20] x <- ([#"../final_borrows.rs" 54 16 54 20] [#"../final_borrows.rs" 54 16 54 20] (1 : int32)); [#"../final_borrows.rs" 55 12 55 18] r <- Borrow.borrow_mut x; [#"../final_borrows.rs" 55 12 55 18] x <- ^ r; [#"../final_borrows.rs" 56 13 56 20] r1 <- Borrow.borrow_final ( * r) (Borrow.get_id r); @@ -618,7 +618,7 @@ module FinalBorrows_NotFinalBorrowWorks BB1 { assume { resolve0 r1 }; [#"../final_borrows.rs" 58 12 58 14] y <- ([#"../final_borrows.rs" 58 12 58 14] * r); - [#"../final_borrows.rs" 59 4 59 10] r <- { r with current = ([#"../final_borrows.rs" 59 4 59 10] (2 : int32)) ; }; + [#"../final_borrows.rs" 59 4 59 10] r <- { r with current = ([#"../final_borrows.rs" 59 4 59 10] [#"../final_borrows.rs" 59 9 59 10] (2 : int32)) ; }; assume { resolve0 r }; [#"../final_borrows.rs" 60 11 60 16] _0 <- ([#"../final_borrows.rs" 60 11 60 16] x + y); return _0 
@@ -653,7 +653,7 @@ module FinalBorrows_Branching goto BB0 } BB0 { - [#"../final_borrows.rs" 65 16 65 17] x <- ([#"../final_borrows.rs" 65 16 65 17] (3 : int32)); + [#"../final_borrows.rs" 65 16 65 17] x <- ([#"../final_borrows.rs" 65 16 65 17] [#"../final_borrows.rs" 65 16 65 17] (3 : int32)); [#"../final_borrows.rs" 67 17 67 23] r1 <- Borrow.borrow_mut x; [#"../final_borrows.rs" 67 17 67 23] x <- ^ r1; [#"../final_borrows.rs" 69 13 69 21] r2 <- Borrow.borrow_mut ( * r1); @@ -676,7 +676,7 @@ module FinalBorrows_Branching assume { resolve0 _11 }; assume { resolve0 r1 }; [#"../final_borrows.rs" 74 8 74 15] y <- ([#"../final_borrows.rs" 74 8 74 15] * r1); - [#"../final_borrows.rs" 71 9 75 5] _8 <- ([#"../final_borrows.rs" 71 9 75 5] ()); + [#"../final_borrows.rs" 71 9 75 5] _8 <- ([#"../final_borrows.rs" 71 9 75 5] [#"../final_borrows.rs" 71 9 75 5] ()); goto BB3 } BB2 { @@ -685,7 +685,7 @@ module FinalBorrows_Branching assume { resolve0 r21 }; [#"../final_borrows.rs" 78 8 78 15] y <- ([#"../final_borrows.rs" 78 8 78 15] * r21); assume { resolve0 r1 }; - [#"../final_borrows.rs" 75 11 79 5] _8 <- ([#"../final_borrows.rs" 75 11 79 5] ()); + [#"../final_borrows.rs" 75 11 79 5] _8 <- ([#"../final_borrows.rs" 75 11 79 5] [#"../final_borrows.rs" 75 11 79 5] ()); goto BB3 } BB3 { @@ -927,7 +927,7 @@ module FinalBorrows_BoxReborrowDirect goto BB1 } BB1 { - [#"../final_borrows.rs" 101 4 103 5] _0 <- ([#"../final_borrows.rs" 101 4 103 5] ()); + [#"../final_borrows.rs" 101 4 103 5] _0 <- ([#"../final_borrows.rs" 101 4 103 5] [#"../final_borrows.rs" 101 4 103 5] ()); goto BB2 } BB2 { 
@@ -1297,7 +1297,7 @@ module FinalBorrows_SharedBorrowNoGen assert { [@expl:type invariant] inv1 bor }; assume { resolve0 bor }; assert { [@expl:assertion] [#"../final_borrows.rs" 152 18 152 27] b1 = bor }; - [#"../final_borrows.rs" 149 44 153 1] _0 <- ([#"../final_borrows.rs" 149 44 153 1] ()); + [#"../final_borrows.rs" 149 44 153 1] _0 <- ([#"../final_borrows.rs" 149 44 153 1] [#"../final_borrows.rs" 149 44 153 1] ()); return _0 } @@ -1371,12 +1371,12 @@ module FinalBorrows_InspectNoGen end } BB5 { - [#"../final_borrows.rs" 159 8 159 14] _0 <- ([#"../final_borrows.rs" 159 8 159 14] ()); + [#"../final_borrows.rs" 159 8 159 14] _0 <- ([#"../final_borrows.rs" 159 8 159 14] [#"../final_borrows.rs" 159 8 159 14] ()); goto BB7 } BB6 { assert { [@expl:assertion] [#"../final_borrows.rs" 161 18 161 24] r = x }; - [#"../final_borrows.rs" 155 44 162 1] _0 <- ([#"../final_borrows.rs" 155 44 162 1] ()); + [#"../final_borrows.rs" 155 44 162 1] _0 <- ([#"../final_borrows.rs" 155 44 162 1] [#"../final_borrows.rs" 155 44 162 1] ()); goto BB7 } BB7 { @@ -1430,7 +1430,7 @@ module FinalBorrows_PlaceMentionNoGen assert { [@expl:type invariant] inv1 x }; assume { resolve0 x }; assert { [@expl:assertion] [#"../final_borrows.rs" 167 18 167 25] _r = x }; - [#"../final_borrows.rs" 164 50 168 1] _0 <- ([#"../final_borrows.rs" 164 50 168 1] ()); + [#"../final_borrows.rs" 164 50 168 1] _0 <- ([#"../final_borrows.rs" 164 50 168 1] [#"../final_borrows.rs" 164 50 168 1] ()); return _0 } @@ -1467,7 +1467,7 @@ module FinalBorrows_ShallowBorrowNoGen end } BB1 { - [#"../final_borrows.rs" 177 13 177 15] _0 <- ([#"../final_borrows.rs" 177 13 177 15] ()); + [#"../final_borrows.rs" 177 13 177 15] _0 <- ([#"../final_borrows.rs" 177 13 177 15] [#"../final_borrows.rs" 177 13 177 15] ()); goto BB6 } BB2 { 
@@ -1476,7 +1476,7 @@ module FinalBorrows_ShallowBorrowNoGen BB3 { [#"../final_borrows.rs" 174 13 174 22] inner <- ([#"../final_borrows.rs" 174 13 174 22] Core_Option_Option_Type.some_0 ( * x)); [#"../final_borrows.rs" 174 13 174 22] inner1 <- ([#"../final_borrows.rs" 174 13 174 22] inner); - [#"../final_borrows.rs" 174 27 174 38] _8 <- ([#"../final_borrows.rs" 174 27 174 38] inner1 = (2 : int32)); + [#"../final_borrows.rs" 174 27 174 38] _8 <- ([#"../final_borrows.rs" 174 27 174 38] inner1 = ([#"../final_borrows.rs" 174 37 174 38] (2 : int32))); switch (_8) | False -> goto BB5 | True -> goto BB4 @@ -1485,7 +1485,7 @@ module FinalBorrows_ShallowBorrowNoGen BB4 { assume { resolve0 x }; assert { [@expl:assertion] [#"../final_borrows.rs" 175 26 175 33] _r = x }; - [#"../final_borrows.rs" 174 42 176 9] _0 <- ([#"../final_borrows.rs" 174 42 176 9] ()); + [#"../final_borrows.rs" 174 42 176 9] _0 <- ([#"../final_borrows.rs" 174 42 176 9] [#"../final_borrows.rs" 174 42 176 9] ()); goto BB6 } BB5 { diff --git a/creusot/tests/should_succeed/bug/minus_assoc.mlcfg b/creusot/tests/should_succeed/bug/minus_assoc.mlcfg index be93d0ef42..397bfc7dc5 100644 --- a/creusot/tests/should_succeed/bug/minus_assoc.mlcfg +++ b/creusot/tests/should_succeed/bug/minus_assoc.mlcfg @@ -10,7 +10,7 @@ module MinusAssoc_F goto BB0 } BB0 { - [#"../minus_assoc.rs" 6 11 6 13] _0 <- ([#"../minus_assoc.rs" 6 11 6 13] ()); + [#"../minus_assoc.rs" 6 11 6 13] _0 <- ([#"../minus_assoc.rs" 6 11 6 13] [#"../minus_assoc.rs" 6 11 6 13] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/two_phase.mlcfg b/creusot/tests/should_succeed/bug/two_phase.mlcfg index 925a87c903..4f55c628db 100644 --- a/creusot/tests/should_succeed/bug/two_phase.mlcfg +++ b/creusot/tests/should_succeed/bug/two_phase.mlcfg 
@@ -67,7 +67,8 @@ module TwoPhase_Test requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv4 (shallow_model3 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool @@ -166,7 +167,7 @@ module TwoPhase_Test } BB2 { assume { resolve0 v }; - [#"../two_phase.rs" 6 32 8 1] _0 <- ([#"../two_phase.rs" 6 32 8 1] ()); + [#"../two_phase.rs" 6 32 8 1] _0 <- ([#"../two_phase.rs" 6 32 8 1] [#"../two_phase.rs" 6 32 8 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/cell/01.mlcfg b/creusot/tests/should_succeed/cell/01.mlcfg index 1a0d454d08..9029454c1c 100644 --- a/creusot/tests/should_succeed/cell/01.mlcfg +++ b/creusot/tests/should_succeed/cell/01.mlcfg 
@@ -86,28 +86,28 @@ module C01_AddsTwo goto BB1 } BB1 { - [#"../01.rs" 43 7 43 17] _4 <- ([#"../01.rs" 43 7 43 17] v < (100000 : uint32)); + [#"../01.rs" 43 7 43 17] _4 <- ([#"../01.rs" 43 7 43 17] v < ([#"../01.rs" 43 11 43 17] (100000 : uint32))); switch (_4) | False -> goto BB4 | True -> goto BB2 end } BB2 { - [#"../01.rs" 44 14 44 19] _8 <- ([#"../01.rs" 44 14 44 19] v + (2 : uint32)); + [#"../01.rs" 44 14 44 19] _8 <- ([#"../01.rs" 44 14 44 19] v + ([#"../01.rs" 44 18 44 19] (2 : uint32))); [#"../01.rs" 44 8 44 20] _6 <- ([#"../01.rs" 44 8 44 20] set0 c _8); _8 <- any uint32; goto BB3 } BB3 { - [#"../01.rs" 43 18 45 5] _0 <- ([#"../01.rs" 43 18 45 5] ()); + [#"../01.rs" 43 18 45 5] _0 <- ([#"../01.rs" 43 18 45 5] [#"../01.rs" 43 18 45 5] ()); goto BB6 } BB4 { - [#"../01.rs" 46 8 46 16] _10 <- ([#"../01.rs" 46 8 46 16] set0 c (0 : uint32)); + [#"../01.rs" 46 8 46 16] _10 <- ([#"../01.rs" 46 8 46 16] set0 c ([#"../01.rs" 46 14 46 15] (0 : uint32))); goto BB5 } BB5 { - [#"../01.rs" 45 11 47 5] _0 <- ([#"../01.rs" 45 11 47 5] ()); + [#"../01.rs" 45 11 47 5] _0 <- ([#"../01.rs" 45 11 47 5] [#"../01.rs" 45 11 47 5] ()); goto BB6 } BB6 { diff --git a/creusot/tests/should_succeed/cell/02.mlcfg b/creusot/tests/should_succeed/cell/02.mlcfg index 817b08adf8..29baa985e3 100644 --- a/creusot/tests/should_succeed/cell/02.mlcfg +++ b/creusot/tests/should_succeed/cell/02.mlcfg 
@@ -46,11 +46,14 @@ module C02_LemmaFibBound_Impl constant i : int function lemma_fib_bound [#"../02.rs" 47 0 47 30] (i : int) : () - goal vc_lemma_fib_bound : ([#"../02.rs" 44 11 44 17] 0 <= i) -> match i = 0 with + goal vc_lemma_fib_bound : ([#"../02.rs" 44 11 44 17] 0 <= i) + -> match i = 0 with | True -> [#"../02.rs" 45 10 45 28] fib0 i <= Power.power 2 i | False -> match i = 1 with | True -> [#"../02.rs" 45 10 45 28] fib0 i <= Power.power 2 i - | False -> (([#"../02.rs" 44 11 44 17] 0 <= i - 2) /\ 0 <= ([#"../02.rs" 46 10 46 11] i) /\ ([#"../02.rs" 46 10 46 11] i - 2) < ([#"../02.rs" 46 10 46 11] i)) /\ (([#"../02.rs" 45 10 45 28] fib0 (i - 2) <= Power.power 2 (i - 2)) -> (let _ = lemma_fib_bound (i - 2) in (([#"../02.rs" 44 11 44 17] 0 <= i - 1) /\ 0 <= ([#"../02.rs" 46 10 46 11] i) /\ ([#"../02.rs" 46 10 46 11] i - 1) < ([#"../02.rs" 46 10 46 11] i)) /\ (([#"../02.rs" 45 10 45 28] fib0 (i - 1) <= Power.power 2 (i - 1)) -> ([#"../02.rs" 45 10 45 28] fib0 i <= Power.power 2 i)))) + | False -> (([#"../02.rs" 44 11 44 17] 0 <= i - 2) /\ 0 <= ([#"../02.rs" 46 10 46 11] i) /\ ([#"../02.rs" 46 10 46 11] i - 2) < ([#"../02.rs" 46 10 46 11] i)) /\ (([#"../02.rs" 45 10 45 28] fib0 (i - 2) <= Power.power 2 (i - 2)) + -> (let _ = lemma_fib_bound (i - 2) in (([#"../02.rs" 44 11 44 17] 0 <= i - 1) /\ 0 <= ([#"../02.rs" 46 10 46 11] i) /\ ([#"../02.rs" 46 10 46 11] i - 1) < ([#"../02.rs" 46 10 46 11] i)) /\ (([#"../02.rs" 45 10 45 28] fib0 (i - 1) <= Power.power 2 (i - 1)) + -> ([#"../02.rs" 45 10 45 28] fib0 i <= Power.power 2 i)))) end end end 
@@ -151,7 +154,8 @@ module C02_FibMemo requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec (C02_Cell_Type.t_cell (Core_Option_Option_Type.t_option usize) (C02_Fib_Type.t_fib)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec (C02_Cell_Type.t_cell (Core_Option_Option_Type.t_option usize) (C02_Fib_Type.t_fib)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec (C02_Cell_Type.t_cell (Core_Option_Option_Type.t_option usize) (C02_Fib_Type.t_fib)) (Alloc_Alloc_Global_Type.t_global)) = @@ -261,7 +265,8 @@ module C02_FibMemo requires {[#"../02.rs" 44 11 44 17] 0 <= i} ensures { result = lemma_fib_bound0 i } - axiom lemma_fib_bound0_spec : forall i : int . ([#"../02.rs" 44 11 44 17] 0 <= i) -> ([#"../02.rs" 45 10 45 28] fib0 i <= Power.power 2 i) + axiom lemma_fib_bound0_spec : forall i : int . ([#"../02.rs" 44 11 44 17] 0 <= i) + -> ([#"../02.rs" 45 10 45 28] fib0 i <= Power.power 2 i) use prelude.Snapshot function lemma_max_int0 [#"../02.rs" 62 0 62 22] (_1 : ()) : () = [#"../02.rs" 60 0 60 8] () 
@@ -339,7 +344,7 @@ module C02_FibMemo end } BB3 { - [#"../02.rs" 99 27 99 33] _15 <- ([#"../02.rs" 99 27 99 33] i = (0 : usize)); + [#"../02.rs" 99 27 99 33] _15 <- ([#"../02.rs" 99 27 99 33] i = ([#"../02.rs" 99 32 99 33] (0 : usize))); switch (_15) | False -> goto BB8 | True -> goto BB7 @@ -358,18 +363,18 @@ module C02_FibMemo goto BB19 } BB7 { - [#"../02.rs" 100 16 100 17] fib_i <- ([#"../02.rs" 100 16 100 17] (0 : usize)); + [#"../02.rs" 100 16 100 17] fib_i <- ([#"../02.rs" 100 16 100 17] [#"../02.rs" 100 16 100 17] (0 : usize)); goto BB16 } BB8 { - [#"../02.rs" 101 22 101 28] _17 <- ([#"../02.rs" 101 22 101 28] i = (1 : usize)); + [#"../02.rs" 101 22 101 28] _17 <- ([#"../02.rs" 101 22 101 28] i = ([#"../02.rs" 101 27 101 28] (1 : usize))); switch (_17) | False -> goto BB10 | True -> goto BB9 end } BB9 { - [#"../02.rs" 102 16 102 17] fib_i <- ([#"../02.rs" 102 16 102 17] (1 : usize)); + [#"../02.rs" 102 16 102 17] fib_i <- ([#"../02.rs" 102 16 102 17] [#"../02.rs" 102 16 102 17] (1 : usize)); goto BB15 } BB10 { @@ -381,13 +386,13 @@ module C02_FibMemo goto BB12 } BB12 { - [#"../02.rs" 106 30 106 35] _25 <- ([#"../02.rs" 106 30 106 35] i - (1 : usize)); + [#"../02.rs" 106 30 106 35] _25 <- ([#"../02.rs" 106 30 106 35] i - ([#"../02.rs" 106 34 106 35] (1 : usize))); [#"../02.rs" 106 16 106 36] _23 <- ([#"../02.rs" 106 16 106 36] fib_memo mem _25); _25 <- any usize; goto BB13 } BB13 { - [#"../02.rs" 106 53 106 58] _29 <- ([#"../02.rs" 106 53 106 58] i - (2 : usize)); + [#"../02.rs" 106 53 106 58] _29 <- ([#"../02.rs" 106 53 106 58] i - ([#"../02.rs" 106 57 106 58] (2 : usize))); [#"../02.rs" 106 39 106 59] _27 <- ([#"../02.rs" 106 39 106 59] fib_memo mem _29); _29 <- any usize; goto BB14 diff --git a/creusot/tests/should_succeed/checked_ops.mlcfg b/creusot/tests/should_succeed/checked_ops.mlcfg index 9125f4b762..3b574e107b 100644 --- a/creusot/tests/should_succeed/checked_ops.mlcfg +++ b/creusot/tests/should_succeed/checked_ops.mlcfg 
@@ -68,21 +68,30 @@ module CheckedOps_TestU8AddExample use prelude.UInt8 val overflowing_add0 (self : uint8) (rhs : uint8) : (uint8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] UInt8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (UInt8.to_int self + UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0) } val saturating_add0 (self : uint8) (rhs : uint8) : uint8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 -> UInt8.to_int result = UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 + -> UInt8.to_int result = UInt8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int max0 } val wrapping_add0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self + UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 
141 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option uint8) : bool 
@@ -97,7 +106,8 @@ module CheckedOps_TestU8AddExample val checked_add0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = UInt8.to_int self + UInt8.to_int rhs } let rec cfg test_u8_add_example [#"../checked_ops.rs" 5 0 5 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () @@ -126,7 +136,7 @@ module CheckedOps_TestU8AddExample goto BB0 } BB0 { - [#"../checked_ops.rs" 6 12 6 31] _4 <- ([#"../checked_ops.rs" 6 12 6 31] checked_add0 (5 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 6 12 6 31] _4 <- ([#"../checked_ops.rs" 6 12 6 31] checked_add0 ([#"../checked_ops.rs" 6 12 6 15] (5 : uint8)) ([#"../checked_ops.rs" 6 28 6 30] (10 : uint8))); goto BB1 } BB1 { @@ -135,7 +145,7 @@ module CheckedOps_TestU8AddExample goto BB2 } BB2 { - [#"../checked_ops.rs" 6 12 6 46] _2 <- ([#"../checked_ops.rs" 6 12 6 46] _3 = (15 : uint8)); + [#"../checked_ops.rs" 6 12 6 46] _2 <- ([#"../checked_ops.rs" 6 12 6 46] _3 = ([#"../checked_ops.rs" 6 44 6 46] (15 : uint8))); _3 <- any uint8; switch (_2) | False -> goto BB4 
@@ -143,7 +153,7 @@ module CheckedOps_TestU8AddExample end } BB3 { - [#"../checked_ops.rs" 7 12 7 33] _9 <- ([#"../checked_ops.rs" 7 12 7 33] checked_add0 (250 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 7 12 7 33] _9 <- ([#"../checked_ops.rs" 7 12 7 33] checked_add0 ([#"../checked_ops.rs" 7 12 7 17] (250 : uint8)) ([#"../checked_ops.rs" 7 30 7 32] (10 : uint8))); goto BB5 } BB4 { @@ -161,7 +171,7 @@ module CheckedOps_TestU8AddExample end } BB7 { - [#"../checked_ops.rs" 9 12 9 32] _13 <- ([#"../checked_ops.rs" 9 12 9 32] wrapping_add0 (5 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 9 12 9 32] _13 <- ([#"../checked_ops.rs" 9 12 9 32] wrapping_add0 ([#"../checked_ops.rs" 9 12 9 15] (5 : uint8)) ([#"../checked_ops.rs" 9 29 9 31] (10 : uint8))); goto BB9 } BB8 { @@ -169,7 +179,7 @@ module CheckedOps_TestU8AddExample absurd } BB9 { - [#"../checked_ops.rs" 9 12 9 38] _12 <- ([#"../checked_ops.rs" 9 12 9 38] _13 = (15 : uint8)); + [#"../checked_ops.rs" 9 12 9 38] _12 <- ([#"../checked_ops.rs" 9 12 9 38] _13 = ([#"../checked_ops.rs" 9 36 9 38] (15 : uint8))); _13 <- any uint8; switch (_12) | False -> goto BB11 @@ -177,7 +187,7 @@ module CheckedOps_TestU8AddExample end } BB10 { - [#"../checked_ops.rs" 10 12 10 34] _17 <- ([#"../checked_ops.rs" 10 12 10 34] wrapping_add0 (250 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 10 12 10 34] _17 <- ([#"../checked_ops.rs" 10 12 10 34] wrapping_add0 ([#"../checked_ops.rs" 10 12 10 17] (250 : uint8)) ([#"../checked_ops.rs" 10 31 10 33] (10 : uint8))); goto BB12 } BB11 { @@ -185,7 +195,7 @@ module CheckedOps_TestU8AddExample absurd } BB12 { - [#"../checked_ops.rs" 10 12 10 39] _16 <- ([#"../checked_ops.rs" 10 12 10 39] _17 = (4 : uint8)); + [#"../checked_ops.rs" 10 12 10 39] _16 <- ([#"../checked_ops.rs" 10 12 10 39] _17 = ([#"../checked_ops.rs" 10 38 10 39] (4 : uint8))); _17 <- any uint8; switch (_16) | False -> goto BB14 
@@ -193,7 +203,7 @@ module CheckedOps_TestU8AddExample end } BB13 { - [#"../checked_ops.rs" 12 12 12 34] _21 <- ([#"../checked_ops.rs" 12 12 12 34] saturating_add0 (5 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 12 12 12 34] _21 <- ([#"../checked_ops.rs" 12 12 12 34] saturating_add0 ([#"../checked_ops.rs" 12 12 12 15] (5 : uint8)) ([#"../checked_ops.rs" 12 31 12 33] (10 : uint8))); goto BB15 } BB14 { @@ -201,7 +211,7 @@ module CheckedOps_TestU8AddExample absurd } BB15 { - [#"../checked_ops.rs" 12 12 12 40] _20 <- ([#"../checked_ops.rs" 12 12 12 40] _21 = (15 : uint8)); + [#"../checked_ops.rs" 12 12 12 40] _20 <- ([#"../checked_ops.rs" 12 12 12 40] _21 = ([#"../checked_ops.rs" 12 38 12 40] (15 : uint8))); _21 <- any uint8; switch (_20) | False -> goto BB17 @@ -209,7 +219,7 @@ module CheckedOps_TestU8AddExample end } BB16 { - [#"../checked_ops.rs" 13 12 13 36] _25 <- ([#"../checked_ops.rs" 13 12 13 36] saturating_add0 (250 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 13 12 13 36] _25 <- ([#"../checked_ops.rs" 13 12 13 36] saturating_add0 ([#"../checked_ops.rs" 13 12 13 17] (250 : uint8)) ([#"../checked_ops.rs" 13 33 13 35] (10 : uint8))); goto BB18 } BB17 { @@ -217,7 +227,7 @@ module CheckedOps_TestU8AddExample absurd } BB18 { - [#"../checked_ops.rs" 13 12 13 43] _24 <- ([#"../checked_ops.rs" 13 12 13 43] _25 = (255 : uint8)); + [#"../checked_ops.rs" 13 12 13 43] _24 <- ([#"../checked_ops.rs" 13 12 13 43] _25 = ([#"../checked_ops.rs" 13 40 13 43] (255 : uint8))); _25 <- any uint8; switch (_24) | False -> goto BB20 @@ -225,7 +235,7 @@ module CheckedOps_TestU8AddExample end } BB19 { - [#"../checked_ops.rs" 15 14 15 37] res <- ([#"../checked_ops.rs" 15 14 15 37] overflowing_add0 (5 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 15 14 15 37] res <- ([#"../checked_ops.rs" 15 14 15 37] overflowing_add0 ([#"../checked_ops.rs" 15 14 15 17] (5 : uint8)) ([#"../checked_ops.rs" 15 34 15 36] (10 : uint8))); goto BB21 } BB20 { 
@@ -233,7 +243,7 @@ module CheckedOps_TestU8AddExample absurd } BB21 { - [#"../checked_ops.rs" 16 12 16 23] _29 <- ([#"../checked_ops.rs" 16 12 16 23] (let (a, _) = res in a) = (15 : uint8)); + [#"../checked_ops.rs" 16 12 16 23] _29 <- ([#"../checked_ops.rs" 16 12 16 23] (let (a, _) = res in a) = ([#"../checked_ops.rs" 16 21 16 23] (15 : uint8))); switch (_29) | False -> goto BB25 | True -> goto BB22 @@ -241,14 +251,14 @@ module CheckedOps_TestU8AddExample } BB22 { assume { resolve0 res }; - [#"../checked_ops.rs" 16 27 16 41] _31 <- ([#"../checked_ops.rs" 16 27 16 41] Bool.eqb (let (_, a) = res in a) false); + [#"../checked_ops.rs" 16 27 16 41] _31 <- ([#"../checked_ops.rs" 16 27 16 41] Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 16 36 16 41] false)); switch (_31) | False -> goto BB24 | True -> goto BB23 end } BB23 { - [#"../checked_ops.rs" 17 14 17 39] res1 <- ([#"../checked_ops.rs" 17 14 17 39] overflowing_add0 (250 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 17 14 17 39] res1 <- ([#"../checked_ops.rs" 17 14 17 39] overflowing_add0 ([#"../checked_ops.rs" 17 14 17 19] (250 : uint8)) ([#"../checked_ops.rs" 17 36 17 38] (10 : uint8))); goto BB27 } BB24 { @@ -263,7 +273,7 @@ module CheckedOps_TestU8AddExample absurd } BB27 { - [#"../checked_ops.rs" 18 12 18 22] _36 <- ([#"../checked_ops.rs" 18 12 18 22] (let (a, _) = res1 in a) = (4 : uint8)); + [#"../checked_ops.rs" 18 12 18 22] _36 <- ([#"../checked_ops.rs" 18 12 18 22] (let (a, _) = res1 in a) = ([#"../checked_ops.rs" 18 21 18 22] (4 : uint8))); switch (_36) | False -> goto BB31 | True -> goto BB28 
@@ -271,14 +281,14 @@ module CheckedOps_TestU8AddExample } BB28 { assume { resolve0 res1 }; - [#"../checked_ops.rs" 18 26 18 39] _38 <- ([#"../checked_ops.rs" 18 26 18 39] Bool.eqb (let (_, a) = res1 in a) true); + [#"../checked_ops.rs" 18 26 18 39] _38 <- ([#"../checked_ops.rs" 18 26 18 39] Bool.eqb (let (_, a) = res1 in a) ([#"../checked_ops.rs" 18 35 18 39] true)); switch (_38) | False -> goto BB30 | True -> goto BB29 end } BB29 { - [#"../checked_ops.rs" 5 29 19 1] _0 <- ([#"../checked_ops.rs" 5 29 19 1] ()); + [#"../checked_ops.rs" 5 29 19 1] _0 <- ([#"../checked_ops.rs" 5 29 19 1] [#"../checked_ops.rs" 5 29 19 1] ()); return _0 } BB30 { 
@@ -337,21 +347,30 @@ module CheckedOps_TestU8AddOverflow (8 : uint32) val overflowing_add0 (self : uint8) (rhs : uint8) : (uint8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] UInt8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (UInt8.to_int self + UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0) } val saturating_add0 (self : uint8) (rhs : uint8) : uint8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 -> UInt8.to_int result = UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 + -> UInt8.to_int result = UInt8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int max0 } val wrapping_add0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self + UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 
141 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option uint8) : bool 
@@ -360,7 +379,8 @@ module CheckedOps_TestU8AddOverflow val checked_add0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = UInt8.to_int self + UInt8.to_int rhs } let rec cfg test_u8_add_overflow [#"../checked_ops.rs" 23 0 23 34] [@cfg:stackify] [@cfg:subregion_analysis] (a : uint8) : () requires {[#"../checked_ops.rs" 22 11 22 18] UInt8.to_int a <> 0} @@ -383,7 +403,7 @@ module CheckedOps_TestU8AddOverflow goto BB0 } BB0 { - [#"../checked_ops.rs" 24 12 24 32] _6 <- ([#"../checked_ops.rs" 24 12 24 32] checked_add0 (255 : uint8) a); + [#"../checked_ops.rs" 24 12 24 32] _6 <- ([#"../checked_ops.rs" 24 12 24 32] checked_add0 ([#"../checked_ops.rs" 24 12 24 17] (255 : uint8)) a); goto BB1 } BB1 { @@ -397,7 +417,7 @@ module CheckedOps_TestU8AddOverflow end } BB3 { - [#"../checked_ops.rs" 25 12 25 33] _11 <- ([#"../checked_ops.rs" 25 12 25 33] wrapping_add0 (255 : uint8) a); + [#"../checked_ops.rs" 25 12 25 33] _11 <- ([#"../checked_ops.rs" 25 12 25 33] wrapping_add0 ([#"../checked_ops.rs" 25 12 25 17] (255 : uint8)) a); goto BB5 } BB4 { 
@@ -405,7 +425,7 @@ module CheckedOps_TestU8AddOverflow absurd } BB5 { - [#"../checked_ops.rs" 25 37 25 42] _13 <- ([#"../checked_ops.rs" 25 37 25 42] a - (1 : uint8)); + [#"../checked_ops.rs" 25 37 25 42] _13 <- ([#"../checked_ops.rs" 25 37 25 42] a - ([#"../checked_ops.rs" 25 41 25 42] (1 : uint8))); [#"../checked_ops.rs" 25 12 25 42] _10 <- ([#"../checked_ops.rs" 25 12 25 42] _11 = _13); _11 <- any uint8; _13 <- any uint8; @@ -415,7 +435,7 @@ module CheckedOps_TestU8AddOverflow end } BB6 { - [#"../checked_ops.rs" 26 12 26 35] _18 <- ([#"../checked_ops.rs" 26 12 26 35] saturating_add0 (255 : uint8) a); + [#"../checked_ops.rs" 26 12 26 35] _18 <- ([#"../checked_ops.rs" 26 12 26 35] saturating_add0 ([#"../checked_ops.rs" 26 12 26 17] (255 : uint8)) a); goto BB8 } BB7 { @@ -423,7 +443,7 @@ module CheckedOps_TestU8AddOverflow absurd } BB8 { - [#"../checked_ops.rs" 26 12 26 42] _17 <- ([#"../checked_ops.rs" 26 12 26 42] _18 = (255 : uint8)); + [#"../checked_ops.rs" 26 12 26 42] _17 <- ([#"../checked_ops.rs" 26 12 26 42] _18 = ([#"../checked_ops.rs" 26 39 26 42] (255 : uint8))); _18 <- any uint8; switch (_17) | False -> goto BB10 @@ -431,7 +451,7 @@ module CheckedOps_TestU8AddOverflow end } BB9 { - [#"../checked_ops.rs" 27 14 27 38] res <- ([#"../checked_ops.rs" 27 14 27 38] overflowing_add0 (255 : uint8) a); + [#"../checked_ops.rs" 27 14 27 38] res <- ([#"../checked_ops.rs" 27 14 27 38] overflowing_add0 ([#"../checked_ops.rs" 27 14 27 19] (255 : uint8)) a); goto BB11 } BB10 { @@ -439,7 +459,7 @@ module CheckedOps_TestU8AddOverflow absurd } BB11 { - [#"../checked_ops.rs" 28 21 28 26] _26 <- ([#"../checked_ops.rs" 28 21 28 26] a - (1 : uint8)); + [#"../checked_ops.rs" 28 21 28 26] _26 <- ([#"../checked_ops.rs" 28 21 28 26] a - ([#"../checked_ops.rs" 28 25 28 26] (1 : uint8))); [#"../checked_ops.rs" 28 12 28 26] _24 <- ([#"../checked_ops.rs" 28 12 28 26] (let (a, _) = res in a) = _26); _26 <- any uint8; switch (_24) 
@@ -449,14 +469,14 @@ module CheckedOps_TestU8AddOverflow } BB12 { assume { resolve0 res }; - [#"../checked_ops.rs" 28 30 28 43] _28 <- ([#"../checked_ops.rs" 28 30 28 43] Bool.eqb (let (_, a) = res in a) true); + [#"../checked_ops.rs" 28 30 28 43] _28 <- ([#"../checked_ops.rs" 28 30 28 43] Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 28 39 28 43] true)); switch (_28) | False -> goto BB14 | True -> goto BB13 end } BB13 { - [#"../checked_ops.rs" 23 35 29 1] _0 <- ([#"../checked_ops.rs" 23 35 29 1] ()); + [#"../checked_ops.rs" 23 35 29 1] _0 <- ([#"../checked_ops.rs" 23 35 29 1] [#"../checked_ops.rs" 23 35 29 1] ()); return _0 } BB14 { 
@@ -488,9 +508,12 @@ module CheckedOps_TestU8WrappingAdd (8 : uint32) val wrapping_add0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self + UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } let rec cfg test_u8_wrapping_add [#"../checked_ops.rs" 34 0 34 47] [@cfg:stackify] [@cfg:subregion_analysis] (a : uint8) (b : uint8) : uint8 ensures { [#"../checked_ops.rs" 33 10 33 56] UInt8.to_int result = UInt8.to_int a + UInt8.to_int b \/ UInt8.to_int result = UInt8.to_int a + UInt8.to_int b - 256 } @@ -538,7 +561,8 @@ module CheckedOps_TestU8OverflowingAdd use prelude.UInt8 val checked_add0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = UInt8.to_int self + UInt8.to_int rhs } use prelude.UInt32 use int.EuclideanDivision 
@@ -548,9 +572,12 @@ module CheckedOps_TestU8OverflowingAdd (8 : uint32) val wrapping_add0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self + UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } predicate resolve2 (self : bool) = [#"../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true 
@@ -569,9 +596,12 @@ module CheckedOps_TestU8OverflowingAdd val overflowing_add0 (self : uint8) (rhs : uint8) : (uint8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] UInt8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (UInt8.to_int self + UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0) } let rec cfg test_u8_overflowing_add [#"../checked_ops.rs" 39 0 39 44] [@cfg:stackify] [@cfg:subregion_analysis] (a : uint8) (b : uint8) : () @@ -633,7 +663,7 @@ module CheckedOps_TestU8OverflowingAdd end } BB8 { - [#"../checked_ops.rs" 39 45 42 1] _0 <- ([#"../checked_ops.rs" 39 45 42 1] ()); + [#"../checked_ops.rs" 39 45 42 1] _0 <- ([#"../checked_ops.rs" 39 45 42 1] [#"../checked_ops.rs" 39 45 42 1] ()); return _0 } BB9 { 
@@ -705,21 +735,30 @@ module CheckedOps_TestU8SubExample use prelude.UInt8 val overflowing_sub0 (self : uint8) (rhs : uint8) : (uint8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] UInt8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (UInt8.to_int self - UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0) } val saturating_sub0 (self : uint8) (rhs : uint8) : uint8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 -> UInt8.to_int result = UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 + -> UInt8.to_int result = UInt8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int max0 } val wrapping_sub0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self - UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 
141 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } val unwrap0 (self : Core_Option_Option_Type.t_option uint8) : uint8 requires {[#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self <> Core_Option_Option_Type.C_None} 
@@ -734,7 +773,8 @@ module CheckedOps_TestU8SubExample val checked_sub0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = UInt8.to_int self - UInt8.to_int rhs } let rec cfg test_u8_sub_example [#"../checked_ops.rs" 45 0 45 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () @@ -763,7 +803,7 @@ module CheckedOps_TestU8SubExample goto BB0 } BB0 { - [#"../checked_ops.rs" 46 12 46 31] _4 <- ([#"../checked_ops.rs" 46 12 46 31] checked_sub0 (5 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 46 12 46 31] _4 <- ([#"../checked_ops.rs" 46 12 46 31] checked_sub0 ([#"../checked_ops.rs" 46 12 46 15] (5 : uint8)) ([#"../checked_ops.rs" 46 28 46 30] (10 : uint8))); goto BB1 } BB1 { @@ -777,7 +817,7 @@ module CheckedOps_TestU8SubExample end } BB3 { - [#"../checked_ops.rs" 47 12 47 33] _9 <- ([#"../checked_ops.rs" 47 12 47 33] checked_sub0 (250 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 47 12 47 33] _9 <- ([#"../checked_ops.rs" 47 12 47 33] checked_sub0 ([#"../checked_ops.rs" 47 12 47 17] (250 : uint8)) ([#"../checked_ops.rs" 47 30 47 32] (10 : uint8))); goto BB5 } BB4 { 
@@ -790,7 +830,7 @@ module CheckedOps_TestU8SubExample goto BB6 } BB6 { - [#"../checked_ops.rs" 47 12 47 49] _7 <- ([#"../checked_ops.rs" 47 12 47 49] _8 = (240 : uint8)); + [#"../checked_ops.rs" 47 12 47 49] _7 <- ([#"../checked_ops.rs" 47 12 47 49] _8 = ([#"../checked_ops.rs" 47 46 47 49] (240 : uint8))); _8 <- any uint8; switch (_7) | False -> goto BB8 @@ -798,7 +838,7 @@ module CheckedOps_TestU8SubExample end } BB7 { - [#"../checked_ops.rs" 49 12 49 32] _13 <- ([#"../checked_ops.rs" 49 12 49 32] wrapping_sub0 (5 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 49 12 49 32] _13 <- ([#"../checked_ops.rs" 49 12 49 32] wrapping_sub0 ([#"../checked_ops.rs" 49 12 49 15] (5 : uint8)) ([#"../checked_ops.rs" 49 29 49 31] (10 : uint8))); goto BB9 } BB8 { @@ -806,7 +846,7 @@ module CheckedOps_TestU8SubExample absurd } BB9 { - [#"../checked_ops.rs" 49 12 49 39] _12 <- ([#"../checked_ops.rs" 49 12 49 39] _13 = (251 : uint8)); + [#"../checked_ops.rs" 49 12 49 39] _12 <- ([#"../checked_ops.rs" 49 12 49 39] _13 = ([#"../checked_ops.rs" 49 36 49 39] (251 : uint8))); _13 <- any uint8; switch (_12) | False -> goto BB11 @@ -814,7 +854,7 @@ module CheckedOps_TestU8SubExample end } BB10 { - [#"../checked_ops.rs" 50 12 50 34] _17 <- ([#"../checked_ops.rs" 50 12 50 34] wrapping_sub0 (250 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 50 12 50 34] _17 <- ([#"../checked_ops.rs" 50 12 50 34] wrapping_sub0 ([#"../checked_ops.rs" 50 12 50 17] (250 : uint8)) ([#"../checked_ops.rs" 50 31 50 33] (10 : uint8))); goto BB12 } BB11 { @@ -822,7 +862,7 @@ module CheckedOps_TestU8SubExample absurd } BB12 { - [#"../checked_ops.rs" 50 12 50 41] _16 <- ([#"../checked_ops.rs" 50 12 50 41] _17 = (240 : uint8)); + [#"../checked_ops.rs" 50 12 50 41] _16 <- ([#"../checked_ops.rs" 50 12 50 41] _17 = ([#"../checked_ops.rs" 50 38 50 41] (240 : uint8))); _17 <- any uint8; switch (_16) | False -> goto BB14 
@@ -830,7 +870,7 @@ module CheckedOps_TestU8SubExample end } BB13 { - [#"../checked_ops.rs" 52 12 52 34] _21 <- ([#"../checked_ops.rs" 52 12 52 34] saturating_sub0 (5 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 52 12 52 34] _21 <- ([#"../checked_ops.rs" 52 12 52 34] saturating_sub0 ([#"../checked_ops.rs" 52 12 52 15] (5 : uint8)) ([#"../checked_ops.rs" 52 31 52 33] (10 : uint8))); goto BB15 } BB14 { @@ -838,7 +878,7 @@ module CheckedOps_TestU8SubExample absurd } BB15 { - [#"../checked_ops.rs" 52 12 52 39] _20 <- ([#"../checked_ops.rs" 52 12 52 39] _21 = (0 : uint8)); + [#"../checked_ops.rs" 52 12 52 39] _20 <- ([#"../checked_ops.rs" 52 12 52 39] _21 = ([#"../checked_ops.rs" 52 38 52 39] (0 : uint8))); _21 <- any uint8; switch (_20) | False -> goto BB17 @@ -846,7 +886,7 @@ module CheckedOps_TestU8SubExample end } BB16 { - [#"../checked_ops.rs" 53 12 53 36] _25 <- ([#"../checked_ops.rs" 53 12 53 36] saturating_sub0 (250 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 53 12 53 36] _25 <- ([#"../checked_ops.rs" 53 12 53 36] saturating_sub0 ([#"../checked_ops.rs" 53 12 53 17] (250 : uint8)) ([#"../checked_ops.rs" 53 33 53 35] (10 : uint8))); goto BB18 } BB17 { @@ -854,7 +894,7 @@ module CheckedOps_TestU8SubExample absurd } BB18 { - [#"../checked_ops.rs" 53 12 53 43] _24 <- ([#"../checked_ops.rs" 53 12 53 43] _25 = (240 : uint8)); + [#"../checked_ops.rs" 53 12 53 43] _24 <- ([#"../checked_ops.rs" 53 12 53 43] _25 = ([#"../checked_ops.rs" 53 40 53 43] (240 : uint8))); _25 <- any uint8; switch (_24) | False -> goto BB20 @@ -862,7 +902,7 @@ module CheckedOps_TestU8SubExample end } BB19 { - [#"../checked_ops.rs" 55 14 55 37] res <- ([#"../checked_ops.rs" 55 14 55 37] overflowing_sub0 (5 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 55 14 55 37] res <- ([#"../checked_ops.rs" 55 14 55 37] overflowing_sub0 ([#"../checked_ops.rs" 55 14 55 17] (5 : uint8)) ([#"../checked_ops.rs" 55 34 55 36] (10 : uint8))); goto BB21 } BB20 { 
@@ -870,7 +910,7 @@ module CheckedOps_TestU8SubExample absurd } BB21 { - [#"../checked_ops.rs" 56 12 56 24] _29 <- ([#"../checked_ops.rs" 56 12 56 24] (let (a, _) = res in a) = (251 : uint8)); + [#"../checked_ops.rs" 56 12 56 24] _29 <- ([#"../checked_ops.rs" 56 12 56 24] (let (a, _) = res in a) = ([#"../checked_ops.rs" 56 21 56 24] (251 : uint8))); switch (_29) | False -> goto BB25 | True -> goto BB22 @@ -878,14 +918,14 @@ module CheckedOps_TestU8SubExample } BB22 { assume { resolve0 res }; - [#"../checked_ops.rs" 56 28 56 41] _31 <- ([#"../checked_ops.rs" 56 28 56 41] Bool.eqb (let (_, a) = res in a) true); + [#"../checked_ops.rs" 56 28 56 41] _31 <- ([#"../checked_ops.rs" 56 28 56 41] Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 56 37 56 41] true)); switch (_31) | False -> goto BB24 | True -> goto BB23 end } BB23 { - [#"../checked_ops.rs" 57 14 57 39] res1 <- ([#"../checked_ops.rs" 57 14 57 39] overflowing_sub0 (250 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 57 14 57 39] res1 <- ([#"../checked_ops.rs" 57 14 57 39] overflowing_sub0 ([#"../checked_ops.rs" 57 14 57 19] (250 : uint8)) ([#"../checked_ops.rs" 57 36 57 38] (10 : uint8))); goto BB27 } BB24 { @@ -900,7 +940,7 @@ module CheckedOps_TestU8SubExample absurd } BB27 { - [#"../checked_ops.rs" 58 12 58 24] _36 <- ([#"../checked_ops.rs" 58 12 58 24] (let (a, _) = res1 in a) = (240 : uint8)); + [#"../checked_ops.rs" 58 12 58 24] _36 <- ([#"../checked_ops.rs" 58 12 58 24] (let (a, _) = res1 in a) = ([#"../checked_ops.rs" 58 21 58 24] (240 : uint8))); switch (_36) | False -> goto BB31 | True -> goto BB28 
@@ -908,14 +948,14 @@ module CheckedOps_TestU8SubExample } BB28 { assume { resolve0 res1 }; - [#"../checked_ops.rs" 58 28 58 42] _38 <- ([#"../checked_ops.rs" 58 28 58 42] Bool.eqb (let (_, a) = res1 in a) false); + [#"../checked_ops.rs" 58 28 58 42] _38 <- ([#"../checked_ops.rs" 58 28 58 42] Bool.eqb (let (_, a) = res1 in a) ([#"../checked_ops.rs" 58 37 58 42] false)); switch (_38) | False -> goto BB30 | True -> goto BB29 end } BB29 { - [#"../checked_ops.rs" 45 29 59 1] _0 <- ([#"../checked_ops.rs" 45 29 59 1] ()); + [#"../checked_ops.rs" 45 29 59 1] _0 <- ([#"../checked_ops.rs" 45 29 59 1] [#"../checked_ops.rs" 45 29 59 1] ()); return _0 } BB30 { 
@@ -974,21 +1014,30 @@ module CheckedOps_TestU8SubOverflow (8 : uint32) val overflowing_sub0 (self : uint8) (rhs : uint8) : (uint8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] UInt8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (UInt8.to_int self - UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0) } val saturating_sub0 (self : uint8) (rhs : uint8) : uint8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 -> UInt8.to_int result = UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 + -> UInt8.to_int result = UInt8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int max0 } val wrapping_sub0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self - UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 
141 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option uint8) : bool 
@@ -997,7 +1046,8 @@ module CheckedOps_TestU8SubOverflow val checked_sub0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = UInt8.to_int self - UInt8.to_int rhs } let rec cfg test_u8_sub_overflow [#"../checked_ops.rs" 63 0 63 34] [@cfg:stackify] [@cfg:subregion_analysis] (a : uint8) : () requires {[#"../checked_ops.rs" 62 11 62 18] UInt8.to_int a <> 0} @@ -1022,7 +1072,7 @@ module CheckedOps_TestU8SubOverflow goto BB0 } BB0 { - [#"../checked_ops.rs" 64 12 64 30] _6 <- ([#"../checked_ops.rs" 64 12 64 30] checked_sub0 (0 : uint8) a); + [#"../checked_ops.rs" 64 12 64 30] _6 <- ([#"../checked_ops.rs" 64 12 64 30] checked_sub0 ([#"../checked_ops.rs" 64 12 64 15] (0 : uint8)) a); goto BB1 } BB1 { @@ -1036,7 +1086,7 @@ module CheckedOps_TestU8SubOverflow end } BB3 { - [#"../checked_ops.rs" 65 12 65 31] _11 <- ([#"../checked_ops.rs" 65 12 65 31] wrapping_sub0 (0 : uint8) a); + [#"../checked_ops.rs" 65 12 65 31] _11 <- ([#"../checked_ops.rs" 65 12 65 31] wrapping_sub0 ([#"../checked_ops.rs" 65 12 65 15] (0 : uint8)) a); goto BB5 } BB4 { 
@@ -1044,8 +1094,8 @@ module CheckedOps_TestU8SubOverflow absurd } BB5 { - [#"../checked_ops.rs" 65 35 65 42] _14 <- ([#"../checked_ops.rs" 65 35 65 42] (255 : uint8) - a); - [#"../checked_ops.rs" 65 35 65 46] _13 <- ([#"../checked_ops.rs" 65 35 65 46] _14 + (1 : uint8)); + [#"../checked_ops.rs" 65 35 65 42] _14 <- ([#"../checked_ops.rs" 65 35 65 42] ([#"../checked_ops.rs" 65 35 65 38] (255 : uint8)) - a); + [#"../checked_ops.rs" 65 35 65 46] _13 <- ([#"../checked_ops.rs" 65 35 65 46] _14 + ([#"../checked_ops.rs" 65 45 65 46] (1 : uint8))); _14 <- any uint8; [#"../checked_ops.rs" 65 12 65 46] _10 <- ([#"../checked_ops.rs" 65 12 65 46] _11 = _13); _11 <- any uint8; @@ -1056,7 +1106,7 @@ module CheckedOps_TestU8SubOverflow end } BB6 { - [#"../checked_ops.rs" 66 12 66 33] _19 <- ([#"../checked_ops.rs" 66 12 66 33] saturating_sub0 (0 : uint8) a); + [#"../checked_ops.rs" 66 12 66 33] _19 <- ([#"../checked_ops.rs" 66 12 66 33] saturating_sub0 ([#"../checked_ops.rs" 66 12 66 15] (0 : uint8)) a); goto BB8 } BB7 { @@ -1064,7 +1114,7 @@ module CheckedOps_TestU8SubOverflow absurd } BB8 { - [#"../checked_ops.rs" 66 12 66 38] _18 <- ([#"../checked_ops.rs" 66 12 66 38] _19 = (0 : uint8)); + [#"../checked_ops.rs" 66 12 66 38] _18 <- ([#"../checked_ops.rs" 66 12 66 38] _19 = ([#"../checked_ops.rs" 66 37 66 38] (0 : uint8))); _19 <- any uint8; switch (_18) | False -> goto BB10 @@ -1072,7 +1122,7 @@ module CheckedOps_TestU8SubOverflow end } BB9 { - [#"../checked_ops.rs" 67 14 67 36] res <- ([#"../checked_ops.rs" 67 14 67 36] overflowing_sub0 (0 : uint8) a); + [#"../checked_ops.rs" 67 14 67 36] res <- ([#"../checked_ops.rs" 67 14 67 36] overflowing_sub0 ([#"../checked_ops.rs" 67 14 67 17] (0 : uint8)) a); goto BB11 } BB10 { 
@@ -1080,8 +1130,8 @@ module CheckedOps_TestU8SubOverflow absurd } BB11 { - [#"../checked_ops.rs" 68 21 68 28] _28 <- ([#"../checked_ops.rs" 68 21 68 28] (255 : uint8) - a); - [#"../checked_ops.rs" 68 21 68 32] _27 <- ([#"../checked_ops.rs" 68 21 68 32] _28 + (1 : uint8)); + [#"../checked_ops.rs" 68 21 68 28] _28 <- ([#"../checked_ops.rs" 68 21 68 28] ([#"../checked_ops.rs" 68 21 68 24] (255 : uint8)) - a); + [#"../checked_ops.rs" 68 21 68 32] _27 <- ([#"../checked_ops.rs" 68 21 68 32] _28 + ([#"../checked_ops.rs" 68 31 68 32] (1 : uint8))); _28 <- any uint8; [#"../checked_ops.rs" 68 12 68 32] _25 <- ([#"../checked_ops.rs" 68 12 68 32] (let (a, _) = res in a) = _27); _27 <- any uint8; @@ -1092,14 +1142,14 @@ module CheckedOps_TestU8SubOverflow } BB12 { assume { resolve0 res }; - [#"../checked_ops.rs" 68 36 68 49] _30 <- ([#"../checked_ops.rs" 68 36 68 49] Bool.eqb (let (_, a) = res in a) true); + [#"../checked_ops.rs" 68 36 68 49] _30 <- ([#"../checked_ops.rs" 68 36 68 49] Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 68 45 68 49] true)); switch (_30) | False -> goto BB14 | True -> goto BB13 end } BB13 { - [#"../checked_ops.rs" 63 35 69 1] _0 <- ([#"../checked_ops.rs" 63 35 69 1] ()); + [#"../checked_ops.rs" 63 35 69 1] _0 <- ([#"../checked_ops.rs" 63 35 69 1] [#"../checked_ops.rs" 63 35 69 1] ()); return _0 } BB14 { 
@@ -1131,9 +1181,12 @@ module CheckedOps_TestU8WrappingSub (8 : uint32) val wrapping_sub0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self - UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } let rec cfg test_u8_wrapping_sub [#"../checked_ops.rs" 74 0 74 47] [@cfg:stackify] [@cfg:subregion_analysis] (a : uint8) (b : uint8) : uint8 ensures { [#"../checked_ops.rs" 73 10 73 56] UInt8.to_int result = UInt8.to_int a - UInt8.to_int b \/ UInt8.to_int result = UInt8.to_int a - UInt8.to_int b + 256 } @@ -1181,7 +1234,8 @@ module CheckedOps_TestU8OverflowingSub use prelude.UInt8 val checked_sub0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = UInt8.to_int self - UInt8.to_int rhs } use prelude.UInt32 use int.EuclideanDivision 
@@ -1191,9 +1245,12 @@ module CheckedOps_TestU8OverflowingSub (8 : uint32) val wrapping_sub0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self - UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } predicate resolve2 (self : bool) = [#"../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true 
@@ -1212,9 +1269,12 @@ module CheckedOps_TestU8OverflowingSub val overflowing_sub0 (self : uint8) (rhs : uint8) : (uint8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] UInt8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (UInt8.to_int self - UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0) } let rec cfg test_u8_overflowing_sub [#"../checked_ops.rs" 79 0 79 44] [@cfg:stackify] [@cfg:subregion_analysis] (a : uint8) (b : uint8) : () @@ -1276,7 +1336,7 @@ module CheckedOps_TestU8OverflowingSub end } BB8 { - [#"../checked_ops.rs" 79 45 82 1] _0 <- ([#"../checked_ops.rs" 79 45 82 1] ()); + [#"../checked_ops.rs" 79 45 82 1] _0 <- ([#"../checked_ops.rs" 79 45 82 1] [#"../checked_ops.rs" 79 45 82 1] ()); return _0 } BB9 { 
@@ -1348,21 +1408,30 @@ module CheckedOps_TestU8MulExample use prelude.UInt8 val overflowing_mul0 (self : uint8) (rhs : uint8) : (uint8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] UInt8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (UInt8.to_int self * UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0) } val saturating_mul0 (self : uint8) (rhs : uint8) : uint8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 -> UInt8.to_int result = UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 + -> UInt8.to_int result = UInt8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int max0 } val wrapping_mul0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self * UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 
141 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option uint8) : bool 
@@ -1377,7 +1446,8 @@ module CheckedOps_TestU8MulExample val checked_mul0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = UInt8.to_int self * UInt8.to_int rhs } let rec cfg test_u8_mul_example [#"../checked_ops.rs" 85 0 85 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () @@ -1406,7 +1476,7 @@ module CheckedOps_TestU8MulExample goto BB0 } BB0 { - [#"../checked_ops.rs" 86 12 86 31] _4 <- ([#"../checked_ops.rs" 86 12 86 31] checked_mul0 (5 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 86 12 86 31] _4 <- ([#"../checked_ops.rs" 86 12 86 31] checked_mul0 ([#"../checked_ops.rs" 86 12 86 15] (5 : uint8)) ([#"../checked_ops.rs" 86 28 86 30] (10 : uint8))); goto BB1 } BB1 { @@ -1415,7 +1485,7 @@ module CheckedOps_TestU8MulExample goto BB2 } BB2 { - [#"../checked_ops.rs" 86 12 86 46] _2 <- ([#"../checked_ops.rs" 86 12 86 46] _3 = (50 : uint8)); + [#"../checked_ops.rs" 86 12 86 46] _2 <- ([#"../checked_ops.rs" 86 12 86 46] _3 = ([#"../checked_ops.rs" 86 44 86 46] (50 : uint8))); _3 <- any uint8; switch (_2) | False -> goto BB4 
@@ -1423,7 +1493,7 @@ module CheckedOps_TestU8MulExample end } BB3 { - [#"../checked_ops.rs" 87 12 87 32] _9 <- ([#"../checked_ops.rs" 87 12 87 32] checked_mul0 (50 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 87 12 87 32] _9 <- ([#"../checked_ops.rs" 87 12 87 32] checked_mul0 ([#"../checked_ops.rs" 87 12 87 16] (50 : uint8)) ([#"../checked_ops.rs" 87 29 87 31] (10 : uint8))); goto BB5 } BB4 { @@ -1441,7 +1511,7 @@ module CheckedOps_TestU8MulExample end } BB7 { - [#"../checked_ops.rs" 89 12 89 32] _13 <- ([#"../checked_ops.rs" 89 12 89 32] wrapping_mul0 (5 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 89 12 89 32] _13 <- ([#"../checked_ops.rs" 89 12 89 32] wrapping_mul0 ([#"../checked_ops.rs" 89 12 89 15] (5 : uint8)) ([#"../checked_ops.rs" 89 29 89 31] (10 : uint8))); goto BB9 } BB8 { @@ -1449,7 +1519,7 @@ module CheckedOps_TestU8MulExample absurd } BB9 { - [#"../checked_ops.rs" 89 12 89 38] _12 <- ([#"../checked_ops.rs" 89 12 89 38] _13 = (50 : uint8)); + [#"../checked_ops.rs" 89 12 89 38] _12 <- ([#"../checked_ops.rs" 89 12 89 38] _13 = ([#"../checked_ops.rs" 89 36 89 38] (50 : uint8))); _13 <- any uint8; switch (_12) | False -> goto BB11 @@ -1457,7 +1527,7 @@ module CheckedOps_TestU8MulExample end } BB10 { - [#"../checked_ops.rs" 90 12 90 33] _17 <- ([#"../checked_ops.rs" 90 12 90 33] wrapping_mul0 (50 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 90 12 90 33] _17 <- ([#"../checked_ops.rs" 90 12 90 33] wrapping_mul0 ([#"../checked_ops.rs" 90 12 90 16] (50 : uint8)) ([#"../checked_ops.rs" 90 30 90 32] (10 : uint8))); goto BB12 } BB11 { @@ -1465,7 +1535,7 @@ module CheckedOps_TestU8MulExample absurd } BB12 { - [#"../checked_ops.rs" 90 12 90 40] _16 <- ([#"../checked_ops.rs" 90 12 90 40] _17 = (244 : uint8)); + [#"../checked_ops.rs" 90 12 90 40] _16 <- ([#"../checked_ops.rs" 90 12 90 40] _17 = ([#"../checked_ops.rs" 90 37 90 40] (244 : uint8))); _17 <- any uint8; switch (_16) | False -> goto BB14 
@@ -1473,7 +1543,7 @@ module CheckedOps_TestU8MulExample end } BB13 { - [#"../checked_ops.rs" 92 12 92 34] _21 <- ([#"../checked_ops.rs" 92 12 92 34] saturating_mul0 (5 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 92 12 92 34] _21 <- ([#"../checked_ops.rs" 92 12 92 34] saturating_mul0 ([#"../checked_ops.rs" 92 12 92 15] (5 : uint8)) ([#"../checked_ops.rs" 92 31 92 33] (10 : uint8))); goto BB15 } BB14 { @@ -1481,7 +1551,7 @@ module CheckedOps_TestU8MulExample absurd } BB15 { - [#"../checked_ops.rs" 92 12 92 40] _20 <- ([#"../checked_ops.rs" 92 12 92 40] _21 = (50 : uint8)); + [#"../checked_ops.rs" 92 12 92 40] _20 <- ([#"../checked_ops.rs" 92 12 92 40] _21 = ([#"../checked_ops.rs" 92 38 92 40] (50 : uint8))); _21 <- any uint8; switch (_20) | False -> goto BB17 @@ -1489,7 +1559,7 @@ module CheckedOps_TestU8MulExample end } BB16 { - [#"../checked_ops.rs" 93 12 93 35] _25 <- ([#"../checked_ops.rs" 93 12 93 35] saturating_mul0 (50 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 93 12 93 35] _25 <- ([#"../checked_ops.rs" 93 12 93 35] saturating_mul0 ([#"../checked_ops.rs" 93 12 93 16] (50 : uint8)) ([#"../checked_ops.rs" 93 32 93 34] (10 : uint8))); goto BB18 } BB17 { @@ -1497,7 +1567,7 @@ module CheckedOps_TestU8MulExample absurd } BB18 { - [#"../checked_ops.rs" 93 12 93 42] _24 <- ([#"../checked_ops.rs" 93 12 93 42] _25 = (255 : uint8)); + [#"../checked_ops.rs" 93 12 93 42] _24 <- ([#"../checked_ops.rs" 93 12 93 42] _25 = ([#"../checked_ops.rs" 93 39 93 42] (255 : uint8))); _25 <- any uint8; switch (_24) | False -> goto BB20 @@ -1505,7 +1575,7 @@ module CheckedOps_TestU8MulExample end } BB19 { - [#"../checked_ops.rs" 95 14 95 37] res <- ([#"../checked_ops.rs" 95 14 95 37] overflowing_mul0 (5 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 95 14 95 37] res <- ([#"../checked_ops.rs" 95 14 95 37] overflowing_mul0 ([#"../checked_ops.rs" 95 14 95 17] (5 : uint8)) ([#"../checked_ops.rs" 95 34 95 36] (10 : uint8))); goto BB21 } BB20 { 
@@ -1513,7 +1583,7 @@ module CheckedOps_TestU8MulExample absurd } BB21 { - [#"../checked_ops.rs" 96 12 96 23] _29 <- ([#"../checked_ops.rs" 96 12 96 23] (let (a, _) = res in a) = (50 : uint8)); + [#"../checked_ops.rs" 96 12 96 23] _29 <- ([#"../checked_ops.rs" 96 12 96 23] (let (a, _) = res in a) = ([#"../checked_ops.rs" 96 21 96 23] (50 : uint8))); switch (_29) | False -> goto BB25 | True -> goto BB22 @@ -1521,14 +1591,14 @@ module CheckedOps_TestU8MulExample } BB22 { assume { resolve0 res }; - [#"../checked_ops.rs" 96 27 96 41] _31 <- ([#"../checked_ops.rs" 96 27 96 41] Bool.eqb (let (_, a) = res in a) false); + [#"../checked_ops.rs" 96 27 96 41] _31 <- ([#"../checked_ops.rs" 96 27 96 41] Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 96 36 96 41] false)); switch (_31) | False -> goto BB24 | True -> goto BB23 end } BB23 { - [#"../checked_ops.rs" 97 14 97 38] res1 <- ([#"../checked_ops.rs" 97 14 97 38] overflowing_mul0 (50 : uint8) (10 : uint8)); + [#"../checked_ops.rs" 97 14 97 38] res1 <- ([#"../checked_ops.rs" 97 14 97 38] overflowing_mul0 ([#"../checked_ops.rs" 97 14 97 18] (50 : uint8)) ([#"../checked_ops.rs" 97 35 97 37] (10 : uint8))); goto BB27 } BB24 { @@ -1543,7 +1613,7 @@ module CheckedOps_TestU8MulExample absurd } BB27 { - [#"../checked_ops.rs" 98 12 98 24] _36 <- ([#"../checked_ops.rs" 98 12 98 24] (let (a, _) = res1 in a) = (244 : uint8)); + [#"../checked_ops.rs" 98 12 98 24] _36 <- ([#"../checked_ops.rs" 98 12 98 24] (let (a, _) = res1 in a) = ([#"../checked_ops.rs" 98 21 98 24] (244 : uint8))); switch (_36) | False -> goto BB31 | True -> goto BB28 
@@ -1551,14 +1621,14 @@ module CheckedOps_TestU8MulExample } BB28 { assume { resolve0 res1 }; - [#"../checked_ops.rs" 98 28 98 41] _38 <- ([#"../checked_ops.rs" 98 28 98 41] Bool.eqb (let (_, a) = res1 in a) true); + [#"../checked_ops.rs" 98 28 98 41] _38 <- ([#"../checked_ops.rs" 98 28 98 41] Bool.eqb (let (_, a) = res1 in a) ([#"../checked_ops.rs" 98 37 98 41] true)); switch (_38) | False -> goto BB30 | True -> goto BB29 end } BB29 { - [#"../checked_ops.rs" 85 29 99 1] _0 <- ([#"../checked_ops.rs" 85 29 99 1] ()); + [#"../checked_ops.rs" 85 29 99 1] _0 <- ([#"../checked_ops.rs" 85 29 99 1] [#"../checked_ops.rs" 85 29 99 1] ()); return _0 } BB30 { 
@@ -1627,21 +1697,30 @@ module CheckedOps_TestU8MulZero use prelude.UInt8 val overflowing_mul0 (self : uint8) (rhs : uint8) : (uint8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] UInt8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (UInt8.to_int self * UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0) } val saturating_mul0 (self : uint8) (rhs : uint8) : uint8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 -> UInt8.to_int result = UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 + -> UInt8.to_int result = UInt8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int max0 } val wrapping_mul0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self * UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 
141 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } val unwrap0 (self : Core_Option_Option_Type.t_option uint8) : uint8 requires {[#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self <> Core_Option_Option_Type.C_None} 
@@ -1651,7 +1730,8 @@ module CheckedOps_TestU8MulZero val checked_mul0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = UInt8.to_int self * UInt8.to_int rhs } let rec cfg test_u8_mul_zero [#"../checked_ops.rs" 102 0 102 30] [@cfg:stackify] [@cfg:subregion_analysis] (a : uint8) : () @@ -1672,7 +1752,7 @@ module CheckedOps_TestU8MulZero goto BB0 } BB0 { - [#"../checked_ops.rs" 103 12 103 30] _5 <- ([#"../checked_ops.rs" 103 12 103 30] checked_mul0 (0 : uint8) a); + [#"../checked_ops.rs" 103 12 103 30] _5 <- ([#"../checked_ops.rs" 103 12 103 30] checked_mul0 ([#"../checked_ops.rs" 103 12 103 15] (0 : uint8)) a); goto BB1 } BB1 { @@ -1681,7 +1761,7 @@ module CheckedOps_TestU8MulZero goto BB2 } BB2 { - [#"../checked_ops.rs" 103 12 103 44] _3 <- ([#"../checked_ops.rs" 103 12 103 44] _4 = (0 : uint8)); + [#"../checked_ops.rs" 103 12 103 44] _3 <- ([#"../checked_ops.rs" 103 12 103 44] _4 = ([#"../checked_ops.rs" 103 43 103 44] (0 : uint8))); _4 <- any uint8; switch (_3) | False -> goto BB4 @@ -1689,7 +1769,7 @@ module CheckedOps_TestU8MulZero end } BB3 { - [#"../checked_ops.rs" 104 12 104 31] _10 <- ([#"../checked_ops.rs" 104 12 104 31] wrapping_mul0 (0 : uint8) a); + [#"../checked_ops.rs" 104 12 104 31] _10 <- ([#"../checked_ops.rs" 104 12 104 31] wrapping_mul0 ([#"../checked_ops.rs" 104 12 104 15] (0 : uint8)) a); goto BB5 } BB4 { 
@@ -1697,7 +1777,7 @@ module CheckedOps_TestU8MulZero absurd } BB5 { - [#"../checked_ops.rs" 104 12 104 36] _9 <- ([#"../checked_ops.rs" 104 12 104 36] _10 = (0 : uint8)); + [#"../checked_ops.rs" 104 12 104 36] _9 <- ([#"../checked_ops.rs" 104 12 104 36] _10 = ([#"../checked_ops.rs" 104 35 104 36] (0 : uint8))); _10 <- any uint8; switch (_9) | False -> goto BB7 @@ -1705,7 +1785,7 @@ module CheckedOps_TestU8MulZero end } BB6 { - [#"../checked_ops.rs" 105 12 105 33] _15 <- ([#"../checked_ops.rs" 105 12 105 33] saturating_mul0 (0 : uint8) a); + [#"../checked_ops.rs" 105 12 105 33] _15 <- ([#"../checked_ops.rs" 105 12 105 33] saturating_mul0 ([#"../checked_ops.rs" 105 12 105 15] (0 : uint8)) a); goto BB8 } BB7 { @@ -1713,7 +1793,7 @@ module CheckedOps_TestU8MulZero absurd } BB8 { - [#"../checked_ops.rs" 105 12 105 38] _14 <- ([#"../checked_ops.rs" 105 12 105 38] _15 = (0 : uint8)); + [#"../checked_ops.rs" 105 12 105 38] _14 <- ([#"../checked_ops.rs" 105 12 105 38] _15 = ([#"../checked_ops.rs" 105 37 105 38] (0 : uint8))); _15 <- any uint8; switch (_14) | False -> goto BB10 @@ -1721,7 +1801,7 @@ module CheckedOps_TestU8MulZero end } BB9 { - [#"../checked_ops.rs" 106 14 106 36] res <- ([#"../checked_ops.rs" 106 14 106 36] overflowing_mul0 (0 : uint8) a); + [#"../checked_ops.rs" 106 14 106 36] res <- ([#"../checked_ops.rs" 106 14 106 36] overflowing_mul0 ([#"../checked_ops.rs" 106 14 106 17] (0 : uint8)) a); goto BB11 } BB10 { @@ -1729,7 +1809,7 @@ module CheckedOps_TestU8MulZero absurd } BB11 { - [#"../checked_ops.rs" 107 12 107 22] _21 <- ([#"../checked_ops.rs" 107 12 107 22] (let (a, _) = res in a) = (0 : uint8)); + [#"../checked_ops.rs" 107 12 107 22] _21 <- ([#"../checked_ops.rs" 107 12 107 22] (let (a, _) = res in a) = ([#"../checked_ops.rs" 107 21 107 22] (0 : uint8))); switch (_21) | False -> goto BB15 | True -> goto BB12 
@@ -1737,14 +1817,14 @@ module CheckedOps_TestU8MulZero } BB12 { assume { resolve0 res }; - [#"../checked_ops.rs" 107 26 107 40] _23 <- ([#"../checked_ops.rs" 107 26 107 40] Bool.eqb (let (_, a) = res in a) false); + [#"../checked_ops.rs" 107 26 107 40] _23 <- ([#"../checked_ops.rs" 107 26 107 40] Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 107 35 107 40] false)); switch (_23) | False -> goto BB14 | True -> goto BB13 end } BB13 { - [#"../checked_ops.rs" 102 31 108 1] _0 <- ([#"../checked_ops.rs" 102 31 108 1] ()); + [#"../checked_ops.rs" 102 31 108 1] _0 <- ([#"../checked_ops.rs" 102 31 108 1] [#"../checked_ops.rs" 102 31 108 1] ()); return _0 } BB14 { @@ -1787,7 +1867,8 @@ module CheckedOps_TestU8OverflowingMul use prelude.UInt8 val checked_mul0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = UInt8.to_int self * UInt8.to_int rhs } use prelude.UInt32 use int.EuclideanDivision 
@@ -1797,9 +1878,12 @@ module CheckedOps_TestU8OverflowingMul (8 : uint32) val wrapping_mul0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self * UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } predicate resolve2 (self : bool) = [#"../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true 
@@ -1818,9 +1902,12 @@ module CheckedOps_TestU8OverflowingMul val overflowing_mul0 (self : uint8) (rhs : uint8) : (uint8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] UInt8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (UInt8.to_int self * UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0) } let rec cfg test_u8_overflowing_mul [#"../checked_ops.rs" 111 0 111 44] [@cfg:stackify] [@cfg:subregion_analysis] (a : uint8) (b : uint8) : () @@ -1882,7 +1969,7 @@ module CheckedOps_TestU8OverflowingMul end } BB8 { - [#"../checked_ops.rs" 111 45 114 1] _0 <- ([#"../checked_ops.rs" 111 45 114 1] ()); + [#"../checked_ops.rs" 111 45 114 1] _0 <- ([#"../checked_ops.rs" 111 45 114 1] [#"../checked_ops.rs" 111 45 114 1] ()); return _0 } BB9 { 
@@ -1946,18 +2033,21 @@ module CheckedOps_TestU8DivExample use prelude.UInt8 val overflowing_div0 (self : uint8) (rhs : uint8) : (uint8, bool) requires {[#"../../../../creusot-contracts/src/std/num.rs" 91 27 91 36] UInt8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 93 16 93 87] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 93 16 93 87] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 95 26 95 91] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 \/ UInt8.to_int (let (a, _) = result in a) = div (UInt8.to_int self) (UInt8.to_int rhs) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 97 26 97 74] (let (_, a) = result in a) = (UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1) } val saturating_div0 (self : uint8) (rhs : uint8) : uint8 requires {[#"../../../../creusot-contracts/src/std/num.rs" 82 27 82 36] UInt8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 84 16 84 91] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 -> UInt8.to_int result = UInt8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 84 16 84 91] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 + -> UInt8.to_int result = UInt8.to_int min0 } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 86 26 86 89] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 \/ UInt8.to_int result = div (UInt8.to_int self) (UInt8.to_int rhs) } val wrapping_div0 (self : uint8) (rhs : uint8) : uint8 requires {[#"../../../../creusot-contracts/src/std/num.rs" 73 27 73 36] UInt8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 75 16 75 85] 
UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 -> UInt8.to_int result = UInt8.to_int self } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 75 16 75 85] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 + -> UInt8.to_int result = UInt8.to_int self } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 77 26 77 89] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 \/ UInt8.to_int result = div (UInt8.to_int self) (UInt8.to_int rhs) } val unwrap0 (self : Core_Option_Option_Type.t_option uint8) : uint8 @@ -1973,7 +2063,8 @@ module CheckedOps_TestU8DivExample val checked_div0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 66 26 66 97] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int rhs = 0 \/ UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = div (UInt8.to_int self) (UInt8.to_int rhs) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = div (UInt8.to_int self) (UInt8.to_int rhs) } let rec cfg test_u8_div_example [#"../checked_ops.rs" 117 0 117 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () @@ -1995,7 +2086,7 @@ module CheckedOps_TestU8DivExample goto BB0 } BB0 { - [#"../checked_ops.rs" 118 12 118 30] _4 <- ([#"../checked_ops.rs" 118 12 118 30] checked_div0 (5 : uint8) (0 : uint8)); + [#"../checked_ops.rs" 118 12 118 30] _4 <- ([#"../checked_ops.rs" 118 12 118 30] checked_div0 ([#"../checked_ops.rs" 118 12 118 15] (5 : uint8)) ([#"../checked_ops.rs" 118 28 118 29] (0 : uint8))); goto BB1 } BB1 { 
@@ -2009,7 +2100,7 @@ module CheckedOps_TestU8DivExample end } BB3 { - [#"../checked_ops.rs" 119 12 119 30] _9 <- ([#"../checked_ops.rs" 119 12 119 30] checked_div0 (5 : uint8) (2 : uint8)); + [#"../checked_ops.rs" 119 12 119 30] _9 <- ([#"../checked_ops.rs" 119 12 119 30] checked_div0 ([#"../checked_ops.rs" 119 12 119 15] (5 : uint8)) ([#"../checked_ops.rs" 119 28 119 29] (2 : uint8))); goto BB5 } BB4 { @@ -2022,7 +2113,7 @@ module CheckedOps_TestU8DivExample goto BB6 } BB6 { - [#"../checked_ops.rs" 119 12 119 44] _7 <- ([#"../checked_ops.rs" 119 12 119 44] _8 = (2 : uint8)); + [#"../checked_ops.rs" 119 12 119 44] _7 <- ([#"../checked_ops.rs" 119 12 119 44] _8 = ([#"../checked_ops.rs" 119 43 119 44] (2 : uint8))); _8 <- any uint8; switch (_7) | False -> goto BB8 @@ -2030,7 +2121,7 @@ module CheckedOps_TestU8DivExample end } BB7 { - [#"../checked_ops.rs" 120 12 120 31] _13 <- ([#"../checked_ops.rs" 120 12 120 31] wrapping_div0 (5 : uint8) (2 : uint8)); + [#"../checked_ops.rs" 120 12 120 31] _13 <- ([#"../checked_ops.rs" 120 12 120 31] wrapping_div0 ([#"../checked_ops.rs" 120 12 120 15] (5 : uint8)) ([#"../checked_ops.rs" 120 29 120 30] (2 : uint8))); goto BB9 } BB8 { @@ -2038,7 +2129,7 @@ module CheckedOps_TestU8DivExample absurd } BB9 { - [#"../checked_ops.rs" 120 12 120 36] _12 <- ([#"../checked_ops.rs" 120 12 120 36] _13 = (2 : uint8)); + [#"../checked_ops.rs" 120 12 120 36] _12 <- ([#"../checked_ops.rs" 120 12 120 36] _13 = ([#"../checked_ops.rs" 120 35 120 36] (2 : uint8))); _13 <- any uint8; switch (_12) | False -> goto BB11 @@ -2046,7 +2137,7 @@ module CheckedOps_TestU8DivExample end } BB10 { - [#"../checked_ops.rs" 121 12 121 33] _17 <- ([#"../checked_ops.rs" 121 12 121 33] saturating_div0 (5 : uint8) (2 : uint8)); + [#"../checked_ops.rs" 121 12 121 33] _17 <- ([#"../checked_ops.rs" 121 12 121 33] saturating_div0 ([#"../checked_ops.rs" 121 12 121 15] (5 : uint8)) ([#"../checked_ops.rs" 121 31 121 32] (2 : uint8))); goto BB12 } BB11 { 
@@ -2054,7 +2145,7 @@ module CheckedOps_TestU8DivExample absurd } BB12 { - [#"../checked_ops.rs" 121 12 121 38] _16 <- ([#"../checked_ops.rs" 121 12 121 38] _17 = (2 : uint8)); + [#"../checked_ops.rs" 121 12 121 38] _16 <- ([#"../checked_ops.rs" 121 12 121 38] _17 = ([#"../checked_ops.rs" 121 37 121 38] (2 : uint8))); _17 <- any uint8; switch (_16) | False -> goto BB14 @@ -2062,7 +2153,7 @@ module CheckedOps_TestU8DivExample end } BB13 { - [#"../checked_ops.rs" 122 14 122 36] res <- ([#"../checked_ops.rs" 122 14 122 36] overflowing_div0 (5 : uint8) (2 : uint8)); + [#"../checked_ops.rs" 122 14 122 36] res <- ([#"../checked_ops.rs" 122 14 122 36] overflowing_div0 ([#"../checked_ops.rs" 122 14 122 17] (5 : uint8)) ([#"../checked_ops.rs" 122 34 122 35] (2 : uint8))); goto BB15 } BB14 { @@ -2070,7 +2161,7 @@ module CheckedOps_TestU8DivExample absurd } BB15 { - [#"../checked_ops.rs" 123 12 123 22] _21 <- ([#"../checked_ops.rs" 123 12 123 22] (let (a, _) = res in a) = (2 : uint8)); + [#"../checked_ops.rs" 123 12 123 22] _21 <- ([#"../checked_ops.rs" 123 12 123 22] (let (a, _) = res in a) = ([#"../checked_ops.rs" 123 21 123 22] (2 : uint8))); switch (_21) | False -> goto BB19 | True -> goto BB16 @@ -2078,14 +2169,14 @@ module CheckedOps_TestU8DivExample } BB16 { assume { resolve0 res }; - [#"../checked_ops.rs" 123 26 123 40] _23 <- ([#"../checked_ops.rs" 123 26 123 40] Bool.eqb (let (_, a) = res in a) false); + [#"../checked_ops.rs" 123 26 123 40] _23 <- ([#"../checked_ops.rs" 123 26 123 40] Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 123 35 123 40] false)); switch (_23) | False -> goto BB18 | True -> goto BB17 end } BB17 { - [#"../checked_ops.rs" 117 29 124 1] _0 <- ([#"../checked_ops.rs" 117 29 124 1] ()); + [#"../checked_ops.rs" 117 29 124 1] _0 <- ([#"../checked_ops.rs" 117 29 124 1] [#"../checked_ops.rs" 117 29 124 1] ()); return _0 } BB18 { 
@@ -2146,18 +2237,21 @@ module CheckedOps_TestU8DivNoOverflow (0 : uint8) val overflowing_div0 (self : uint8) (rhs : uint8) : (uint8, bool) requires {[#"../../../../creusot-contracts/src/std/num.rs" 91 27 91 36] UInt8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 93 16 93 87] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 93 16 93 87] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 95 26 95 91] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 \/ UInt8.to_int (let (a, _) = result in a) = div (UInt8.to_int self) (UInt8.to_int rhs) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 97 26 97 74] (let (_, a) = result in a) = (UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1) } val saturating_div0 (self : uint8) (rhs : uint8) : uint8 requires {[#"../../../../creusot-contracts/src/std/num.rs" 82 27 82 36] UInt8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 84 16 84 91] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 -> UInt8.to_int result = UInt8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 84 16 84 91] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 + -> UInt8.to_int result = UInt8.to_int min0 } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 86 26 86 89] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 \/ UInt8.to_int result = div (UInt8.to_int self) (UInt8.to_int rhs) } val wrapping_div0 (self : uint8) (rhs : uint8) : uint8 requires {[#"../../../../creusot-contracts/src/std/num.rs" 73 27 73 36] UInt8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 75 16 75 85] 
UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 -> UInt8.to_int result = UInt8.to_int self } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 75 16 75 85] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 + -> UInt8.to_int result = UInt8.to_int self } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 77 26 77 89] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 \/ UInt8.to_int result = div (UInt8.to_int self) (UInt8.to_int rhs) } val unwrap0 (self : Core_Option_Option_Type.t_option uint8) : uint8 @@ -2168,7 +2262,8 @@ module CheckedOps_TestU8DivNoOverflow val checked_div0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 66 26 66 97] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int rhs = 0 \/ UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = div (UInt8.to_int self) (UInt8.to_int rhs) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = div (UInt8.to_int self) (UInt8.to_int rhs) } let rec cfg test_u8_div_no_overflow [#"../checked_ops.rs" 128 0 128 44] [@cfg:stackify] [@cfg:subregion_analysis] (a : uint8) (b : uint8) : () requires {[#"../checked_ops.rs" 127 11 127 18] UInt8.to_int b <> 0} 
@@ -2213,7 +2308,7 @@ module CheckedOps_TestU8DivNoOverflow } BB2 { [#"../checked_ops.rs" 129 45 129 46] _12 <- ([#"../checked_ops.rs" 129 45 129 46] b); - [#"../checked_ops.rs" 129 41 129 46] _13 <- ([#"../checked_ops.rs" 129 41 129 46] _12 = (0 : uint8)); + [#"../checked_ops.rs" 129 41 129 46] _13 <- ([#"../checked_ops.rs" 129 41 129 46] _12 = ([#"../checked_ops.rs" 129 41 129 46] (0 : uint8))); assert { [@expl:division by zero] [#"../checked_ops.rs" 129 41 129 46] not _13 }; goto BB3 } @@ -2238,7 +2333,7 @@ module CheckedOps_TestU8DivNoOverflow } BB6 { [#"../checked_ops.rs" 130 37 130 38] _22 <- ([#"../checked_ops.rs" 130 37 130 38] b); - [#"../checked_ops.rs" 130 33 130 38] _23 <- ([#"../checked_ops.rs" 130 33 130 38] _22 = (0 : uint8)); + [#"../checked_ops.rs" 130 33 130 38] _23 <- ([#"../checked_ops.rs" 130 33 130 38] _22 = ([#"../checked_ops.rs" 130 33 130 38] (0 : uint8))); assert { [@expl:division by zero] [#"../checked_ops.rs" 130 33 130 38] not _23 }; goto BB7 } @@ -2263,7 +2358,7 @@ module CheckedOps_TestU8DivNoOverflow } BB10 { [#"../checked_ops.rs" 131 39 131 40] _32 <- ([#"../checked_ops.rs" 131 39 131 40] b); - [#"../checked_ops.rs" 131 35 131 40] _33 <- ([#"../checked_ops.rs" 131 35 131 40] _32 = (0 : uint8)); + [#"../checked_ops.rs" 131 35 131 40] _33 <- ([#"../checked_ops.rs" 131 35 131 40] _32 = ([#"../checked_ops.rs" 131 35 131 40] (0 : uint8))); assert { [@expl:division by zero] [#"../checked_ops.rs" 131 35 131 40] not _33 }; goto BB11 } @@ -2288,7 +2383,7 @@ module CheckedOps_TestU8DivNoOverflow } BB14 { [#"../checked_ops.rs" 133 25 133 26] _43 <- ([#"../checked_ops.rs" 133 25 133 26] b); - [#"../checked_ops.rs" 133 21 133 26] _44 <- ([#"../checked_ops.rs" 133 21 133 26] _43 = (0 : uint8)); + [#"../checked_ops.rs" 133 21 133 26] _44 <- ([#"../checked_ops.rs" 133 21 133 26] _43 = ([#"../checked_ops.rs" 133 21 133 26] (0 : uint8))); assert { [@expl:division by zero] [#"../checked_ops.rs" 133 21 133 26] not _44 }; goto BB15 } 
@@ -2304,14 +2399,14 @@ module CheckedOps_TestU8DivNoOverflow } BB16 { assume { resolve0 res }; - [#"../checked_ops.rs" 133 30 133 44] _45 <- ([#"../checked_ops.rs" 133 30 133 44] Bool.eqb (let (_, a) = res in a) false); + [#"../checked_ops.rs" 133 30 133 44] _45 <- ([#"../checked_ops.rs" 133 30 133 44] Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 133 39 133 44] false)); switch (_45) | False -> goto BB18 | True -> goto BB17 end } BB17 { - [#"../checked_ops.rs" 128 45 134 1] _0 <- ([#"../checked_ops.rs" 128 45 134 1] ()); + [#"../checked_ops.rs" 128 45 134 1] _0 <- ([#"../checked_ops.rs" 128 45 134 1] [#"../checked_ops.rs" 128 45 134 1] ()); return _0 } BB18 { @@ -2351,7 +2446,8 @@ module CheckedOps_TestU8DivZero use prelude.UInt8 val checked_div0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 66 26 66 97] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int rhs = 0 \/ UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = div (UInt8.to_int self) (UInt8.to_int rhs) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = div (UInt8.to_int self) (UInt8.to_int rhs) } let rec cfg test_u8_div_zero [#"../checked_ops.rs" 137 0 137 30] [@cfg:stackify] [@cfg:subregion_analysis] (a : uint8) : () @@ -2364,7 +2460,7 @@ module CheckedOps_TestU8DivZero goto BB0 } BB0 { - [#"../checked_ops.rs" 138 12 138 28] _5 <- ([#"../checked_ops.rs" 138 12 138 28] checked_div0 a (0 : uint8)); + [#"../checked_ops.rs" 138 12 138 28] _5 <- ([#"../checked_ops.rs" 138 12 138 28] checked_div0 a ([#"../checked_ops.rs" 138 26 138 27] (0 : uint8))); goto BB1 } BB1 { 
@@ -2378,7 +2474,7 @@ module CheckedOps_TestU8DivZero end } BB3 { - [#"../checked_ops.rs" 137 31 139 1] _0 <- ([#"../checked_ops.rs" 137 31 139 1] ()); + [#"../checked_ops.rs" 137 31 139 1] _0 <- ([#"../checked_ops.rs" 137 31 139 1] [#"../checked_ops.rs" 137 31 139 1] ()); return _0 } BB4 { 
@@ -2450,21 +2546,30 @@ module CheckedOps_TestI8AddExample use prelude.Int8 val overflowing_add0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self + Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self + Int8.to_int rhs > Int8.to_int max0) } val saturating_add0 (self : int8) (rhs : int8) : int8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> Int8.to_int result = Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> Int8.to_int result = Int8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> Int8.to_int result = Int8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> Int8.to_int result = Int8.to_int max0 } val wrapping_add0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self + Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int 
min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option int8) : bool 
@@ -2479,7 +2584,8 @@ module CheckedOps_TestI8AddExample val checked_add0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self + Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self + Int8.to_int rhs } let rec cfg test_i8_add_example [#"../checked_ops.rs" 142 0 142 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () @@ -2517,7 +2623,7 @@ module CheckedOps_TestI8AddExample goto BB0 } BB0 { - [#"../checked_ops.rs" 143 12 143 31] _4 <- ([#"../checked_ops.rs" 143 12 143 31] checked_add0 (5 : int8) (10 : int8)); + [#"../checked_ops.rs" 143 12 143 31] _4 <- ([#"../checked_ops.rs" 143 12 143 31] checked_add0 ([#"../checked_ops.rs" 143 12 143 15] (5 : int8)) ([#"../checked_ops.rs" 143 28 143 30] (10 : int8))); goto BB1 } BB1 { @@ -2526,7 +2632,7 @@ module CheckedOps_TestI8AddExample goto BB2 } BB2 { - [#"../checked_ops.rs" 143 12 143 46] _2 <- ([#"../checked_ops.rs" 143 12 143 46] _3 = (15 : int8)); + [#"../checked_ops.rs" 143 12 143 46] _2 <- ([#"../checked_ops.rs" 143 12 143 46] _3 = ([#"../checked_ops.rs" 143 44 143 46] (15 : int8))); _3 <- any int8; switch (_2) | False -> goto BB4 
@@ -2534,7 +2640,7 @@ module CheckedOps_TestI8AddExample end } BB3 { - [#"../checked_ops.rs" 144 12 144 33] _9 <- ([#"../checked_ops.rs" 144 12 144 33] checked_add0 (120 : int8) (10 : int8)); + [#"../checked_ops.rs" 144 12 144 33] _9 <- ([#"../checked_ops.rs" 144 12 144 33] checked_add0 ([#"../checked_ops.rs" 144 12 144 17] (120 : int8)) ([#"../checked_ops.rs" 144 30 144 32] (10 : int8))); goto BB5 } BB4 { @@ -2552,7 +2658,7 @@ module CheckedOps_TestI8AddExample end } BB7 { - [#"../checked_ops.rs" 145 12 145 37] _14 <- ([#"../checked_ops.rs" 145 12 145 37] checked_add0 (-120 : int8) (-10 : int8)); + [#"../checked_ops.rs" 145 12 145 37] _14 <- ([#"../checked_ops.rs" 145 12 145 37] checked_add0 ([#"../checked_ops.rs" 145 12 145 20] (-120 : int8)) ([#"../checked_ops.rs" 145 33 145 36] (-10 : int8))); goto BB9 } BB8 { @@ -2570,7 +2676,7 @@ module CheckedOps_TestI8AddExample end } BB11 { - [#"../checked_ops.rs" 147 12 147 32] _18 <- ([#"../checked_ops.rs" 147 12 147 32] wrapping_add0 (5 : int8) (10 : int8)); + [#"../checked_ops.rs" 147 12 147 32] _18 <- ([#"../checked_ops.rs" 147 12 147 32] wrapping_add0 ([#"../checked_ops.rs" 147 12 147 15] (5 : int8)) ([#"../checked_ops.rs" 147 29 147 31] (10 : int8))); goto BB13 } BB12 { @@ -2578,7 +2684,7 @@ module CheckedOps_TestI8AddExample absurd } BB13 { - [#"../checked_ops.rs" 147 12 147 38] _17 <- ([#"../checked_ops.rs" 147 12 147 38] _18 = (15 : int8)); + [#"../checked_ops.rs" 147 12 147 38] _17 <- ([#"../checked_ops.rs" 147 12 147 38] _18 = ([#"../checked_ops.rs" 147 36 147 38] (15 : int8))); _18 <- any int8; switch (_17) | False -> goto BB15 
@@ -2586,7 +2692,7 @@ module CheckedOps_TestI8AddExample end } BB14 { - [#"../checked_ops.rs" 148 12 148 34] _22 <- ([#"../checked_ops.rs" 148 12 148 34] wrapping_add0 (120 : int8) (10 : int8)); + [#"../checked_ops.rs" 148 12 148 34] _22 <- ([#"../checked_ops.rs" 148 12 148 34] wrapping_add0 ([#"../checked_ops.rs" 148 12 148 17] (120 : int8)) ([#"../checked_ops.rs" 148 31 148 33] (10 : int8))); goto BB16 } BB15 { @@ -2594,7 +2700,7 @@ module CheckedOps_TestI8AddExample absurd } BB16 { - [#"../checked_ops.rs" 148 12 148 42] _21 <- ([#"../checked_ops.rs" 148 12 148 42] _22 = (-126 : int8)); + [#"../checked_ops.rs" 148 12 148 42] _21 <- ([#"../checked_ops.rs" 148 12 148 42] _22 = ([#"../checked_ops.rs" 148 38 148 42] (-126 : int8))); _22 <- any int8; switch (_21) | False -> goto BB18 @@ -2602,7 +2708,7 @@ module CheckedOps_TestI8AddExample end } BB17 { - [#"../checked_ops.rs" 149 12 149 38] _26 <- ([#"../checked_ops.rs" 149 12 149 38] wrapping_add0 (-120 : int8) (-10 : int8)); + [#"../checked_ops.rs" 149 12 149 38] _26 <- ([#"../checked_ops.rs" 149 12 149 38] wrapping_add0 ([#"../checked_ops.rs" 149 12 149 20] (-120 : int8)) ([#"../checked_ops.rs" 149 34 149 37] (-10 : int8))); goto BB19 } BB18 { @@ -2610,7 +2716,7 @@ module CheckedOps_TestI8AddExample absurd } BB19 { - [#"../checked_ops.rs" 149 12 149 45] _25 <- ([#"../checked_ops.rs" 149 12 149 45] _26 = (126 : int8)); + [#"../checked_ops.rs" 149 12 149 45] _25 <- ([#"../checked_ops.rs" 149 12 149 45] _26 = ([#"../checked_ops.rs" 149 42 149 45] (126 : int8))); _26 <- any int8; switch (_25) | False -> goto BB21 
@@ -2618,7 +2724,7 @@ module CheckedOps_TestI8AddExample end } BB20 { - [#"../checked_ops.rs" 151 12 151 34] _30 <- ([#"../checked_ops.rs" 151 12 151 34] saturating_add0 (5 : int8) (10 : int8)); + [#"../checked_ops.rs" 151 12 151 34] _30 <- ([#"../checked_ops.rs" 151 12 151 34] saturating_add0 ([#"../checked_ops.rs" 151 12 151 15] (5 : int8)) ([#"../checked_ops.rs" 151 31 151 33] (10 : int8))); goto BB22 } BB21 { @@ -2626,7 +2732,7 @@ module CheckedOps_TestI8AddExample absurd } BB22 { - [#"../checked_ops.rs" 151 12 151 40] _29 <- ([#"../checked_ops.rs" 151 12 151 40] _30 = (15 : int8)); + [#"../checked_ops.rs" 151 12 151 40] _29 <- ([#"../checked_ops.rs" 151 12 151 40] _30 = ([#"../checked_ops.rs" 151 38 151 40] (15 : int8))); _30 <- any int8; switch (_29) | False -> goto BB24 @@ -2634,7 +2740,7 @@ module CheckedOps_TestI8AddExample end } BB23 { - [#"../checked_ops.rs" 152 12 152 36] _34 <- ([#"../checked_ops.rs" 152 12 152 36] saturating_add0 (120 : int8) (10 : int8)); + [#"../checked_ops.rs" 152 12 152 36] _34 <- ([#"../checked_ops.rs" 152 12 152 36] saturating_add0 ([#"../checked_ops.rs" 152 12 152 17] (120 : int8)) ([#"../checked_ops.rs" 152 33 152 35] (10 : int8))); goto BB25 } BB24 { @@ -2642,7 +2748,7 @@ module CheckedOps_TestI8AddExample absurd } BB25 { - [#"../checked_ops.rs" 152 12 152 43] _33 <- ([#"../checked_ops.rs" 152 12 152 43] _34 = (127 : int8)); + [#"../checked_ops.rs" 152 12 152 43] _33 <- ([#"../checked_ops.rs" 152 12 152 43] _34 = ([#"../checked_ops.rs" 152 40 152 43] (127 : int8))); _34 <- any int8; switch (_33) | False -> goto BB27 
@@ -2650,7 +2756,7 @@ module CheckedOps_TestI8AddExample end } BB26 { - [#"../checked_ops.rs" 153 12 153 40] _38 <- ([#"../checked_ops.rs" 153 12 153 40] saturating_add0 (-120 : int8) (-10 : int8)); + [#"../checked_ops.rs" 153 12 153 40] _38 <- ([#"../checked_ops.rs" 153 12 153 40] saturating_add0 ([#"../checked_ops.rs" 153 12 153 20] (-120 : int8)) ([#"../checked_ops.rs" 153 36 153 39] (-10 : int8))); goto BB28 } BB27 { @@ -2658,7 +2764,7 @@ module CheckedOps_TestI8AddExample absurd } BB28 { - [#"../checked_ops.rs" 153 12 153 48] _37 <- ([#"../checked_ops.rs" 153 12 153 48] _38 = (-128 : int8)); + [#"../checked_ops.rs" 153 12 153 48] _37 <- ([#"../checked_ops.rs" 153 12 153 48] _38 = ([#"../checked_ops.rs" 153 44 153 48] (-128 : int8))); _38 <- any int8; switch (_37) | False -> goto BB30 @@ -2666,7 +2772,7 @@ module CheckedOps_TestI8AddExample end } BB29 { - [#"../checked_ops.rs" 155 14 155 37] res <- ([#"../checked_ops.rs" 155 14 155 37] overflowing_add0 (5 : int8) (10 : int8)); + [#"../checked_ops.rs" 155 14 155 37] res <- ([#"../checked_ops.rs" 155 14 155 37] overflowing_add0 ([#"../checked_ops.rs" 155 14 155 17] (5 : int8)) ([#"../checked_ops.rs" 155 34 155 36] (10 : int8))); goto BB31 } BB30 { @@ -2674,7 +2780,7 @@ module CheckedOps_TestI8AddExample absurd } BB31 { - [#"../checked_ops.rs" 156 12 156 23] _42 <- ([#"../checked_ops.rs" 156 12 156 23] (let (a, _) = res in a) = (15 : int8)); + [#"../checked_ops.rs" 156 12 156 23] _42 <- ([#"../checked_ops.rs" 156 12 156 23] (let (a, _) = res in a) = ([#"../checked_ops.rs" 156 21 156 23] (15 : int8))); switch (_42) | False -> goto BB35 | True -> goto BB32 
@@ -2682,14 +2788,14 @@ module CheckedOps_TestI8AddExample } BB32 { assume { resolve0 res }; - [#"../checked_ops.rs" 156 27 156 41] _44 <- ([#"../checked_ops.rs" 156 27 156 41] Bool.eqb (let (_, a) = res in a) false); + [#"../checked_ops.rs" 156 27 156 41] _44 <- ([#"../checked_ops.rs" 156 27 156 41] Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 156 36 156 41] false)); switch (_44) | False -> goto BB34 | True -> goto BB33 end } BB33 { - [#"../checked_ops.rs" 157 14 157 39] res1 <- ([#"../checked_ops.rs" 157 14 157 39] overflowing_add0 (120 : int8) (10 : int8)); + [#"../checked_ops.rs" 157 14 157 39] res1 <- ([#"../checked_ops.rs" 157 14 157 39] overflowing_add0 ([#"../checked_ops.rs" 157 14 157 19] (120 : int8)) ([#"../checked_ops.rs" 157 36 157 38] (10 : int8))); goto BB37 } BB34 { @@ -2704,7 +2810,7 @@ module CheckedOps_TestI8AddExample absurd } BB37 { - [#"../checked_ops.rs" 158 12 158 25] _49 <- ([#"../checked_ops.rs" 158 12 158 25] (let (a, _) = res1 in a) = (-126 : int8)); + [#"../checked_ops.rs" 158 12 158 25] _49 <- ([#"../checked_ops.rs" 158 12 158 25] (let (a, _) = res1 in a) = ([#"../checked_ops.rs" 158 21 158 25] (-126 : int8))); switch (_49) | False -> goto BB41 | True -> goto BB38 
@@ -2712,14 +2818,14 @@ module CheckedOps_TestI8AddExample } BB38 { assume { resolve0 res1 }; - [#"../checked_ops.rs" 158 29 158 42] _51 <- ([#"../checked_ops.rs" 158 29 158 42] Bool.eqb (let (_, a) = res1 in a) true); + [#"../checked_ops.rs" 158 29 158 42] _51 <- ([#"../checked_ops.rs" 158 29 158 42] Bool.eqb (let (_, a) = res1 in a) ([#"../checked_ops.rs" 158 38 158 42] true)); switch (_51) | False -> goto BB40 | True -> goto BB39 end } BB39 { - [#"../checked_ops.rs" 159 14 159 43] res2 <- ([#"../checked_ops.rs" 159 14 159 43] overflowing_add0 (-120 : int8) (-10 : int8)); + [#"../checked_ops.rs" 159 14 159 43] res2 <- ([#"../checked_ops.rs" 159 14 159 43] overflowing_add0 ([#"../checked_ops.rs" 159 14 159 22] (-120 : int8)) ([#"../checked_ops.rs" 159 39 159 42] (-10 : int8))); goto BB43 } BB40 { @@ -2734,7 +2840,7 @@ module CheckedOps_TestI8AddExample absurd } BB43 { - [#"../checked_ops.rs" 160 12 160 24] _56 <- ([#"../checked_ops.rs" 160 12 160 24] (let (a, _) = res2 in a) = (126 : int8)); + [#"../checked_ops.rs" 160 12 160 24] _56 <- ([#"../checked_ops.rs" 160 12 160 24] (let (a, _) = res2 in a) = ([#"../checked_ops.rs" 160 21 160 24] (126 : int8))); switch (_56) | False -> goto BB47 | True -> goto BB44 @@ -2742,14 +2848,14 @@ module CheckedOps_TestI8AddExample } BB44 { assume { resolve0 res2 }; - [#"../checked_ops.rs" 160 28 160 41] _58 <- ([#"../checked_ops.rs" 160 28 160 41] Bool.eqb (let (_, a) = res2 in a) true); + [#"../checked_ops.rs" 160 28 160 41] _58 <- ([#"../checked_ops.rs" 160 28 160 41] Bool.eqb (let (_, a) = res2 in a) ([#"../checked_ops.rs" 160 37 160 41] true)); switch (_58) | False -> goto BB46 | True -> goto BB45 end } BB45 { - [#"../checked_ops.rs" 142 29 161 1] _0 <- ([#"../checked_ops.rs" 142 29 161 1] ()); + [#"../checked_ops.rs" 142 29 161 1] _0 <- ([#"../checked_ops.rs" 142 29 161 1] [#"../checked_ops.rs" 142 29 161 1] ()); return _0 } BB46 { 
@@ -2808,21 +2914,30 @@ module CheckedOps_TestI8AddOverflowPos (8 : uint32) val overflowing_add0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self + Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self + Int8.to_int rhs > Int8.to_int max0) } val saturating_add0 (self : int8) (rhs : int8) : int8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> Int8.to_int result = Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> Int8.to_int result = Int8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> Int8.to_int result = Int8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> Int8.to_int result = Int8.to_int max0 } val wrapping_add0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self + Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int 
min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option int8) : bool 
@@ -2831,7 +2946,8 @@ module CheckedOps_TestI8AddOverflowPos val checked_add0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self + Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self + Int8.to_int rhs } let rec cfg test_i8_add_overflow_pos [#"../checked_ops.rs" 165 0 165 38] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) : () requires {[#"../checked_ops.rs" 164 11 164 17] Int8.to_int a > 0} @@ -2856,7 +2972,7 @@ module CheckedOps_TestI8AddOverflowPos goto BB0 } BB0 { - [#"../checked_ops.rs" 166 12 166 32] _6 <- ([#"../checked_ops.rs" 166 12 166 32] checked_add0 (127 : int8) a); + [#"../checked_ops.rs" 166 12 166 32] _6 <- ([#"../checked_ops.rs" 166 12 166 32] checked_add0 ([#"../checked_ops.rs" 166 12 166 17] (127 : int8)) a); goto BB1 } BB1 { @@ -2870,7 +2986,7 @@ module CheckedOps_TestI8AddOverflowPos end } BB3 { - [#"../checked_ops.rs" 167 12 167 33] _11 <- ([#"../checked_ops.rs" 167 12 167 33] wrapping_add0 (127 : int8) a); + [#"../checked_ops.rs" 167 12 167 33] _11 <- ([#"../checked_ops.rs" 167 12 167 33] wrapping_add0 ([#"../checked_ops.rs" 167 12 167 17] (127 : int8)) a); goto BB5 } BB4 { 
@@ -2878,8 +2994,8 @@ module CheckedOps_TestI8AddOverflowPos absurd } BB5 { - [#"../checked_ops.rs" 167 37 167 44] _14 <- ([#"../checked_ops.rs" 167 37 167 44] a - (127 : int8)); - [#"../checked_ops.rs" 167 37 167 48] _13 <- ([#"../checked_ops.rs" 167 37 167 48] _14 - (2 : int8)); + [#"../checked_ops.rs" 167 37 167 44] _14 <- ([#"../checked_ops.rs" 167 37 167 44] a - ([#"../checked_ops.rs" 167 41 167 44] (127 : int8))); + [#"../checked_ops.rs" 167 37 167 48] _13 <- ([#"../checked_ops.rs" 167 37 167 48] _14 - ([#"../checked_ops.rs" 167 47 167 48] (2 : int8))); _14 <- any int8; [#"../checked_ops.rs" 167 12 167 48] _10 <- ([#"../checked_ops.rs" 167 12 167 48] _11 = _13); _11 <- any int8; @@ -2890,7 +3006,7 @@ module CheckedOps_TestI8AddOverflowPos end } BB6 { - [#"../checked_ops.rs" 168 12 168 35] _19 <- ([#"../checked_ops.rs" 168 12 168 35] saturating_add0 (127 : int8) a); + [#"../checked_ops.rs" 168 12 168 35] _19 <- ([#"../checked_ops.rs" 168 12 168 35] saturating_add0 ([#"../checked_ops.rs" 168 12 168 17] (127 : int8)) a); goto BB8 } BB7 { @@ -2898,7 +3014,7 @@ module CheckedOps_TestI8AddOverflowPos absurd } BB8 { - [#"../checked_ops.rs" 168 12 168 42] _18 <- ([#"../checked_ops.rs" 168 12 168 42] _19 = (127 : int8)); + [#"../checked_ops.rs" 168 12 168 42] _18 <- ([#"../checked_ops.rs" 168 12 168 42] _19 = ([#"../checked_ops.rs" 168 39 168 42] (127 : int8))); _19 <- any int8; switch (_18) | False -> goto BB10 @@ -2906,7 +3022,7 @@ module CheckedOps_TestI8AddOverflowPos end } BB9 { - [#"../checked_ops.rs" 169 14 169 38] res <- ([#"../checked_ops.rs" 169 14 169 38] overflowing_add0 (127 : int8) a); + [#"../checked_ops.rs" 169 14 169 38] res <- ([#"../checked_ops.rs" 169 14 169 38] overflowing_add0 ([#"../checked_ops.rs" 169 14 169 19] (127 : int8)) a); goto BB11 } BB10 { 
@@ -2914,8 +3030,8 @@ module CheckedOps_TestI8AddOverflowPos absurd } BB11 { - [#"../checked_ops.rs" 170 21 170 28] _28 <- ([#"../checked_ops.rs" 170 21 170 28] a - (127 : int8)); - [#"../checked_ops.rs" 170 21 170 32] _27 <- ([#"../checked_ops.rs" 170 21 170 32] _28 - (2 : int8)); + [#"../checked_ops.rs" 170 21 170 28] _28 <- ([#"../checked_ops.rs" 170 21 170 28] a - ([#"../checked_ops.rs" 170 25 170 28] (127 : int8))); + [#"../checked_ops.rs" 170 21 170 32] _27 <- ([#"../checked_ops.rs" 170 21 170 32] _28 - ([#"../checked_ops.rs" 170 31 170 32] (2 : int8))); _28 <- any int8; [#"../checked_ops.rs" 170 12 170 32] _25 <- ([#"../checked_ops.rs" 170 12 170 32] (let (a, _) = res in a) = _27); _27 <- any int8; @@ -2926,14 +3042,14 @@ module CheckedOps_TestI8AddOverflowPos } BB12 { assume { resolve0 res }; - [#"../checked_ops.rs" 170 36 170 49] _30 <- ([#"../checked_ops.rs" 170 36 170 49] Bool.eqb (let (_, a) = res in a) true); + [#"../checked_ops.rs" 170 36 170 49] _30 <- ([#"../checked_ops.rs" 170 36 170 49] Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 170 45 170 49] true)); switch (_30) | False -> goto BB14 | True -> goto BB13 end } BB13 { - [#"../checked_ops.rs" 165 39 171 1] _0 <- ([#"../checked_ops.rs" 165 39 171 1] ()); + [#"../checked_ops.rs" 165 39 171 1] _0 <- ([#"../checked_ops.rs" 165 39 171 1] [#"../checked_ops.rs" 165 39 171 1] ()); return _0 } BB14 { 
@@ -2992,21 +3108,30 @@ module CheckedOps_TestI8AddOverflowNeg (8 : uint32) val overflowing_add0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self + Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self + Int8.to_int rhs > Int8.to_int max0) } val saturating_add0 (self : int8) (rhs : int8) : int8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> Int8.to_int result = Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> Int8.to_int result = Int8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> Int8.to_int result = Int8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> Int8.to_int result = Int8.to_int max0 } val wrapping_add0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self + Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int 
min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option int8) : bool 
@@ -3015,7 +3140,8 @@ module CheckedOps_TestI8AddOverflowNeg val checked_add0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self + Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self + Int8.to_int rhs } let rec cfg test_i8_add_overflow_neg [#"../checked_ops.rs" 175 0 175 38] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) : () requires {[#"../checked_ops.rs" 174 11 174 17] Int8.to_int a < 0} @@ -3040,7 +3166,7 @@ module CheckedOps_TestI8AddOverflowNeg goto BB0 } BB0 { - [#"../checked_ops.rs" 176 12 176 35] _6 <- ([#"../checked_ops.rs" 176 12 176 35] checked_add0 (-128 : int8) a); + [#"../checked_ops.rs" 176 12 176 35] _6 <- ([#"../checked_ops.rs" 176 12 176 35] checked_add0 ([#"../checked_ops.rs" 176 12 176 20] (-128 : int8)) a); goto BB1 } BB1 { @@ -3054,7 +3180,7 @@ module CheckedOps_TestI8AddOverflowNeg end } BB3 { - [#"../checked_ops.rs" 177 12 177 36] _11 <- ([#"../checked_ops.rs" 177 12 177 36] wrapping_add0 (-128 : int8) a); + [#"../checked_ops.rs" 177 12 177 36] _11 <- ([#"../checked_ops.rs" 177 12 177 36] wrapping_add0 ([#"../checked_ops.rs" 177 12 177 20] (-128 : int8)) a); goto BB5 } BB4 { 
@@ -3062,8 +3188,8 @@ module CheckedOps_TestI8AddOverflowNeg absurd } BB5 { - [#"../checked_ops.rs" 177 40 177 47] _14 <- ([#"../checked_ops.rs" 177 40 177 47] a + (127 : int8)); - [#"../checked_ops.rs" 177 40 177 51] _13 <- ([#"../checked_ops.rs" 177 40 177 51] _14 + (1 : int8)); + [#"../checked_ops.rs" 177 40 177 47] _14 <- ([#"../checked_ops.rs" 177 40 177 47] a + ([#"../checked_ops.rs" 177 44 177 47] (127 : int8))); + [#"../checked_ops.rs" 177 40 177 51] _13 <- ([#"../checked_ops.rs" 177 40 177 51] _14 + ([#"../checked_ops.rs" 177 50 177 51] (1 : int8))); _14 <- any int8; [#"../checked_ops.rs" 177 12 177 51] _10 <- ([#"../checked_ops.rs" 177 12 177 51] _11 = _13); _11 <- any int8; @@ -3074,7 +3200,7 @@ module CheckedOps_TestI8AddOverflowNeg end } BB6 { - [#"../checked_ops.rs" 178 12 178 38] _19 <- ([#"../checked_ops.rs" 178 12 178 38] saturating_add0 (-128 : int8) a); + [#"../checked_ops.rs" 178 12 178 38] _19 <- ([#"../checked_ops.rs" 178 12 178 38] saturating_add0 ([#"../checked_ops.rs" 178 12 178 20] (-128 : int8)) a); goto BB8 } BB7 { @@ -3082,7 +3208,7 @@ module CheckedOps_TestI8AddOverflowNeg absurd } BB8 { - [#"../checked_ops.rs" 178 12 178 46] _18 <- ([#"../checked_ops.rs" 178 12 178 46] _19 = (-128 : int8)); + [#"../checked_ops.rs" 178 12 178 46] _18 <- ([#"../checked_ops.rs" 178 12 178 46] _19 = ([#"../checked_ops.rs" 178 42 178 46] (-128 : int8))); _19 <- any int8; switch (_18) | False -> goto BB10 @@ -3090,7 +3216,7 @@ module CheckedOps_TestI8AddOverflowNeg end } BB9 { - [#"../checked_ops.rs" 179 14 179 41] res <- ([#"../checked_ops.rs" 179 14 179 41] overflowing_add0 (-128 : int8) a); + [#"../checked_ops.rs" 179 14 179 41] res <- ([#"../checked_ops.rs" 179 14 179 41] overflowing_add0 ([#"../checked_ops.rs" 179 14 179 22] (-128 : int8)) a); goto BB11 } BB10 { 
@@ -3098,8 +3224,8 @@ module CheckedOps_TestI8AddOverflowNeg absurd } BB11 { - [#"../checked_ops.rs" 180 21 180 28] _28 <- ([#"../checked_ops.rs" 180 21 180 28] a + (127 : int8)); - [#"../checked_ops.rs" 180 21 180 32] _27 <- ([#"../checked_ops.rs" 180 21 180 32] _28 + (1 : int8)); + [#"../checked_ops.rs" 180 21 180 28] _28 <- ([#"../checked_ops.rs" 180 21 180 28] a + ([#"../checked_ops.rs" 180 25 180 28] (127 : int8))); + [#"../checked_ops.rs" 180 21 180 32] _27 <- ([#"../checked_ops.rs" 180 21 180 32] _28 + ([#"../checked_ops.rs" 180 31 180 32] (1 : int8))); _28 <- any int8; [#"../checked_ops.rs" 180 12 180 32] _25 <- ([#"../checked_ops.rs" 180 12 180 32] (let (a, _) = res in a) = _27); _27 <- any int8; @@ -3110,14 +3236,14 @@ module CheckedOps_TestI8AddOverflowNeg } BB12 { assume { resolve0 res }; - [#"../checked_ops.rs" 180 36 180 49] _30 <- ([#"../checked_ops.rs" 180 36 180 49] Bool.eqb (let (_, a) = res in a) true); + [#"../checked_ops.rs" 180 36 180 49] _30 <- ([#"../checked_ops.rs" 180 36 180 49] Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 180 45 180 49] true)); switch (_30) | False -> goto BB14 | True -> goto BB13 end } BB13 { - [#"../checked_ops.rs" 175 39 181 1] _0 <- ([#"../checked_ops.rs" 175 39 181 1] ()); + [#"../checked_ops.rs" 175 39 181 1] _0 <- ([#"../checked_ops.rs" 175 39 181 1] [#"../checked_ops.rs" 175 39 181 1] ()); return _0 } BB14 { 
@@ -3149,9 +3275,12 @@ module CheckedOps_TestI8WrappingAdd (8 : uint32) val wrapping_add0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self + Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } let rec cfg test_i8_wrapping_add [#"../checked_ops.rs" 186 0 186 47] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) (b : int8) : int8 ensures { [#"../checked_ops.rs" 185 10 185 84] Int8.to_int result = Int8.to_int a + Int8.to_int b \/ Int8.to_int result = Int8.to_int a + Int8.to_int b - 256 \/ Int8.to_int result = Int8.to_int a + Int8.to_int b + 256 } @@ -3199,7 +3328,8 @@ module CheckedOps_TestI8OverflowingAdd use prelude.Int8 val checked_add0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self + Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self + Int8.to_int rhs } use prelude.UInt32 use int.EuclideanDivision 
@@ -3209,9 +3339,12 @@ module CheckedOps_TestI8OverflowingAdd (8 : uint32) val wrapping_add0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self + Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } predicate resolve2 (self : bool) = [#"../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true 
@@ -3230,9 +3363,12 @@ module CheckedOps_TestI8OverflowingAdd val overflowing_add0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self + Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self + Int8.to_int rhs > Int8.to_int max0) } let rec cfg test_i8_overflowing_add [#"../checked_ops.rs" 191 0 191 44] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) (b : int8) : () @@ -3294,7 +3430,7 @@ module CheckedOps_TestI8OverflowingAdd end } BB8 { - [#"../checked_ops.rs" 191 45 194 1] _0 <- ([#"../checked_ops.rs" 191 45 194 1] ()); + [#"../checked_ops.rs" 191 45 194 1] _0 <- ([#"../checked_ops.rs" 191 45 194 1] [#"../checked_ops.rs" 191 45 194 1] ()); return _0 } BB9 { 
@@ -3366,21 +3502,30 @@ module CheckedOps_TestI8SubExample use prelude.Int8 val overflowing_sub0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self - Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self - Int8.to_int rhs > Int8.to_int max0) } val saturating_sub0 (self : int8) (rhs : int8) : int8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> Int8.to_int result = Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> Int8.to_int result = Int8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> Int8.to_int result = Int8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> Int8.to_int result = Int8.to_int max0 } val wrapping_sub0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self - Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int 
min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option int8) : bool 
@@ -3395,7 +3540,8 @@ module CheckedOps_TestI8SubExample val checked_sub0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self - Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self - Int8.to_int rhs } let rec cfg test_i8_sub_example [#"../checked_ops.rs" 197 0 197 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () @@ -3434,7 +3580,7 @@ module CheckedOps_TestI8SubExample goto BB0 } BB0 { - [#"../checked_ops.rs" 198 12 198 31] _4 <- ([#"../checked_ops.rs" 198 12 198 31] checked_sub0 (5 : int8) (10 : int8)); + [#"../checked_ops.rs" 198 12 198 31] _4 <- ([#"../checked_ops.rs" 198 12 198 31] checked_sub0 ([#"../checked_ops.rs" 198 12 198 15] (5 : int8)) ([#"../checked_ops.rs" 198 28 198 30] (10 : int8))); goto BB1 } BB1 { @@ -3443,7 +3589,7 @@ module CheckedOps_TestI8SubExample goto BB2 } BB2 { - [#"../checked_ops.rs" 198 12 198 46] _2 <- ([#"../checked_ops.rs" 198 12 198 46] _3 = (-5 : int8)); + [#"../checked_ops.rs" 198 12 198 46] _2 <- ([#"../checked_ops.rs" 198 12 198 46] _3 = ([#"../checked_ops.rs" 198 44 198 46] (-5 : int8))); _3 <- any int8; switch (_2) | False -> goto BB4 
@@ -3451,7 +3597,7 @@ module CheckedOps_TestI8SubExample end } BB3 { - [#"../checked_ops.rs" 199 12 199 33] _9 <- ([#"../checked_ops.rs" 199 12 199 33] checked_sub0 (120 : int8) (10 : int8)); + [#"../checked_ops.rs" 199 12 199 33] _9 <- ([#"../checked_ops.rs" 199 12 199 33] checked_sub0 ([#"../checked_ops.rs" 199 12 199 17] (120 : int8)) ([#"../checked_ops.rs" 199 30 199 32] (10 : int8))); goto BB5 } BB4 { @@ -3464,7 +3610,7 @@ module CheckedOps_TestI8SubExample goto BB6 } BB6 { - [#"../checked_ops.rs" 199 12 199 49] _7 <- ([#"../checked_ops.rs" 199 12 199 49] _8 = (110 : int8)); + [#"../checked_ops.rs" 199 12 199 49] _7 <- ([#"../checked_ops.rs" 199 12 199 49] _8 = ([#"../checked_ops.rs" 199 46 199 49] (110 : int8))); _8 <- any int8; switch (_7) | False -> goto BB8 @@ -3472,7 +3618,7 @@ module CheckedOps_TestI8SubExample end } BB7 { - [#"../checked_ops.rs" 200 12 200 36] _14 <- ([#"../checked_ops.rs" 200 12 200 36] checked_sub0 (-120 : int8) (10 : int8)); + [#"../checked_ops.rs" 200 12 200 36] _14 <- ([#"../checked_ops.rs" 200 12 200 36] checked_sub0 ([#"../checked_ops.rs" 200 12 200 20] (-120 : int8)) ([#"../checked_ops.rs" 200 33 200 35] (10 : int8))); goto BB9 } BB8 { @@ -3490,7 +3636,7 @@ module CheckedOps_TestI8SubExample end } BB11 { - [#"../checked_ops.rs" 202 12 202 32] _18 <- ([#"../checked_ops.rs" 202 12 202 32] wrapping_sub0 (5 : int8) (10 : int8)); + [#"../checked_ops.rs" 202 12 202 32] _18 <- ([#"../checked_ops.rs" 202 12 202 32] wrapping_sub0 ([#"../checked_ops.rs" 202 12 202 15] (5 : int8)) ([#"../checked_ops.rs" 202 29 202 31] (10 : int8))); goto BB13 } BB12 { @@ -3498,7 +3644,7 @@ module CheckedOps_TestI8SubExample absurd } BB13 { - [#"../checked_ops.rs" 202 12 202 38] _17 <- ([#"../checked_ops.rs" 202 12 202 38] _18 = (-5 : int8)); + [#"../checked_ops.rs" 202 12 202 38] _17 <- ([#"../checked_ops.rs" 202 12 202 38] _18 = ([#"../checked_ops.rs" 202 36 202 38] (-5 : int8))); _18 <- any int8; switch (_17) | False -> goto BB15 
@@ -3506,7 +3652,7 @@ module CheckedOps_TestI8SubExample end } BB14 { - [#"../checked_ops.rs" 203 12 203 34] _22 <- ([#"../checked_ops.rs" 203 12 203 34] wrapping_sub0 (120 : int8) (10 : int8)); + [#"../checked_ops.rs" 203 12 203 34] _22 <- ([#"../checked_ops.rs" 203 12 203 34] wrapping_sub0 ([#"../checked_ops.rs" 203 12 203 17] (120 : int8)) ([#"../checked_ops.rs" 203 31 203 33] (10 : int8))); goto BB16 } BB15 { @@ -3514,7 +3660,7 @@ module CheckedOps_TestI8SubExample absurd } BB16 { - [#"../checked_ops.rs" 203 12 203 41] _21 <- ([#"../checked_ops.rs" 203 12 203 41] _22 = (110 : int8)); + [#"../checked_ops.rs" 203 12 203 41] _21 <- ([#"../checked_ops.rs" 203 12 203 41] _22 = ([#"../checked_ops.rs" 203 38 203 41] (110 : int8))); _22 <- any int8; switch (_21) | False -> goto BB18 @@ -3522,7 +3668,7 @@ module CheckedOps_TestI8SubExample end } BB17 { - [#"../checked_ops.rs" 204 12 204 37] _26 <- ([#"../checked_ops.rs" 204 12 204 37] wrapping_sub0 (-120 : int8) (10 : int8)); + [#"../checked_ops.rs" 204 12 204 37] _26 <- ([#"../checked_ops.rs" 204 12 204 37] wrapping_sub0 ([#"../checked_ops.rs" 204 12 204 20] (-120 : int8)) ([#"../checked_ops.rs" 204 34 204 36] (10 : int8))); goto BB19 } BB18 { @@ -3530,7 +3676,7 @@ module CheckedOps_TestI8SubExample absurd } BB19 { - [#"../checked_ops.rs" 204 12 204 44] _25 <- ([#"../checked_ops.rs" 204 12 204 44] _26 = (126 : int8)); + [#"../checked_ops.rs" 204 12 204 44] _25 <- ([#"../checked_ops.rs" 204 12 204 44] _26 = ([#"../checked_ops.rs" 204 41 204 44] (126 : int8))); _26 <- any int8; switch (_25) | False -> goto BB21 @@ -3538,7 +3684,7 @@ module CheckedOps_TestI8SubExample end } BB20 { - [#"../checked_ops.rs" 206 12 206 34] _30 <- ([#"../checked_ops.rs" 206 12 206 34] saturating_sub0 (5 : int8) (10 : int8)); + [#"../checked_ops.rs" 206 12 206 34] _30 <- ([#"../checked_ops.rs" 206 12 206 34] saturating_sub0 ([#"../checked_ops.rs" 206 12 206 15] (5 : int8)) ([#"../checked_ops.rs" 206 31 206 33] (10 : int8))); goto BB22 } BB21 { 
@@ -3546,7 +3692,7 @@ module CheckedOps_TestI8SubExample absurd } BB22 { - [#"../checked_ops.rs" 206 12 206 40] _29 <- ([#"../checked_ops.rs" 206 12 206 40] _30 = (-5 : int8)); + [#"../checked_ops.rs" 206 12 206 40] _29 <- ([#"../checked_ops.rs" 206 12 206 40] _30 = ([#"../checked_ops.rs" 206 38 206 40] (-5 : int8))); _30 <- any int8; switch (_29) | False -> goto BB24 @@ -3554,7 +3700,7 @@ module CheckedOps_TestI8SubExample end } BB23 { - [#"../checked_ops.rs" 207 12 207 36] _34 <- ([#"../checked_ops.rs" 207 12 207 36] saturating_sub0 (120 : int8) (10 : int8)); + [#"../checked_ops.rs" 207 12 207 36] _34 <- ([#"../checked_ops.rs" 207 12 207 36] saturating_sub0 ([#"../checked_ops.rs" 207 12 207 17] (120 : int8)) ([#"../checked_ops.rs" 207 33 207 35] (10 : int8))); goto BB25 } BB24 { @@ -3562,7 +3708,7 @@ module CheckedOps_TestI8SubExample absurd } BB25 { - [#"../checked_ops.rs" 207 12 207 43] _33 <- ([#"../checked_ops.rs" 207 12 207 43] _34 = (110 : int8)); + [#"../checked_ops.rs" 207 12 207 43] _33 <- ([#"../checked_ops.rs" 207 12 207 43] _34 = ([#"../checked_ops.rs" 207 40 207 43] (110 : int8))); _34 <- any int8; switch (_33) | False -> goto BB27 @@ -3570,7 +3716,7 @@ module CheckedOps_TestI8SubExample end } BB26 { - [#"../checked_ops.rs" 208 12 208 39] _38 <- ([#"../checked_ops.rs" 208 12 208 39] saturating_sub0 (-120 : int8) (10 : int8)); + [#"../checked_ops.rs" 208 12 208 39] _38 <- ([#"../checked_ops.rs" 208 12 208 39] saturating_sub0 ([#"../checked_ops.rs" 208 12 208 20] (-120 : int8)) ([#"../checked_ops.rs" 208 36 208 38] (10 : int8))); goto BB28 } BB27 { @@ -3578,7 +3724,7 @@ module CheckedOps_TestI8SubExample absurd } BB28 { - [#"../checked_ops.rs" 208 12 208 47] _37 <- ([#"../checked_ops.rs" 208 12 208 47] _38 = (-128 : int8)); + [#"../checked_ops.rs" 208 12 208 47] _37 <- ([#"../checked_ops.rs" 208 12 208 47] _38 = ([#"../checked_ops.rs" 208 43 208 47] (-128 : int8))); _38 <- any int8; switch (_37) | False -> goto BB30 
@@ -3586,7 +3732,7 @@ module CheckedOps_TestI8SubExample end } BB29 { - [#"../checked_ops.rs" 210 14 210 37] res <- ([#"../checked_ops.rs" 210 14 210 37] overflowing_sub0 (5 : int8) (10 : int8)); + [#"../checked_ops.rs" 210 14 210 37] res <- ([#"../checked_ops.rs" 210 14 210 37] overflowing_sub0 ([#"../checked_ops.rs" 210 14 210 17] (5 : int8)) ([#"../checked_ops.rs" 210 34 210 36] (10 : int8))); goto BB31 } BB30 { @@ -3594,7 +3740,7 @@ module CheckedOps_TestI8SubExample absurd } BB31 { - [#"../checked_ops.rs" 211 12 211 23] _42 <- ([#"../checked_ops.rs" 211 12 211 23] (let (a, _) = res in a) = (-5 : int8)); + [#"../checked_ops.rs" 211 12 211 23] _42 <- ([#"../checked_ops.rs" 211 12 211 23] (let (a, _) = res in a) = ([#"../checked_ops.rs" 211 21 211 23] (-5 : int8))); switch (_42) | False -> goto BB35 | True -> goto BB32 @@ -3602,14 +3748,14 @@ module CheckedOps_TestI8SubExample } BB32 { assume { resolve0 res }; - [#"../checked_ops.rs" 211 27 211 41] _44 <- ([#"../checked_ops.rs" 211 27 211 41] Bool.eqb (let (_, a) = res in a) false); + [#"../checked_ops.rs" 211 27 211 41] _44 <- ([#"../checked_ops.rs" 211 27 211 41] Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 211 36 211 41] false)); switch (_44) | False -> goto BB34 | True -> goto BB33 end } BB33 { - [#"../checked_ops.rs" 212 14 212 39] res1 <- ([#"../checked_ops.rs" 212 14 212 39] overflowing_sub0 (120 : int8) (10 : int8)); + [#"../checked_ops.rs" 212 14 212 39] res1 <- ([#"../checked_ops.rs" 212 14 212 39] overflowing_sub0 ([#"../checked_ops.rs" 212 14 212 19] (120 : int8)) ([#"../checked_ops.rs" 212 36 212 38] (10 : int8))); goto BB37 } BB34 { 
@@ -3624,7 +3770,7 @@ module CheckedOps_TestI8SubExample absurd } BB37 { - [#"../checked_ops.rs" 213 12 213 24] _49 <- ([#"../checked_ops.rs" 213 12 213 24] (let (a, _) = res1 in a) = (110 : int8)); + [#"../checked_ops.rs" 213 12 213 24] _49 <- ([#"../checked_ops.rs" 213 12 213 24] (let (a, _) = res1 in a) = ([#"../checked_ops.rs" 213 21 213 24] (110 : int8))); switch (_49) | False -> goto BB41 | True -> goto BB38 @@ -3632,14 +3778,14 @@ module CheckedOps_TestI8SubExample } BB38 { assume { resolve0 res1 }; - [#"../checked_ops.rs" 213 28 213 42] _51 <- ([#"../checked_ops.rs" 213 28 213 42] Bool.eqb (let (_, a) = res1 in a) false); + [#"../checked_ops.rs" 213 28 213 42] _51 <- ([#"../checked_ops.rs" 213 28 213 42] Bool.eqb (let (_, a) = res1 in a) ([#"../checked_ops.rs" 213 37 213 42] false)); switch (_51) | False -> goto BB40 | True -> goto BB39 end } BB39 { - [#"../checked_ops.rs" 214 14 214 42] res2 <- ([#"../checked_ops.rs" 214 14 214 42] overflowing_sub0 (-120 : int8) (10 : int8)); + [#"../checked_ops.rs" 214 14 214 42] res2 <- ([#"../checked_ops.rs" 214 14 214 42] overflowing_sub0 ([#"../checked_ops.rs" 214 14 214 22] (-120 : int8)) ([#"../checked_ops.rs" 214 39 214 41] (10 : int8))); goto BB43 } BB40 { @@ -3654,7 +3800,7 @@ module CheckedOps_TestI8SubExample absurd } BB43 { - [#"../checked_ops.rs" 215 12 215 24] _56 <- ([#"../checked_ops.rs" 215 12 215 24] (let (a, _) = res2 in a) = (126 : int8)); + [#"../checked_ops.rs" 215 12 215 24] _56 <- ([#"../checked_ops.rs" 215 12 215 24] (let (a, _) = res2 in a) = ([#"../checked_ops.rs" 215 21 215 24] (126 : int8))); switch (_56) | False -> goto BB47 | True -> goto BB44 
@@ -3662,14 +3808,14 @@ module CheckedOps_TestI8SubExample } BB44 { assume { resolve0 res2 }; - [#"../checked_ops.rs" 215 28 215 41] _58 <- ([#"../checked_ops.rs" 215 28 215 41] Bool.eqb (let (_, a) = res2 in a) true); + [#"../checked_ops.rs" 215 28 215 41] _58 <- ([#"../checked_ops.rs" 215 28 215 41] Bool.eqb (let (_, a) = res2 in a) ([#"../checked_ops.rs" 215 37 215 41] true)); switch (_58) | False -> goto BB46 | True -> goto BB45 end } BB45 { - [#"../checked_ops.rs" 197 29 216 1] _0 <- ([#"../checked_ops.rs" 197 29 216 1] ()); + [#"../checked_ops.rs" 197 29 216 1] _0 <- ([#"../checked_ops.rs" 197 29 216 1] [#"../checked_ops.rs" 197 29 216 1] ()); return _0 } BB46 { 
@@ -3728,21 +3874,30 @@ module CheckedOps_TestI8SubOverflowPos (8 : uint32) val overflowing_sub0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self - Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self - Int8.to_int rhs > Int8.to_int max0) } val saturating_sub0 (self : int8) (rhs : int8) : int8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> Int8.to_int result = Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> Int8.to_int result = Int8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> Int8.to_int result = Int8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> Int8.to_int result = Int8.to_int max0 } val wrapping_sub0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self - Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int 
min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option int8) : bool 
@@ -3751,7 +3906,8 @@ module CheckedOps_TestI8SubOverflowPos val checked_sub0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self - Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self - Int8.to_int rhs } let rec cfg test_i8_sub_overflow_pos [#"../checked_ops.rs" 220 0 220 38] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) : () requires {[#"../checked_ops.rs" 219 11 219 17] Int8.to_int a > 0} @@ -3776,7 +3932,7 @@ module CheckedOps_TestI8SubOverflowPos goto BB0 } BB0 { - [#"../checked_ops.rs" 221 12 221 35] _6 <- ([#"../checked_ops.rs" 221 12 221 35] checked_sub0 (-128 : int8) a); + [#"../checked_ops.rs" 221 12 221 35] _6 <- ([#"../checked_ops.rs" 221 12 221 35] checked_sub0 ([#"../checked_ops.rs" 221 12 221 20] (-128 : int8)) a); goto BB1 } BB1 { @@ -3790,7 +3946,7 @@ module CheckedOps_TestI8SubOverflowPos end } BB3 { - [#"../checked_ops.rs" 222 12 222 36] _11 <- ([#"../checked_ops.rs" 222 12 222 36] wrapping_sub0 (-128 : int8) a); + [#"../checked_ops.rs" 222 12 222 36] _11 <- ([#"../checked_ops.rs" 222 12 222 36] wrapping_sub0 ([#"../checked_ops.rs" 222 12 222 20] (-128 : int8)) a); goto BB5 } BB4 { 
@@ -3798,8 +3954,8 @@ module CheckedOps_TestI8SubOverflowPos absurd } BB5 { - [#"../checked_ops.rs" 222 40 222 47] _14 <- ([#"../checked_ops.rs" 222 40 222 47] (127 : int8) - a); - [#"../checked_ops.rs" 222 40 222 51] _13 <- ([#"../checked_ops.rs" 222 40 222 51] _14 + (1 : int8)); + [#"../checked_ops.rs" 222 40 222 47] _14 <- ([#"../checked_ops.rs" 222 40 222 47] ([#"../checked_ops.rs" 222 40 222 43] (127 : int8)) - a); + [#"../checked_ops.rs" 222 40 222 51] _13 <- ([#"../checked_ops.rs" 222 40 222 51] _14 + ([#"../checked_ops.rs" 222 50 222 51] (1 : int8))); _14 <- any int8; [#"../checked_ops.rs" 222 12 222 51] _10 <- ([#"../checked_ops.rs" 222 12 222 51] _11 = _13); _11 <- any int8; @@ -3810,7 +3966,7 @@ module CheckedOps_TestI8SubOverflowPos end } BB6 { - [#"../checked_ops.rs" 223 12 223 38] _19 <- ([#"../checked_ops.rs" 223 12 223 38] saturating_sub0 (-128 : int8) a); + [#"../checked_ops.rs" 223 12 223 38] _19 <- ([#"../checked_ops.rs" 223 12 223 38] saturating_sub0 ([#"../checked_ops.rs" 223 12 223 20] (-128 : int8)) a); goto BB8 } BB7 { @@ -3818,7 +3974,7 @@ module CheckedOps_TestI8SubOverflowPos absurd } BB8 { - [#"../checked_ops.rs" 223 12 223 46] _18 <- ([#"../checked_ops.rs" 223 12 223 46] _19 = (-128 : int8)); + [#"../checked_ops.rs" 223 12 223 46] _18 <- ([#"../checked_ops.rs" 223 12 223 46] _19 = ([#"../checked_ops.rs" 223 42 223 46] (-128 : int8))); _19 <- any int8; switch (_18) | False -> goto BB10 @@ -3826,7 +3982,7 @@ module CheckedOps_TestI8SubOverflowPos end } BB9 { - [#"../checked_ops.rs" 224 14 224 41] res <- ([#"../checked_ops.rs" 224 14 224 41] overflowing_sub0 (-128 : int8) a); + [#"../checked_ops.rs" 224 14 224 41] res <- ([#"../checked_ops.rs" 224 14 224 41] overflowing_sub0 ([#"../checked_ops.rs" 224 14 224 22] (-128 : int8)) a); goto BB11 } BB10 { 
@@ -3834,8 +3990,8 @@ module CheckedOps_TestI8SubOverflowPos absurd } BB11 { - [#"../checked_ops.rs" 225 21 225 28] _28 <- ([#"../checked_ops.rs" 225 21 225 28] (127 : int8) - a); - [#"../checked_ops.rs" 225 21 225 32] _27 <- ([#"../checked_ops.rs" 225 21 225 32] _28 + (1 : int8)); + [#"../checked_ops.rs" 225 21 225 28] _28 <- ([#"../checked_ops.rs" 225 21 225 28] ([#"../checked_ops.rs" 225 21 225 24] (127 : int8)) - a); + [#"../checked_ops.rs" 225 21 225 32] _27 <- ([#"../checked_ops.rs" 225 21 225 32] _28 + ([#"../checked_ops.rs" 225 31 225 32] (1 : int8))); _28 <- any int8; [#"../checked_ops.rs" 225 12 225 32] _25 <- ([#"../checked_ops.rs" 225 12 225 32] (let (a, _) = res in a) = _27); _27 <- any int8; @@ -3846,14 +4002,14 @@ module CheckedOps_TestI8SubOverflowPos } BB12 { assume { resolve0 res }; - [#"../checked_ops.rs" 225 36 225 49] _30 <- ([#"../checked_ops.rs" 225 36 225 49] Bool.eqb (let (_, a) = res in a) true); + [#"../checked_ops.rs" 225 36 225 49] _30 <- ([#"../checked_ops.rs" 225 36 225 49] Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 225 45 225 49] true)); switch (_30) | False -> goto BB14 | True -> goto BB13 end } BB13 { - [#"../checked_ops.rs" 220 39 226 1] _0 <- ([#"../checked_ops.rs" 220 39 226 1] ()); + [#"../checked_ops.rs" 220 39 226 1] _0 <- ([#"../checked_ops.rs" 220 39 226 1] [#"../checked_ops.rs" 220 39 226 1] ()); return _0 } BB14 { 
@@ -3912,21 +4068,30 @@ module CheckedOps_TestI8SubOverflowNeg (8 : uint32) val overflowing_sub0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self - Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self - Int8.to_int rhs > Int8.to_int max0) } val saturating_sub0 (self : int8) (rhs : int8) : int8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> Int8.to_int result = Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> Int8.to_int result = Int8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> Int8.to_int result = Int8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> Int8.to_int result = Int8.to_int max0 } val wrapping_sub0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self - Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int 
min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option int8) : bool 
@@ -3935,7 +4100,8 @@ module CheckedOps_TestI8SubOverflowNeg val checked_sub0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self - Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self - Int8.to_int rhs } let rec cfg test_i8_sub_overflow_neg [#"../checked_ops.rs" 230 0 230 38] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) : () requires {[#"../checked_ops.rs" 229 11 229 17] Int8.to_int a < 0} @@ -3962,7 +4128,7 @@ module CheckedOps_TestI8SubOverflowNeg goto BB0 } BB0 { - [#"../checked_ops.rs" 231 12 231 32] _6 <- ([#"../checked_ops.rs" 231 12 231 32] checked_sub0 (127 : int8) a); + [#"../checked_ops.rs" 231 12 231 32] _6 <- ([#"../checked_ops.rs" 231 12 231 32] checked_sub0 ([#"../checked_ops.rs" 231 12 231 17] (127 : int8)) a); goto BB1 } BB1 { @@ -3976,7 +4142,7 @@ module CheckedOps_TestI8SubOverflowNeg end } BB3 { - [#"../checked_ops.rs" 232 12 232 33] _11 <- ([#"../checked_ops.rs" 232 12 232 33] wrapping_sub0 (127 : int8) a); + [#"../checked_ops.rs" 232 12 232 33] _11 <- ([#"../checked_ops.rs" 232 12 232 33] wrapping_sub0 ([#"../checked_ops.rs" 232 12 232 17] (127 : int8)) a); goto BB5 } BB4 { 
@@ -3984,10 +4150,10 @@ module CheckedOps_TestI8SubOverflowNeg absurd } BB5 { - [#"../checked_ops.rs" 232 38 232 45] _15 <- ([#"../checked_ops.rs" 232 38 232 45] (2 : int8) + a); + [#"../checked_ops.rs" 232 38 232 45] _15 <- ([#"../checked_ops.rs" 232 38 232 45] ([#"../checked_ops.rs" 232 39 232 40] (2 : int8)) + a); [#"../checked_ops.rs" 232 37 232 45] _14 <- ([#"../checked_ops.rs" 232 37 232 45] - _15); _15 <- any int8; - [#"../checked_ops.rs" 232 37 232 51] _13 <- ([#"../checked_ops.rs" 232 37 232 51] _14 - (127 : int8)); + [#"../checked_ops.rs" 232 37 232 51] _13 <- ([#"../checked_ops.rs" 232 37 232 51] _14 - ([#"../checked_ops.rs" 232 48 232 51] (127 : int8))); _14 <- any int8; [#"../checked_ops.rs" 232 12 232 51] _10 <- ([#"../checked_ops.rs" 232 12 232 51] _11 = _13); _11 <- any int8; @@ -3998,7 +4164,7 @@ module CheckedOps_TestI8SubOverflowNeg end } BB6 { - [#"../checked_ops.rs" 233 12 233 35] _20 <- ([#"../checked_ops.rs" 233 12 233 35] saturating_sub0 (127 : int8) a); + [#"../checked_ops.rs" 233 12 233 35] _20 <- ([#"../checked_ops.rs" 233 12 233 35] saturating_sub0 ([#"../checked_ops.rs" 233 12 233 17] (127 : int8)) a); goto BB8 } BB7 { @@ -4006,7 +4172,7 @@ module CheckedOps_TestI8SubOverflowNeg absurd } BB8 { - [#"../checked_ops.rs" 233 12 233 42] _19 <- ([#"../checked_ops.rs" 233 12 233 42] _20 = (127 : int8)); + [#"../checked_ops.rs" 233 12 233 42] _19 <- ([#"../checked_ops.rs" 233 12 233 42] _20 = ([#"../checked_ops.rs" 233 39 233 42] (127 : int8))); _20 <- any int8; switch (_19) | False -> goto BB10 @@ -4014,7 +4180,7 @@ module CheckedOps_TestI8SubOverflowNeg end } BB9 { - [#"../checked_ops.rs" 234 14 234 38] res <- ([#"../checked_ops.rs" 234 14 234 38] overflowing_sub0 (127 : int8) a); + [#"../checked_ops.rs" 234 14 234 38] res <- ([#"../checked_ops.rs" 234 14 234 38] overflowing_sub0 ([#"../checked_ops.rs" 234 14 234 19] (127 : int8)) a); goto BB11 } BB10 { 
@@ -4022,10 +4188,10 @@ module CheckedOps_TestI8SubOverflowNeg absurd } BB11 { - [#"../checked_ops.rs" 235 22 235 29] _30 <- ([#"../checked_ops.rs" 235 22 235 29] (2 : int8) + a); + [#"../checked_ops.rs" 235 22 235 29] _30 <- ([#"../checked_ops.rs" 235 22 235 29] ([#"../checked_ops.rs" 235 23 235 24] (2 : int8)) + a); [#"../checked_ops.rs" 235 21 235 29] _29 <- ([#"../checked_ops.rs" 235 21 235 29] - _30); _30 <- any int8; - [#"../checked_ops.rs" 235 21 235 35] _28 <- ([#"../checked_ops.rs" 235 21 235 35] _29 - (127 : int8)); + [#"../checked_ops.rs" 235 21 235 35] _28 <- ([#"../checked_ops.rs" 235 21 235 35] _29 - ([#"../checked_ops.rs" 235 32 235 35] (127 : int8))); _29 <- any int8; [#"../checked_ops.rs" 235 12 235 35] _26 <- ([#"../checked_ops.rs" 235 12 235 35] (let (a, _) = res in a) = _28); _28 <- any int8; @@ -4036,14 +4202,14 @@ module CheckedOps_TestI8SubOverflowNeg } BB12 { assume { resolve0 res }; - [#"../checked_ops.rs" 235 39 235 52] _32 <- ([#"../checked_ops.rs" 235 39 235 52] Bool.eqb (let (_, a) = res in a) true); + [#"../checked_ops.rs" 235 39 235 52] _32 <- ([#"../checked_ops.rs" 235 39 235 52] Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 235 48 235 52] true)); switch (_32) | False -> goto BB14 | True -> goto BB13 end } BB13 { - [#"../checked_ops.rs" 230 39 236 1] _0 <- ([#"../checked_ops.rs" 230 39 236 1] ()); + [#"../checked_ops.rs" 230 39 236 1] _0 <- ([#"../checked_ops.rs" 230 39 236 1] [#"../checked_ops.rs" 230 39 236 1] ()); return _0 } BB14 { 
@@ -4075,9 +4241,12 @@ module CheckedOps_TestI8WrappingSub (8 : uint32) val wrapping_sub0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self - Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } let rec cfg test_i8_wrapping_sub [#"../checked_ops.rs" 241 0 241 47] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) (b : int8) : int8 ensures { [#"../checked_ops.rs" 240 10 240 84] Int8.to_int result = Int8.to_int a - Int8.to_int b \/ Int8.to_int result = Int8.to_int a - Int8.to_int b + 256 \/ Int8.to_int result = Int8.to_int a - Int8.to_int b - 256 } @@ -4125,7 +4294,8 @@ module CheckedOps_TestI8OverflowingSub use prelude.Int8 val checked_sub0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self - Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self - Int8.to_int rhs } use prelude.UInt32 use int.EuclideanDivision 
@@ -4135,9 +4305,12 @@ module CheckedOps_TestI8OverflowingSub (8 : uint32) val wrapping_sub0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self - Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } predicate resolve2 (self : bool) = [#"../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true 
@@ -4156,9 +4329,12 @@ module CheckedOps_TestI8OverflowingSub val overflowing_sub0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self - Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self - Int8.to_int rhs > Int8.to_int max0) } let rec cfg test_i8_overflowing_sub [#"../checked_ops.rs" 246 0 246 44] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) (b : int8) : () @@ -4220,7 +4396,7 @@ module CheckedOps_TestI8OverflowingSub end } BB8 { - [#"../checked_ops.rs" 246 45 249 1] _0 <- ([#"../checked_ops.rs" 246 45 249 1] ()); + [#"../checked_ops.rs" 246 45 249 1] _0 <- ([#"../checked_ops.rs" 246 45 249 1] [#"../checked_ops.rs" 246 45 249 1] ()); return _0 } BB9 { 
@@ -4292,21 +4468,30 @@ module CheckedOps_TestI8MulExample use prelude.Int8 val overflowing_mul0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self * Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self * Int8.to_int rhs > Int8.to_int max0) } val saturating_mul0 (self : int8) (rhs : int8) : int8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self * Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 -> Int8.to_int result = Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 -> Int8.to_int result = Int8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 + -> Int8.to_int result = Int8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 + -> Int8.to_int result = Int8.to_int max0 } val wrapping_mul0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self * Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int 
min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self * Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option int8) : bool 
@@ -4321,7 +4506,8 @@ module CheckedOps_TestI8MulExample val checked_mul0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self * Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self * Int8.to_int rhs } let rec cfg test_i8_mul_example [#"../checked_ops.rs" 252 0 252 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () @@ -4359,7 +4545,7 @@ module CheckedOps_TestI8MulExample goto BB0 } BB0 { - [#"../checked_ops.rs" 253 12 253 31] _4 <- ([#"../checked_ops.rs" 253 12 253 31] checked_mul0 (5 : int8) (10 : int8)); + [#"../checked_ops.rs" 253 12 253 31] _4 <- ([#"../checked_ops.rs" 253 12 253 31] checked_mul0 ([#"../checked_ops.rs" 253 12 253 15] (5 : int8)) ([#"../checked_ops.rs" 253 28 253 30] (10 : int8))); goto BB1 } BB1 { @@ -4368,7 +4554,7 @@ module CheckedOps_TestI8MulExample goto BB2 } BB2 { - [#"../checked_ops.rs" 253 12 253 46] _2 <- ([#"../checked_ops.rs" 253 12 253 46] _3 = (50 : int8)); + [#"../checked_ops.rs" 253 12 253 46] _2 <- ([#"../checked_ops.rs" 253 12 253 46] _3 = ([#"../checked_ops.rs" 253 44 253 46] (50 : int8))); _3 <- any int8; switch (_2) | False -> goto BB4 
@@ -4376,7 +4562,7 @@ module CheckedOps_TestI8MulExample end } BB3 { - [#"../checked_ops.rs" 254 12 254 32] _9 <- ([#"../checked_ops.rs" 254 12 254 32] checked_mul0 (50 : int8) (10 : int8)); + [#"../checked_ops.rs" 254 12 254 32] _9 <- ([#"../checked_ops.rs" 254 12 254 32] checked_mul0 ([#"../checked_ops.rs" 254 12 254 16] (50 : int8)) ([#"../checked_ops.rs" 254 29 254 31] (10 : int8))); goto BB5 } BB4 { @@ -4394,7 +4580,7 @@ module CheckedOps_TestI8MulExample end } BB7 { - [#"../checked_ops.rs" 255 12 255 33] _14 <- ([#"../checked_ops.rs" 255 12 255 33] checked_mul0 (50 : int8) (-10 : int8)); + [#"../checked_ops.rs" 255 12 255 33] _14 <- ([#"../checked_ops.rs" 255 12 255 33] checked_mul0 ([#"../checked_ops.rs" 255 12 255 16] (50 : int8)) ([#"../checked_ops.rs" 255 29 255 32] (-10 : int8))); goto BB9 } BB8 { @@ -4412,7 +4598,7 @@ module CheckedOps_TestI8MulExample end } BB11 { - [#"../checked_ops.rs" 257 12 257 32] _18 <- ([#"../checked_ops.rs" 257 12 257 32] wrapping_mul0 (5 : int8) (10 : int8)); + [#"../checked_ops.rs" 257 12 257 32] _18 <- ([#"../checked_ops.rs" 257 12 257 32] wrapping_mul0 ([#"../checked_ops.rs" 257 12 257 15] (5 : int8)) ([#"../checked_ops.rs" 257 29 257 31] (10 : int8))); goto BB13 } BB12 { @@ -4420,7 +4606,7 @@ module CheckedOps_TestI8MulExample absurd } BB13 { - [#"../checked_ops.rs" 257 12 257 38] _17 <- ([#"../checked_ops.rs" 257 12 257 38] _18 = (50 : int8)); + [#"../checked_ops.rs" 257 12 257 38] _17 <- ([#"../checked_ops.rs" 257 12 257 38] _18 = ([#"../checked_ops.rs" 257 36 257 38] (50 : int8))); _18 <- any int8; switch (_17) | False -> goto BB15 
@@ -4428,7 +4614,7 @@ module CheckedOps_TestI8MulExample end } BB14 { - [#"../checked_ops.rs" 258 12 258 33] _22 <- ([#"../checked_ops.rs" 258 12 258 33] wrapping_mul0 (50 : int8) (10 : int8)); + [#"../checked_ops.rs" 258 12 258 33] _22 <- ([#"../checked_ops.rs" 258 12 258 33] wrapping_mul0 ([#"../checked_ops.rs" 258 12 258 16] (50 : int8)) ([#"../checked_ops.rs" 258 30 258 32] (10 : int8))); goto BB16 } BB15 { @@ -4436,7 +4622,7 @@ module CheckedOps_TestI8MulExample absurd } BB16 { - [#"../checked_ops.rs" 258 12 258 40] _21 <- ([#"../checked_ops.rs" 258 12 258 40] _22 = (-12 : int8)); + [#"../checked_ops.rs" 258 12 258 40] _21 <- ([#"../checked_ops.rs" 258 12 258 40] _22 = ([#"../checked_ops.rs" 258 37 258 40] (-12 : int8))); _22 <- any int8; switch (_21) | False -> goto BB18 @@ -4444,7 +4630,7 @@ module CheckedOps_TestI8MulExample end } BB17 { - [#"../checked_ops.rs" 259 12 259 34] _26 <- ([#"../checked_ops.rs" 259 12 259 34] wrapping_mul0 (50 : int8) (-10 : int8)); + [#"../checked_ops.rs" 259 12 259 34] _26 <- ([#"../checked_ops.rs" 259 12 259 34] wrapping_mul0 ([#"../checked_ops.rs" 259 12 259 16] (50 : int8)) ([#"../checked_ops.rs" 259 30 259 33] (-10 : int8))); goto BB19 } BB18 { @@ -4452,7 +4638,7 @@ module CheckedOps_TestI8MulExample absurd } BB19 { - [#"../checked_ops.rs" 259 12 259 40] _25 <- ([#"../checked_ops.rs" 259 12 259 40] _26 = (12 : int8)); + [#"../checked_ops.rs" 259 12 259 40] _25 <- ([#"../checked_ops.rs" 259 12 259 40] _26 = ([#"../checked_ops.rs" 259 38 259 40] (12 : int8))); _26 <- any int8; switch (_25) | False -> goto BB21 @@ -4460,7 +4646,7 @@ module CheckedOps_TestI8MulExample end } BB20 { - [#"../checked_ops.rs" 261 12 261 34] _30 <- ([#"../checked_ops.rs" 261 12 261 34] saturating_mul0 (5 : int8) (10 : int8)); + [#"../checked_ops.rs" 261 12 261 34] _30 <- ([#"../checked_ops.rs" 261 12 261 34] saturating_mul0 ([#"../checked_ops.rs" 261 12 261 15] (5 : int8)) ([#"../checked_ops.rs" 261 31 261 33] (10 : int8))); goto BB22 } BB21 { 
@@ -4468,7 +4654,7 @@ module CheckedOps_TestI8MulExample absurd } BB22 { - [#"../checked_ops.rs" 261 12 261 40] _29 <- ([#"../checked_ops.rs" 261 12 261 40] _30 = (50 : int8)); + [#"../checked_ops.rs" 261 12 261 40] _29 <- ([#"../checked_ops.rs" 261 12 261 40] _30 = ([#"../checked_ops.rs" 261 38 261 40] (50 : int8))); _30 <- any int8; switch (_29) | False -> goto BB24 @@ -4476,7 +4662,7 @@ module CheckedOps_TestI8MulExample end } BB23 { - [#"../checked_ops.rs" 262 12 262 35] _34 <- ([#"../checked_ops.rs" 262 12 262 35] saturating_mul0 (50 : int8) (10 : int8)); + [#"../checked_ops.rs" 262 12 262 35] _34 <- ([#"../checked_ops.rs" 262 12 262 35] saturating_mul0 ([#"../checked_ops.rs" 262 12 262 16] (50 : int8)) ([#"../checked_ops.rs" 262 32 262 34] (10 : int8))); goto BB25 } BB24 { @@ -4484,7 +4670,7 @@ module CheckedOps_TestI8MulExample absurd } BB25 { - [#"../checked_ops.rs" 262 12 262 42] _33 <- ([#"../checked_ops.rs" 262 12 262 42] _34 = (127 : int8)); + [#"../checked_ops.rs" 262 12 262 42] _33 <- ([#"../checked_ops.rs" 262 12 262 42] _34 = ([#"../checked_ops.rs" 262 39 262 42] (127 : int8))); _34 <- any int8; switch (_33) | False -> goto BB27 @@ -4492,7 +4678,7 @@ module CheckedOps_TestI8MulExample end } BB26 { - [#"../checked_ops.rs" 263 12 263 36] _38 <- ([#"../checked_ops.rs" 263 12 263 36] saturating_mul0 (50 : int8) (-10 : int8)); + [#"../checked_ops.rs" 263 12 263 36] _38 <- ([#"../checked_ops.rs" 263 12 263 36] saturating_mul0 ([#"../checked_ops.rs" 263 12 263 16] (50 : int8)) ([#"../checked_ops.rs" 263 32 263 35] (-10 : int8))); goto BB28 } BB27 { @@ -4500,7 +4686,7 @@ module CheckedOps_TestI8MulExample absurd } BB28 { - [#"../checked_ops.rs" 263 12 263 44] _37 <- ([#"../checked_ops.rs" 263 12 263 44] _38 = (-128 : int8)); + [#"../checked_ops.rs" 263 12 263 44] _37 <- ([#"../checked_ops.rs" 263 12 263 44] _38 = ([#"../checked_ops.rs" 263 40 263 44] (-128 : int8))); _38 <- any int8; switch (_37) | False -> goto BB30 
@@ -4508,7 +4694,7 @@ module CheckedOps_TestI8MulExample end } BB29 { - [#"../checked_ops.rs" 265 14 265 37] res <- ([#"../checked_ops.rs" 265 14 265 37] overflowing_mul0 (5 : int8) (10 : int8)); + [#"../checked_ops.rs" 265 14 265 37] res <- ([#"../checked_ops.rs" 265 14 265 37] overflowing_mul0 ([#"../checked_ops.rs" 265 14 265 17] (5 : int8)) ([#"../checked_ops.rs" 265 34 265 36] (10 : int8))); goto BB31 } BB30 { @@ -4516,7 +4702,7 @@ module CheckedOps_TestI8MulExample absurd } BB31 { - [#"../checked_ops.rs" 266 12 266 23] _42 <- ([#"../checked_ops.rs" 266 12 266 23] (let (a, _) = res in a) = (50 : int8)); + [#"../checked_ops.rs" 266 12 266 23] _42 <- ([#"../checked_ops.rs" 266 12 266 23] (let (a, _) = res in a) = ([#"../checked_ops.rs" 266 21 266 23] (50 : int8))); switch (_42) | False -> goto BB35 | True -> goto BB32 @@ -4524,14 +4710,14 @@ module CheckedOps_TestI8MulExample } BB32 { assume { resolve0 res }; - [#"../checked_ops.rs" 266 27 266 41] _44 <- ([#"../checked_ops.rs" 266 27 266 41] Bool.eqb (let (_, a) = res in a) false); + [#"../checked_ops.rs" 266 27 266 41] _44 <- ([#"../checked_ops.rs" 266 27 266 41] Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 266 36 266 41] false)); switch (_44) | False -> goto BB34 | True -> goto BB33 end } BB33 { - [#"../checked_ops.rs" 267 14 267 38] res1 <- ([#"../checked_ops.rs" 267 14 267 38] overflowing_mul0 (50 : int8) (10 : int8)); + [#"../checked_ops.rs" 267 14 267 38] res1 <- ([#"../checked_ops.rs" 267 14 267 38] overflowing_mul0 ([#"../checked_ops.rs" 267 14 267 18] (50 : int8)) ([#"../checked_ops.rs" 267 35 267 37] (10 : int8))); goto BB37 } BB34 { 
@@ -4546,7 +4732,7 @@ module CheckedOps_TestI8MulExample absurd } BB37 { - [#"../checked_ops.rs" 268 12 268 24] _49 <- ([#"../checked_ops.rs" 268 12 268 24] (let (a, _) = res1 in a) = (-12 : int8)); + [#"../checked_ops.rs" 268 12 268 24] _49 <- ([#"../checked_ops.rs" 268 12 268 24] (let (a, _) = res1 in a) = ([#"../checked_ops.rs" 268 21 268 24] (-12 : int8))); switch (_49) | False -> goto BB41 | True -> goto BB38 @@ -4554,14 +4740,14 @@ module CheckedOps_TestI8MulExample } BB38 { assume { resolve0 res1 }; - [#"../checked_ops.rs" 268 28 268 41] _51 <- ([#"../checked_ops.rs" 268 28 268 41] Bool.eqb (let (_, a) = res1 in a) true); + [#"../checked_ops.rs" 268 28 268 41] _51 <- ([#"../checked_ops.rs" 268 28 268 41] Bool.eqb (let (_, a) = res1 in a) ([#"../checked_ops.rs" 268 37 268 41] true)); switch (_51) | False -> goto BB40 | True -> goto BB39 end } BB39 { - [#"../checked_ops.rs" 269 14 269 39] res2 <- ([#"../checked_ops.rs" 269 14 269 39] overflowing_mul0 (50 : int8) (-10 : int8)); + [#"../checked_ops.rs" 269 14 269 39] res2 <- ([#"../checked_ops.rs" 269 14 269 39] overflowing_mul0 ([#"../checked_ops.rs" 269 14 269 18] (50 : int8)) ([#"../checked_ops.rs" 269 35 269 38] (-10 : int8))); goto BB43 } BB40 { @@ -4576,7 +4762,7 @@ module CheckedOps_TestI8MulExample absurd } BB43 { - [#"../checked_ops.rs" 270 12 270 23] _56 <- ([#"../checked_ops.rs" 270 12 270 23] (let (a, _) = res2 in a) = (12 : int8)); + [#"../checked_ops.rs" 270 12 270 23] _56 <- ([#"../checked_ops.rs" 270 12 270 23] (let (a, _) = res2 in a) = ([#"../checked_ops.rs" 270 21 270 23] (12 : int8))); switch (_56) | False -> goto BB47 | True -> goto BB44 
@@ -4584,14 +4770,14 @@ module CheckedOps_TestI8MulExample } BB44 { assume { resolve0 res2 }; - [#"../checked_ops.rs" 270 27 270 40] _58 <- ([#"../checked_ops.rs" 270 27 270 40] Bool.eqb (let (_, a) = res2 in a) true); + [#"../checked_ops.rs" 270 27 270 40] _58 <- ([#"../checked_ops.rs" 270 27 270 40] Bool.eqb (let (_, a) = res2 in a) ([#"../checked_ops.rs" 270 36 270 40] true)); switch (_58) | False -> goto BB46 | True -> goto BB45 end } BB45 { - [#"../checked_ops.rs" 252 29 271 1] _0 <- ([#"../checked_ops.rs" 252 29 271 1] ()); + [#"../checked_ops.rs" 252 29 271 1] _0 <- ([#"../checked_ops.rs" 252 29 271 1] [#"../checked_ops.rs" 252 29 271 1] ()); return _0 } BB46 { 
@@ -4660,21 +4846,30 @@ module CheckedOps_TestI8MulZero use prelude.Int8 val overflowing_mul0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self * Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self * Int8.to_int rhs > Int8.to_int max0) } val saturating_mul0 (self : int8) (rhs : int8) : int8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self * Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 -> Int8.to_int result = Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 -> Int8.to_int result = Int8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 + -> Int8.to_int result = Int8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 + -> Int8.to_int result = Int8.to_int max0 } val wrapping_mul0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self * Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int 
min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self * Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } val unwrap0 (self : Core_Option_Option_Type.t_option int8) : int8 requires {[#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self <> Core_Option_Option_Type.C_None} 
@@ -4684,7 +4879,8 @@ module CheckedOps_TestI8MulZero val checked_mul0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self * Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self * Int8.to_int rhs } let rec cfg test_i8_mul_zero [#"../checked_ops.rs" 274 0 274 30] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) : () @@ -4705,7 +4901,7 @@ module CheckedOps_TestI8MulZero goto BB0 } BB0 { - [#"../checked_ops.rs" 275 12 275 30] _5 <- ([#"../checked_ops.rs" 275 12 275 30] checked_mul0 (0 : int8) a); + [#"../checked_ops.rs" 275 12 275 30] _5 <- ([#"../checked_ops.rs" 275 12 275 30] checked_mul0 ([#"../checked_ops.rs" 275 12 275 15] (0 : int8)) a); goto BB1 } BB1 { @@ -4714,7 +4910,7 @@ module CheckedOps_TestI8MulZero goto BB2 } BB2 { - [#"../checked_ops.rs" 275 12 275 44] _3 <- ([#"../checked_ops.rs" 275 12 275 44] _4 = (0 : int8)); + [#"../checked_ops.rs" 275 12 275 44] _3 <- ([#"../checked_ops.rs" 275 12 275 44] _4 = ([#"../checked_ops.rs" 275 43 275 44] (0 : int8))); _4 <- any int8; switch (_3) | False -> goto BB4 @@ -4722,7 +4918,7 @@ module CheckedOps_TestI8MulZero end } BB3 { - [#"../checked_ops.rs" 276 12 276 31] _10 <- ([#"../checked_ops.rs" 276 12 276 31] wrapping_mul0 (0 : int8) a); + [#"../checked_ops.rs" 276 12 276 31] _10 <- ([#"../checked_ops.rs" 276 12 276 31] wrapping_mul0 ([#"../checked_ops.rs" 276 12 276 15] (0 : int8)) a); goto BB5 } BB4 { 
@@ -4730,7 +4926,7 @@ module CheckedOps_TestI8MulZero absurd } BB5 { - [#"../checked_ops.rs" 276 12 276 36] _9 <- ([#"../checked_ops.rs" 276 12 276 36] _10 = (0 : int8)); + [#"../checked_ops.rs" 276 12 276 36] _9 <- ([#"../checked_ops.rs" 276 12 276 36] _10 = ([#"../checked_ops.rs" 276 35 276 36] (0 : int8))); _10 <- any int8; switch (_9) | False -> goto BB7 @@ -4738,7 +4934,7 @@ module CheckedOps_TestI8MulZero end } BB6 { - [#"../checked_ops.rs" 277 12 277 33] _15 <- ([#"../checked_ops.rs" 277 12 277 33] saturating_mul0 (0 : int8) a); + [#"../checked_ops.rs" 277 12 277 33] _15 <- ([#"../checked_ops.rs" 277 12 277 33] saturating_mul0 ([#"../checked_ops.rs" 277 12 277 15] (0 : int8)) a); goto BB8 } BB7 { @@ -4746,7 +4942,7 @@ module CheckedOps_TestI8MulZero absurd } BB8 { - [#"../checked_ops.rs" 277 12 277 38] _14 <- ([#"../checked_ops.rs" 277 12 277 38] _15 = (0 : int8)); + [#"../checked_ops.rs" 277 12 277 38] _14 <- ([#"../checked_ops.rs" 277 12 277 38] _15 = ([#"../checked_ops.rs" 277 37 277 38] (0 : int8))); _15 <- any int8; switch (_14) | False -> goto BB10 @@ -4754,7 +4950,7 @@ module CheckedOps_TestI8MulZero end } BB9 { - [#"../checked_ops.rs" 278 14 278 36] res <- ([#"../checked_ops.rs" 278 14 278 36] overflowing_mul0 (0 : int8) a); + [#"../checked_ops.rs" 278 14 278 36] res <- ([#"../checked_ops.rs" 278 14 278 36] overflowing_mul0 ([#"../checked_ops.rs" 278 14 278 17] (0 : int8)) a); goto BB11 } BB10 { @@ -4762,7 +4958,7 @@ module CheckedOps_TestI8MulZero absurd } BB11 { - [#"../checked_ops.rs" 279 12 279 22] _21 <- ([#"../checked_ops.rs" 279 12 279 22] (let (a, _) = res in a) = (0 : int8)); + [#"../checked_ops.rs" 279 12 279 22] _21 <- ([#"../checked_ops.rs" 279 12 279 22] (let (a, _) = res in a) = ([#"../checked_ops.rs" 279 21 279 22] (0 : int8))); switch (_21) | False -> goto BB15 | True -> goto BB12 
@@ -4770,14 +4966,14 @@ module CheckedOps_TestI8MulZero } BB12 { assume { resolve0 res }; - [#"../checked_ops.rs" 279 26 279 40] _23 <- ([#"../checked_ops.rs" 279 26 279 40] Bool.eqb (let (_, a) = res in a) false); + [#"../checked_ops.rs" 279 26 279 40] _23 <- ([#"../checked_ops.rs" 279 26 279 40] Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 279 35 279 40] false)); switch (_23) | False -> goto BB14 | True -> goto BB13 end } BB13 { - [#"../checked_ops.rs" 274 31 280 1] _0 <- ([#"../checked_ops.rs" 274 31 280 1] ()); + [#"../checked_ops.rs" 274 31 280 1] _0 <- ([#"../checked_ops.rs" 274 31 280 1] [#"../checked_ops.rs" 274 31 280 1] ()); return _0 } BB14 { @@ -4820,7 +5016,8 @@ module CheckedOps_TestI8OverflowingMul use prelude.Int8 val checked_mul0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self * Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self * Int8.to_int rhs } use prelude.UInt32 use int.EuclideanDivision 
@@ -4830,9 +5027,12 @@ module CheckedOps_TestI8OverflowingMul (8 : uint32) val wrapping_mul0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self * Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self * Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } predicate resolve2 (self : bool) = [#"../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true 
@@ -4851,9 +5051,12 @@ module CheckedOps_TestI8OverflowingMul val overflowing_mul0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self * Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self * Int8.to_int rhs > Int8.to_int max0) } let rec cfg test_i8_overflowing_mul [#"../checked_ops.rs" 283 0 283 44] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) (b : int8) : () @@ -4915,7 +5118,7 @@ module CheckedOps_TestI8OverflowingMul end } BB8 { - [#"../checked_ops.rs" 283 45 286 1] _0 <- ([#"../checked_ops.rs" 283 45 286 1] ()); + [#"../checked_ops.rs" 283 45 286 1] _0 <- ([#"../checked_ops.rs" 283 45 286 1] [#"../checked_ops.rs" 283 45 286 1] ()); return _0 } BB9 { 
@@ -4979,18 +5182,21 @@ module CheckedOps_TestI8DivExample use prelude.Int8 val overflowing_div0 (self : int8) (rhs : int8) : (int8, bool) requires {[#"../../../../creusot-contracts/src/std/num.rs" 91 27 91 36] Int8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 93 16 93 87] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 93 16 93 87] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 95 26 95 91] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 \/ Int8.to_int (let (a, _) = result in a) = div (Int8.to_int self) (Int8.to_int rhs) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 97 26 97 74] (let (_, a) = result in a) = (Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1) } val saturating_div0 (self : int8) (rhs : int8) : int8 requires {[#"../../../../creusot-contracts/src/std/num.rs" 82 27 82 36] Int8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 84 16 84 91] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 -> Int8.to_int result = Int8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 84 16 84 91] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 + -> Int8.to_int result = Int8.to_int min0 } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 86 26 86 89] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 \/ Int8.to_int result = div (Int8.to_int self) (Int8.to_int rhs) } val wrapping_div0 (self : int8) (rhs : int8) : int8 requires {[#"../../../../creusot-contracts/src/std/num.rs" 73 27 73 36] Int8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 75 16 75 85] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = 
- 1 -> Int8.to_int result = Int8.to_int self } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 75 16 75 85] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 + -> Int8.to_int result = Int8.to_int self } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 77 26 77 89] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 \/ Int8.to_int result = div (Int8.to_int self) (Int8.to_int rhs) } val unwrap0 (self : Core_Option_Option_Type.t_option int8) : int8 @@ -5006,7 +5212,8 @@ module CheckedOps_TestI8DivExample val checked_div0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 66 26 66 97] (result = Core_Option_Option_Type.C_None) = (Int8.to_int rhs = 0 \/ Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = div (Int8.to_int self) (Int8.to_int rhs) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = div (Int8.to_int self) (Int8.to_int rhs) } let rec cfg test_i8_div_example [#"../checked_ops.rs" 289 0 289 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () @@ -5047,7 +5254,7 @@ module CheckedOps_TestI8DivExample goto BB0 } BB0 { - [#"../checked_ops.rs" 290 12 290 30] _4 <- ([#"../checked_ops.rs" 290 12 290 30] checked_div0 (5 : int8) (0 : int8)); + [#"../checked_ops.rs" 290 12 290 30] _4 <- ([#"../checked_ops.rs" 290 12 290 30] checked_div0 ([#"../checked_ops.rs" 290 12 290 15] (5 : int8)) ([#"../checked_ops.rs" 290 28 290 29] (0 : int8))); goto BB1 } BB1 { 
@@ -5061,7 +5268,7 @@ module CheckedOps_TestI8DivExample end } BB3 { - [#"../checked_ops.rs" 291 12 291 30] _9 <- ([#"../checked_ops.rs" 291 12 291 30] checked_div0 (5 : int8) (2 : int8)); + [#"../checked_ops.rs" 291 12 291 30] _9 <- ([#"../checked_ops.rs" 291 12 291 30] checked_div0 ([#"../checked_ops.rs" 291 12 291 15] (5 : int8)) ([#"../checked_ops.rs" 291 28 291 29] (2 : int8))); goto BB5 } BB4 { @@ -5074,7 +5281,7 @@ module CheckedOps_TestI8DivExample goto BB6 } BB6 { - [#"../checked_ops.rs" 291 12 291 44] _7 <- ([#"../checked_ops.rs" 291 12 291 44] _8 = (2 : int8)); + [#"../checked_ops.rs" 291 12 291 44] _7 <- ([#"../checked_ops.rs" 291 12 291 44] _8 = ([#"../checked_ops.rs" 291 43 291 44] (2 : int8))); _8 <- any int8; switch (_7) | False -> goto BB8 @@ -5082,7 +5289,7 @@ module CheckedOps_TestI8DivExample end } BB7 { - [#"../checked_ops.rs" 292 12 292 31] _14 <- ([#"../checked_ops.rs" 292 12 292 31] checked_div0 (5 : int8) (-2 : int8)); + [#"../checked_ops.rs" 292 12 292 31] _14 <- ([#"../checked_ops.rs" 292 12 292 31] checked_div0 ([#"../checked_ops.rs" 292 12 292 15] (5 : int8)) ([#"../checked_ops.rs" 292 28 292 30] (-2 : int8))); goto BB9 } BB8 { @@ -5095,7 +5302,7 @@ module CheckedOps_TestI8DivExample goto BB10 } BB10 { - [#"../checked_ops.rs" 292 12 292 46] _12 <- ([#"../checked_ops.rs" 292 12 292 46] _13 = (-2 : int8)); + [#"../checked_ops.rs" 292 12 292 46] _12 <- ([#"../checked_ops.rs" 292 12 292 46] _13 = ([#"../checked_ops.rs" 292 44 292 46] (-2 : int8))); _13 <- any int8; switch (_12) | False -> goto BB12 @@ -5103,7 +5310,7 @@ module CheckedOps_TestI8DivExample end } BB11 { - [#"../checked_ops.rs" 293 12 293 36] _19 <- ([#"../checked_ops.rs" 293 12 293 36] checked_div0 (-128 : int8) (-1 : int8)); + [#"../checked_ops.rs" 293 12 293 36] _19 <- ([#"../checked_ops.rs" 293 12 293 36] checked_div0 ([#"../checked_ops.rs" 293 12 293 20] (-128 : int8)) ([#"../checked_ops.rs" 293 33 293 35] (-1 : int8))); goto BB13 } BB12 { 
@@ -5121,7 +5328,7 @@ module CheckedOps_TestI8DivExample end } BB15 { - [#"../checked_ops.rs" 295 12 295 31] _23 <- ([#"../checked_ops.rs" 295 12 295 31] wrapping_div0 (5 : int8) (2 : int8)); + [#"../checked_ops.rs" 295 12 295 31] _23 <- ([#"../checked_ops.rs" 295 12 295 31] wrapping_div0 ([#"../checked_ops.rs" 295 12 295 15] (5 : int8)) ([#"../checked_ops.rs" 295 29 295 30] (2 : int8))); goto BB17 } BB16 { @@ -5129,7 +5336,7 @@ module CheckedOps_TestI8DivExample absurd } BB17 { - [#"../checked_ops.rs" 295 12 295 36] _22 <- ([#"../checked_ops.rs" 295 12 295 36] _23 = (2 : int8)); + [#"../checked_ops.rs" 295 12 295 36] _22 <- ([#"../checked_ops.rs" 295 12 295 36] _23 = ([#"../checked_ops.rs" 295 35 295 36] (2 : int8))); _23 <- any int8; switch (_22) | False -> goto BB19 @@ -5137,7 +5344,7 @@ module CheckedOps_TestI8DivExample end } BB18 { - [#"../checked_ops.rs" 296 12 296 32] _27 <- ([#"../checked_ops.rs" 296 12 296 32] wrapping_div0 (5 : int8) (-2 : int8)); + [#"../checked_ops.rs" 296 12 296 32] _27 <- ([#"../checked_ops.rs" 296 12 296 32] wrapping_div0 ([#"../checked_ops.rs" 296 12 296 15] (5 : int8)) ([#"../checked_ops.rs" 296 29 296 31] (-2 : int8))); goto BB20 } BB19 { @@ -5145,7 +5352,7 @@ module CheckedOps_TestI8DivExample absurd } BB20 { - [#"../checked_ops.rs" 296 12 296 38] _26 <- ([#"../checked_ops.rs" 296 12 296 38] _27 = (-2 : int8)); + [#"../checked_ops.rs" 296 12 296 38] _26 <- ([#"../checked_ops.rs" 296 12 296 38] _27 = ([#"../checked_ops.rs" 296 36 296 38] (-2 : int8))); _27 <- any int8; switch (_26) | False -> goto BB22 @@ -5153,7 +5360,7 @@ module CheckedOps_TestI8DivExample end } BB21 { - [#"../checked_ops.rs" 297 12 297 37] _31 <- ([#"../checked_ops.rs" 297 12 297 37] wrapping_div0 (-128 : int8) (-1 : int8)); + [#"../checked_ops.rs" 297 12 297 37] _31 <- ([#"../checked_ops.rs" 297 12 297 37] wrapping_div0 ([#"../checked_ops.rs" 297 12 297 20] (-128 : int8)) ([#"../checked_ops.rs" 297 34 297 36] (-1 : int8))); goto BB23 } BB22 { 
@@ -5161,7 +5368,7 @@ module CheckedOps_TestI8DivExample absurd } BB23 { - [#"../checked_ops.rs" 297 12 297 45] _30 <- ([#"../checked_ops.rs" 297 12 297 45] _31 = (-128 : int8)); + [#"../checked_ops.rs" 297 12 297 45] _30 <- ([#"../checked_ops.rs" 297 12 297 45] _31 = ([#"../checked_ops.rs" 297 41 297 45] (-128 : int8))); _31 <- any int8; switch (_30) | False -> goto BB25 @@ -5169,7 +5376,7 @@ module CheckedOps_TestI8DivExample end } BB24 { - [#"../checked_ops.rs" 299 12 299 33] _35 <- ([#"../checked_ops.rs" 299 12 299 33] saturating_div0 (5 : int8) (2 : int8)); + [#"../checked_ops.rs" 299 12 299 33] _35 <- ([#"../checked_ops.rs" 299 12 299 33] saturating_div0 ([#"../checked_ops.rs" 299 12 299 15] (5 : int8)) ([#"../checked_ops.rs" 299 31 299 32] (2 : int8))); goto BB26 } BB25 { @@ -5177,7 +5384,7 @@ module CheckedOps_TestI8DivExample absurd } BB26 { - [#"../checked_ops.rs" 299 12 299 38] _34 <- ([#"../checked_ops.rs" 299 12 299 38] _35 = (2 : int8)); + [#"../checked_ops.rs" 299 12 299 38] _34 <- ([#"../checked_ops.rs" 299 12 299 38] _35 = ([#"../checked_ops.rs" 299 37 299 38] (2 : int8))); _35 <- any int8; switch (_34) | False -> goto BB28 @@ -5185,7 +5392,7 @@ module CheckedOps_TestI8DivExample end } BB27 { - [#"../checked_ops.rs" 300 12 300 34] _39 <- ([#"../checked_ops.rs" 300 12 300 34] saturating_div0 (5 : int8) (-2 : int8)); + [#"../checked_ops.rs" 300 12 300 34] _39 <- ([#"../checked_ops.rs" 300 12 300 34] saturating_div0 ([#"../checked_ops.rs" 300 12 300 15] (5 : int8)) ([#"../checked_ops.rs" 300 31 300 33] (-2 : int8))); goto BB29 } BB28 { @@ -5193,7 +5400,7 @@ module CheckedOps_TestI8DivExample absurd } BB29 { - [#"../checked_ops.rs" 300 12 300 40] _38 <- ([#"../checked_ops.rs" 300 12 300 40] _39 = (-2 : int8)); + [#"../checked_ops.rs" 300 12 300 40] _38 <- ([#"../checked_ops.rs" 300 12 300 40] _39 = ([#"../checked_ops.rs" 300 38 300 40] (-2 : int8))); _39 <- any int8; switch (_38) | False -> goto BB31 
@@ -5201,7 +5408,7 @@ module CheckedOps_TestI8DivExample end } BB30 { - [#"../checked_ops.rs" 301 12 301 39] _43 <- ([#"../checked_ops.rs" 301 12 301 39] saturating_div0 (-128 : int8) (-1 : int8)); + [#"../checked_ops.rs" 301 12 301 39] _43 <- ([#"../checked_ops.rs" 301 12 301 39] saturating_div0 ([#"../checked_ops.rs" 301 12 301 20] (-128 : int8)) ([#"../checked_ops.rs" 301 36 301 38] (-1 : int8))); goto BB32 } BB31 { @@ -5209,7 +5416,7 @@ module CheckedOps_TestI8DivExample absurd } BB32 { - [#"../checked_ops.rs" 301 12 301 47] _42 <- ([#"../checked_ops.rs" 301 12 301 47] _43 = (-128 : int8)); + [#"../checked_ops.rs" 301 12 301 47] _42 <- ([#"../checked_ops.rs" 301 12 301 47] _43 = ([#"../checked_ops.rs" 301 43 301 47] (-128 : int8))); _43 <- any int8; switch (_42) | False -> goto BB34 @@ -5217,7 +5424,7 @@ module CheckedOps_TestI8DivExample end } BB33 { - [#"../checked_ops.rs" 303 14 303 36] res <- ([#"../checked_ops.rs" 303 14 303 36] overflowing_div0 (5 : int8) (2 : int8)); + [#"../checked_ops.rs" 303 14 303 36] res <- ([#"../checked_ops.rs" 303 14 303 36] overflowing_div0 ([#"../checked_ops.rs" 303 14 303 17] (5 : int8)) ([#"../checked_ops.rs" 303 34 303 35] (2 : int8))); goto BB35 } BB34 { @@ -5225,7 +5432,7 @@ module CheckedOps_TestI8DivExample absurd } BB35 { - [#"../checked_ops.rs" 304 12 304 22] _47 <- ([#"../checked_ops.rs" 304 12 304 22] (let (a, _) = res in a) = (2 : int8)); + [#"../checked_ops.rs" 304 12 304 22] _47 <- ([#"../checked_ops.rs" 304 12 304 22] (let (a, _) = res in a) = ([#"../checked_ops.rs" 304 21 304 22] (2 : int8))); switch (_47) | False -> goto BB39 | True -> goto BB36 
@@ -5233,14 +5440,14 @@ module CheckedOps_TestI8DivExample } BB36 { assume { resolve0 res }; - [#"../checked_ops.rs" 304 26 304 40] _49 <- ([#"../checked_ops.rs" 304 26 304 40] Bool.eqb (let (_, a) = res in a) false); + [#"../checked_ops.rs" 304 26 304 40] _49 <- ([#"../checked_ops.rs" 304 26 304 40] Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 304 35 304 40] false)); switch (_49) | False -> goto BB38 | True -> goto BB37 end } BB37 { - [#"../checked_ops.rs" 305 14 305 37] res1 <- ([#"../checked_ops.rs" 305 14 305 37] overflowing_div0 (5 : int8) (-2 : int8)); + [#"../checked_ops.rs" 305 14 305 37] res1 <- ([#"../checked_ops.rs" 305 14 305 37] overflowing_div0 ([#"../checked_ops.rs" 305 14 305 17] (5 : int8)) ([#"../checked_ops.rs" 305 34 305 36] (-2 : int8))); goto BB41 } BB38 { @@ -5255,7 +5462,7 @@ module CheckedOps_TestI8DivExample absurd } BB41 { - [#"../checked_ops.rs" 306 12 306 23] _54 <- ([#"../checked_ops.rs" 306 12 306 23] (let (a, _) = res1 in a) = (-2 : int8)); + [#"../checked_ops.rs" 306 12 306 23] _54 <- ([#"../checked_ops.rs" 306 12 306 23] (let (a, _) = res1 in a) = ([#"../checked_ops.rs" 306 21 306 23] (-2 : int8))); switch (_54) | False -> goto BB45 | True -> goto BB42 
@@ -5263,14 +5470,14 @@ module CheckedOps_TestI8DivExample } BB42 { assume { resolve0 res1 }; - [#"../checked_ops.rs" 306 27 306 41] _56 <- ([#"../checked_ops.rs" 306 27 306 41] Bool.eqb (let (_, a) = res1 in a) false); + [#"../checked_ops.rs" 306 27 306 41] _56 <- ([#"../checked_ops.rs" 306 27 306 41] Bool.eqb (let (_, a) = res1 in a) ([#"../checked_ops.rs" 306 36 306 41] false)); switch (_56) | False -> goto BB44 | True -> goto BB43 end } BB43 { - [#"../checked_ops.rs" 307 14 307 42] res2 <- ([#"../checked_ops.rs" 307 14 307 42] overflowing_div0 (-128 : int8) (-1 : int8)); + [#"../checked_ops.rs" 307 14 307 42] res2 <- ([#"../checked_ops.rs" 307 14 307 42] overflowing_div0 ([#"../checked_ops.rs" 307 14 307 22] (-128 : int8)) ([#"../checked_ops.rs" 307 39 307 41] (-1 : int8))); goto BB47 } BB44 { @@ -5285,7 +5492,7 @@ module CheckedOps_TestI8DivExample absurd } BB47 { - [#"../checked_ops.rs" 308 12 308 25] _61 <- ([#"../checked_ops.rs" 308 12 308 25] (let (a, _) = res2 in a) = (-128 : int8)); + [#"../checked_ops.rs" 308 12 308 25] _61 <- ([#"../checked_ops.rs" 308 12 308 25] (let (a, _) = res2 in a) = ([#"../checked_ops.rs" 308 21 308 25] (-128 : int8))); switch (_61) | False -> goto BB51 | True -> goto BB48 @@ -5293,14 +5500,14 @@ module CheckedOps_TestI8DivExample } BB48 { assume { resolve0 res2 }; - [#"../checked_ops.rs" 308 29 308 42] _63 <- ([#"../checked_ops.rs" 308 29 308 42] Bool.eqb (let (_, a) = res2 in a) true); + [#"../checked_ops.rs" 308 29 308 42] _63 <- ([#"../checked_ops.rs" 308 29 308 42] Bool.eqb (let (_, a) = res2 in a) ([#"../checked_ops.rs" 308 38 308 42] true)); switch (_63) | False -> goto BB50 | True -> goto BB49 end } BB49 { - [#"../checked_ops.rs" 289 29 309 1] _0 <- ([#"../checked_ops.rs" 289 29 309 1] ()); + [#"../checked_ops.rs" 289 29 309 1] _0 <- ([#"../checked_ops.rs" 289 29 309 1] [#"../checked_ops.rs" 289 29 309 1] ()); return _0 } BB50 { 
@@ -5361,18 +5568,21 @@ module CheckedOps_TestI8DivNoOverflow (-128 : int8) val overflowing_div0 (self : int8) (rhs : int8) : (int8, bool) requires {[#"../../../../creusot-contracts/src/std/num.rs" 91 27 91 36] Int8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 93 16 93 87] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 93 16 93 87] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 95 26 95 91] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 \/ Int8.to_int (let (a, _) = result in a) = div (Int8.to_int self) (Int8.to_int rhs) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 97 26 97 74] (let (_, a) = result in a) = (Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1) } val saturating_div0 (self : int8) (rhs : int8) : int8 requires {[#"../../../../creusot-contracts/src/std/num.rs" 82 27 82 36] Int8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 84 16 84 91] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 -> Int8.to_int result = Int8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 84 16 84 91] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 + -> Int8.to_int result = Int8.to_int min0 } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 86 26 86 89] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 \/ Int8.to_int result = div (Int8.to_int self) (Int8.to_int rhs) } val wrapping_div0 (self : int8) (rhs : int8) : int8 requires {[#"../../../../creusot-contracts/src/std/num.rs" 73 27 73 36] Int8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 75 16 75 85] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = 
- 1 -> Int8.to_int result = Int8.to_int self } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 75 16 75 85] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 + -> Int8.to_int result = Int8.to_int self } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 77 26 77 89] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 \/ Int8.to_int result = div (Int8.to_int self) (Int8.to_int rhs) } val unwrap0 (self : Core_Option_Option_Type.t_option int8) : int8 @@ -5383,7 +5593,8 @@ module CheckedOps_TestI8DivNoOverflow val checked_div0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 66 26 66 97] (result = Core_Option_Option_Type.C_None) = (Int8.to_int rhs = 0 \/ Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = div (Int8.to_int self) (Int8.to_int rhs) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = div (Int8.to_int self) (Int8.to_int rhs) } let rec cfg test_i8_div_no_overflow [#"../checked_ops.rs" 313 0 313 44] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) (b : int8) : () requires {[#"../checked_ops.rs" 312 11 312 46] Int8.to_int b <> 0 /\ (Int8.to_int a <> - 128 \/ Int8.to_int b <> - 1)} 
@@ -5445,13 +5656,13 @@ module CheckedOps_TestI8DivNoOverflow BB2 { [#"../checked_ops.rs" 314 41 314 42] _11 <- ([#"../checked_ops.rs" 314 41 314 42] a); [#"../checked_ops.rs" 314 45 314 46] _12 <- ([#"../checked_ops.rs" 314 45 314 46] b); - [#"../checked_ops.rs" 314 41 314 46] _13 <- ([#"../checked_ops.rs" 314 41 314 46] _12 = (0 : int8)); + [#"../checked_ops.rs" 314 41 314 46] _13 <- ([#"../checked_ops.rs" 314 41 314 46] _12 = ([#"../checked_ops.rs" 314 41 314 46] (0 : int8))); assert { [@expl:division by zero] [#"../checked_ops.rs" 314 41 314 46] not _13 }; goto BB3 } BB3 { - [#"../checked_ops.rs" 314 41 314 46] _14 <- ([#"../checked_ops.rs" 314 41 314 46] _12 = (-1 : int8)); - [#"../checked_ops.rs" 314 41 314 46] _15 <- ([#"../checked_ops.rs" 314 41 314 46] _11 = (-128 : int8)); + [#"../checked_ops.rs" 314 41 314 46] _14 <- ([#"../checked_ops.rs" 314 41 314 46] _12 = ([#"../checked_ops.rs" 314 41 314 46] (-1 : int8))); + [#"../checked_ops.rs" 314 41 314 46] _15 <- ([#"../checked_ops.rs" 314 41 314 46] _11 = ([#"../checked_ops.rs" 314 41 314 46] (-128 : int8))); [#"../checked_ops.rs" 314 41 314 46] _16 <- ([#"../checked_ops.rs" 314 41 314 46] _14 && _15); _14 <- any bool; _15 <- any bool; 
@@ -5481,13 +5692,13 @@ module CheckedOps_TestI8DivNoOverflow BB7 { [#"../checked_ops.rs" 315 33 315 34] _24 <- ([#"../checked_ops.rs" 315 33 315 34] a); [#"../checked_ops.rs" 315 37 315 38] _25 <- ([#"../checked_ops.rs" 315 37 315 38] b); - [#"../checked_ops.rs" 315 33 315 38] _26 <- ([#"../checked_ops.rs" 315 33 315 38] _25 = (0 : int8)); + [#"../checked_ops.rs" 315 33 315 38] _26 <- ([#"../checked_ops.rs" 315 33 315 38] _25 = ([#"../checked_ops.rs" 315 33 315 38] (0 : int8))); assert { [@expl:division by zero] [#"../checked_ops.rs" 315 33 315 38] not _26 }; goto BB8 } BB8 { - [#"../checked_ops.rs" 315 33 315 38] _27 <- ([#"../checked_ops.rs" 315 33 315 38] _25 = (-1 : int8)); - [#"../checked_ops.rs" 315 33 315 38] _28 <- ([#"../checked_ops.rs" 315 33 315 38] _24 = (-128 : int8)); + [#"../checked_ops.rs" 315 33 315 38] _27 <- ([#"../checked_ops.rs" 315 33 315 38] _25 = ([#"../checked_ops.rs" 315 33 315 38] (-1 : int8))); + [#"../checked_ops.rs" 315 33 315 38] _28 <- ([#"../checked_ops.rs" 315 33 315 38] _24 = ([#"../checked_ops.rs" 315 33 315 38] (-128 : int8))); [#"../checked_ops.rs" 315 33 315 38] _29 <- ([#"../checked_ops.rs" 315 33 315 38] _27 && _28); _27 <- any bool; _28 <- any bool; 
@@ -5517,13 +5728,13 @@ module CheckedOps_TestI8DivNoOverflow BB12 { [#"../checked_ops.rs" 316 35 316 36] _37 <- ([#"../checked_ops.rs" 316 35 316 36] a); [#"../checked_ops.rs" 316 39 316 40] _38 <- ([#"../checked_ops.rs" 316 39 316 40] b); - [#"../checked_ops.rs" 316 35 316 40] _39 <- ([#"../checked_ops.rs" 316 35 316 40] _38 = (0 : int8)); + [#"../checked_ops.rs" 316 35 316 40] _39 <- ([#"../checked_ops.rs" 316 35 316 40] _38 = ([#"../checked_ops.rs" 316 35 316 40] (0 : int8))); assert { [@expl:division by zero] [#"../checked_ops.rs" 316 35 316 40] not _39 }; goto BB13 } BB13 { - [#"../checked_ops.rs" 316 35 316 40] _40 <- ([#"../checked_ops.rs" 316 35 316 40] _38 = (-1 : int8)); - [#"../checked_ops.rs" 316 35 316 40] _41 <- ([#"../checked_ops.rs" 316 35 316 40] _37 = (-128 : int8)); + [#"../checked_ops.rs" 316 35 316 40] _40 <- ([#"../checked_ops.rs" 316 35 316 40] _38 = ([#"../checked_ops.rs" 316 35 316 40] (-1 : int8))); + [#"../checked_ops.rs" 316 35 316 40] _41 <- ([#"../checked_ops.rs" 316 35 316 40] _37 = ([#"../checked_ops.rs" 316 35 316 40] (-128 : int8))); [#"../checked_ops.rs" 316 35 316 40] _42 <- ([#"../checked_ops.rs" 316 35 316 40] _40 && _41); _40 <- any bool; _41 <- any bool; 
@@ -5553,13 +5764,13 @@ module CheckedOps_TestI8DivNoOverflow BB17 { [#"../checked_ops.rs" 318 21 318 22] _51 <- ([#"../checked_ops.rs" 318 21 318 22] a); [#"../checked_ops.rs" 318 25 318 26] _52 <- ([#"../checked_ops.rs" 318 25 318 26] b); - [#"../checked_ops.rs" 318 21 318 26] _53 <- ([#"../checked_ops.rs" 318 21 318 26] _52 = (0 : int8)); + [#"../checked_ops.rs" 318 21 318 26] _53 <- ([#"../checked_ops.rs" 318 21 318 26] _52 = ([#"../checked_ops.rs" 318 21 318 26] (0 : int8))); assert { [@expl:division by zero] [#"../checked_ops.rs" 318 21 318 26] not _53 }; goto BB18 } BB18 { - [#"../checked_ops.rs" 318 21 318 26] _54 <- ([#"../checked_ops.rs" 318 21 318 26] _52 = (-1 : int8)); - [#"../checked_ops.rs" 318 21 318 26] _55 <- ([#"../checked_ops.rs" 318 21 318 26] _51 = (-128 : int8)); + [#"../checked_ops.rs" 318 21 318 26] _54 <- ([#"../checked_ops.rs" 318 21 318 26] _52 = ([#"../checked_ops.rs" 318 21 318 26] (-1 : int8))); + [#"../checked_ops.rs" 318 21 318 26] _55 <- ([#"../checked_ops.rs" 318 21 318 26] _51 = ([#"../checked_ops.rs" 318 21 318 26] (-128 : int8))); [#"../checked_ops.rs" 318 21 318 26] _56 <- ([#"../checked_ops.rs" 318 21 318 26] _54 && _55); _54 <- any bool; _55 <- any bool; @@ -5579,14 +5790,14 @@ module CheckedOps_TestI8DivNoOverflow } BB20 { assume { resolve0 res }; - [#"../checked_ops.rs" 318 30 318 44] _57 <- ([#"../checked_ops.rs" 318 30 318 44] Bool.eqb (let (_, a) = res in a) false); + [#"../checked_ops.rs" 318 30 318 44] _57 <- ([#"../checked_ops.rs" 318 30 318 44] Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 318 39 318 44] false)); switch (_57) | False -> goto BB22 | True -> goto BB21 end } BB21 { - [#"../checked_ops.rs" 313 45 319 1] _0 <- ([#"../checked_ops.rs" 313 45 319 1] ()); + [#"../checked_ops.rs" 313 45 319 1] _0 <- ([#"../checked_ops.rs" 313 45 319 1] [#"../checked_ops.rs" 313 45 319 1] ()); return _0 } BB22 { 
@@ -5626,7 +5837,8 @@ module CheckedOps_TestI8DivZero use prelude.Int8 val checked_div0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 66 26 66 97] (result = Core_Option_Option_Type.C_None) = (Int8.to_int rhs = 0 \/ Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = div (Int8.to_int self) (Int8.to_int rhs) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = div (Int8.to_int self) (Int8.to_int rhs) } let rec cfg test_i8_div_zero [#"../checked_ops.rs" 322 0 322 30] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) : () @@ -5639,7 +5851,7 @@ module CheckedOps_TestI8DivZero goto BB0 } BB0 { - [#"../checked_ops.rs" 323 12 323 28] _5 <- ([#"../checked_ops.rs" 323 12 323 28] checked_div0 a (0 : int8)); + [#"../checked_ops.rs" 323 12 323 28] _5 <- ([#"../checked_ops.rs" 323 12 323 28] checked_div0 a ([#"../checked_ops.rs" 323 26 323 27] (0 : int8))); goto BB1 } BB1 { @@ -5653,7 +5865,7 @@ module CheckedOps_TestI8DivZero end } BB3 { - [#"../checked_ops.rs" 322 31 324 1] _0 <- ([#"../checked_ops.rs" 322 31 324 1] ()); + [#"../checked_ops.rs" 322 31 324 1] _0 <- ([#"../checked_ops.rs" 322 31 324 1] [#"../checked_ops.rs" 322 31 324 1] ()); return _0 } BB4 { diff --git a/creusot/tests/should_succeed/clones/01.mlcfg b/creusot/tests/should_succeed/clones/01.mlcfg index 4f78788119..a70fee1e4c 100644 --- a/creusot/tests/should_succeed/clones/01.mlcfg +++ b/creusot/tests/should_succeed/clones/01.mlcfg @@ -7,7 +7,7 @@ module C01_Func1 goto BB0 } BB0 { - [#"../01.rs" 6 11 6 13] _0 <- ([#"../01.rs" 6 11 6 13] ()); + [#"../01.rs" 6 11 6 13] _0 <- ([#"../01.rs" 6 11 6 13] [#"../01.rs" 6 11 6 13] ()); return _0 } 
@@ -21,7 +21,7 @@ module C01_Func2 goto BB0 } BB0 { - [#"../01.rs" 9 4 9 11] _0 <- ([#"../01.rs" 9 4 9 11] func10 ()); + [#"../01.rs" 9 4 9 11] _0 <- ([#"../01.rs" 9 4 9 11] func10 ([#"../01.rs" 9 4 9 11] ())); goto BB1 } BB1 { @@ -38,7 +38,7 @@ module C01_Func3 goto BB0 } BB0 { - [#"../01.rs" 13 4 13 11] _0 <- ([#"../01.rs" 13 4 13 11] func20 ()); + [#"../01.rs" 13 4 13 11] _0 <- ([#"../01.rs" 13 4 13 11] func20 ([#"../01.rs" 13 4 13 11] ())); goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/clones/02.mlcfg b/creusot/tests/should_succeed/clones/02.mlcfg index 0562b05b45..6e247c4b82 100644 --- a/creusot/tests/should_succeed/clones/02.mlcfg +++ b/creusot/tests/should_succeed/clones/02.mlcfg @@ -20,7 +20,7 @@ module C02_Program goto BB0 } BB0 { - [#"../02.rs" 20 17 20 19] _0 <- ([#"../02.rs" 20 17 20 19] ()); + [#"../02.rs" 20 17 20 19] _0 <- ([#"../02.rs" 20 17 20 19] [#"../02.rs" 20 17 20 19] ()); return _0 } diff --git a/creusot/tests/should_succeed/clones/03.mlcfg b/creusot/tests/should_succeed/clones/03.mlcfg index 3700068abf..08767dbdb7 100644 --- a/creusot/tests/should_succeed/clones/03.mlcfg +++ b/creusot/tests/should_succeed/clones/03.mlcfg @@ -35,7 +35,7 @@ module C03_Prog goto BB1 } BB1 { - [#"../03.rs" 11 17 11 19] _0 <- ([#"../03.rs" 11 17 11 19] ()); + [#"../03.rs" 11 17 11 19] _0 <- ([#"../03.rs" 11 17 11 19] [#"../03.rs" 11 17 11 19] ()); goto BB2 } BB2 { @@ -81,11 +81,11 @@ module C03_Prog2 goto BB0 } BB0 { - [#"../03.rs" 15 4 15 11] _2 <- ([#"../03.rs" 15 4 15 11] prog0 (0 : int32)); + [#"../03.rs" 15 4 15 11] _2 <- ([#"../03.rs" 15 4 15 11] prog0 ([#"../03.rs" 15 9 15 10] (0 : int32))); goto BB1 } BB1 { - [#"../03.rs" 14 15 16 1] _0 <- ([#"../03.rs" 14 15 16 1] ()); + [#"../03.rs" 14 15 16 1] _0 <- ([#"../03.rs" 14 15 16 1] [#"../03.rs" 14 15 16 1] ()); return _0 } 
@@ -106,7 +106,7 @@ module C03_Prog3 goto BB0 } BB0 { - [#"../03.rs" 19 15 19 17] _0 <- ([#"../03.rs" 19 15 19 17] ()); + [#"../03.rs" 19 15 19 17] _0 <- ([#"../03.rs" 19 15 19 17] [#"../03.rs" 19 15 19 17] ()); return _0 } diff --git a/creusot/tests/should_succeed/clones/04.mlcfg b/creusot/tests/should_succeed/clones/04.mlcfg index ddc9b27915..cc351488ad 100644 --- a/creusot/tests/should_succeed/clones/04.mlcfg +++ b/creusot/tests/should_succeed/clones/04.mlcfg @@ -26,7 +26,7 @@ module C04_F goto BB0 } BB0 { - [#"../04.rs" 21 17 21 19] _0 <- ([#"../04.rs" 21 17 21 19] ()); + [#"../04.rs" 21 17 21 19] _0 <- ([#"../04.rs" 21 17 21 19] [#"../04.rs" 21 17 21 19] ()); return _0 } diff --git a/creusot/tests/should_succeed/closures/01_basic.mlcfg b/creusot/tests/should_succeed/closures/01_basic.mlcfg index 6490d5da08..586adb364a 100644 --- a/creusot/tests/should_succeed/closures/01_basic.mlcfg +++ b/creusot/tests/should_succeed/closures/01_basic.mlcfg @@ -56,7 +56,7 @@ module C01Basic_UsesClosure goto BB0 } BB0 { - [#"../01_basic.rs" 5 12 5 16] y <- ([#"../01_basic.rs" 5 12 5 16] true); + [#"../01_basic.rs" 5 12 5 16] y <- ([#"../01_basic.rs" 5 12 5 16] [#"../01_basic.rs" 5 12 5 16] true); [#"../01_basic.rs" 6 13 6 19] _4 <- ([#"../01_basic.rs" 6 13 6 19] C01Basic_UsesClosure_Closure0.C01Basic_UsesClosure_Closure0 y); [#"../01_basic.rs" 6 13 6 21] _6 <- ([#"../01_basic.rs" 6 13 6 21] ()); [#"../01_basic.rs" 6 13 6 21] _x <- ([#"../01_basic.rs" 6 13 6 21] let () = _6 in closure00 _4); @@ -65,7 +65,7 @@ module C01Basic_UsesClosure } BB1 { assume { resolve0 _4 }; - [#"../01_basic.rs" 4 22 7 1] _0 <- ([#"../01_basic.rs" 4 22 7 1] ()); + [#"../01_basic.rs" 4 22 7 1] _0 <- ([#"../01_basic.rs" 4 22 7 1] [#"../01_basic.rs" 4 22 7 1] ()); return _0 } 
@@ -119,14 +119,14 @@ module C01Basic_MultiArg } BB0 { [#"../01_basic.rs" 10 12 10 24] x <- ([#"../01_basic.rs" 10 12 10 24] C01Basic_MultiArg_Closure0.C01Basic_MultiArg_Closure0); - [#"../01_basic.rs" 11 13 11 22] _4 <- ([#"../01_basic.rs" 11 13 11 22] ((0 : int32), (3 : int32))); + [#"../01_basic.rs" 11 13 11 22] _4 <- ([#"../01_basic.rs" 11 13 11 22] (([#"../01_basic.rs" 11 17 11 18] (0 : int32)), ([#"../01_basic.rs" 11 20 11 21] (3 : int32)))); [#"../01_basic.rs" 11 13 11 22] _a <- ([#"../01_basic.rs" 11 13 11 22] let (a, b) = _4 in closure00 x a b); _4 <- any (int32, int32); goto BB1 } BB1 { assume { resolve0 x }; - [#"../01_basic.rs" 9 19 12 1] _0 <- ([#"../01_basic.rs" 9 19 12 1] ()); + [#"../01_basic.rs" 9 19 12 1] _0 <- ([#"../01_basic.rs" 9 19 12 1] [#"../01_basic.rs" 9 19 12 1] ()); return _0 } @@ -172,9 +172,9 @@ module C01Basic_MoveClosure_Closure0 goto BB0 } BB0 { - [#"../01_basic.rs" 20 8 20 15] _1 <- { _1 with current = (let C01Basic_MoveClosure_Closure0.C01Basic_MoveClosure_Closure0 x0 = * _1 in C01Basic_MoveClosure_Closure0.C01Basic_MoveClosure_Closure0 ({ (field_00 ( * _1)) with current = ([#"../01_basic.rs" 20 8 20 15] * field_00 ( * _1) + (1 : int32)) ; })) ; }; + [#"../01_basic.rs" 20 8 20 15] _1 <- { _1 with current = (let C01Basic_MoveClosure_Closure0.C01Basic_MoveClosure_Closure0 x0 = * _1 in C01Basic_MoveClosure_Closure0.C01Basic_MoveClosure_Closure0 ({ (field_00 ( * _1)) with current = ([#"../01_basic.rs" 20 8 20 15] * field_00 ( * _1) + ([#"../01_basic.rs" 20 14 20 15] (1 : int32))) ; })) ; }; assume { resolve0 _1 }; - [#"../01_basic.rs" 19 24 21 5] _0 <- ([#"../01_basic.rs" 19 24 21 5] ()); + [#"../01_basic.rs" 19 24 21 5] _0 <- ([#"../01_basic.rs" 19 24 21 5] [#"../01_basic.rs" 19 24 21 5] ()); return _0 } 
@@ -228,7 +228,7 @@ module C01Basic_MoveClosure goto BB0 } BB0 { - [#"../01_basic.rs" 17 17 17 21] _2 <- ([#"../01_basic.rs" 17 17 17 21] (0 : int32)); + [#"../01_basic.rs" 17 17 17 21] _2 <- ([#"../01_basic.rs" 17 17 17 21] [#"../01_basic.rs" 17 17 17 21] (0 : int32)); [#"../01_basic.rs" 17 12 17 21] a <- Borrow.borrow_mut _2; [#"../01_basic.rs" 17 12 17 21] _2 <- ^ a; [#"../01_basic.rs" 19 16 21 5] x <- ([#"../01_basic.rs" 19 16 21 5] C01Basic_MoveClosure_Closure0.C01Basic_MoveClosure_Closure0 a); @@ -252,7 +252,7 @@ module C01Basic_MoveClosure } BB2 { assume { resolve0 x }; - [#"../01_basic.rs" 16 22 25 1] _0 <- ([#"../01_basic.rs" 16 22 25 1] ()); + [#"../01_basic.rs" 16 22 25 1] _0 <- ([#"../01_basic.rs" 16 22 25 1] [#"../01_basic.rs" 16 22 25 1] ()); return _0 } @@ -318,7 +318,7 @@ module C01Basic_MoveMut_Closure0 goto BB0 } BB0 { - [#"../01_basic.rs" 36 12 36 21] _3 <- ([#"../01_basic.rs" 36 12 36 21] new_ref0 ()); + [#"../01_basic.rs" 36 12 36 21] _3 <- ([#"../01_basic.rs" 36 12 36 21] new_ref0 ([#"../01_basic.rs" 36 12 36 21] ())); goto BB1 } BB1 { @@ -329,7 +329,7 @@ module C01Basic_MoveMut_Closure0 assume { resolve0 (field_00 ( * _1)) }; assume { resolve1 _1 }; assume { resolve0 _3 }; - [#"../01_basic.rs" 35 24 37 5] _0 <- ([#"../01_basic.rs" 35 24 37 5] ()); + [#"../01_basic.rs" 35 24 37 5] _0 <- ([#"../01_basic.rs" 35 24 37 5] [#"../01_basic.rs" 35 24 37 5] ()); return _0 } @@ -395,7 +395,7 @@ module C01Basic_MoveMut goto BB0 } BB0 { - [#"../01_basic.rs" 33 21 33 25] _2 <- ([#"../01_basic.rs" 33 21 33 25] (0 : uint32)); + [#"../01_basic.rs" 33 21 33 25] _2 <- ([#"../01_basic.rs" 33 21 33 25] [#"../01_basic.rs" 33 21 33 25] (0 : uint32)); [#"../01_basic.rs" 33 16 33 25] x <- Borrow.borrow_mut _2; [#"../01_basic.rs" 33 16 33 25] _2 <- ^ x; [#"../01_basic.rs" 35 16 37 5] a <- ([#"../01_basic.rs" 35 16 37 5] C01Basic_MoveMut_Closure0.C01Basic_MoveMut_Closure0 x); 
@@ -419,7 +419,7 @@ module C01Basic_MoveMut } BB2 { assume { resolve0 a }; - [#"../01_basic.rs" 32 18 40 1] _0 <- ([#"../01_basic.rs" 32 18 40 1] ()); + [#"../01_basic.rs" 32 18 40 1] _0 <- ([#"../01_basic.rs" 32 18 40 1] [#"../01_basic.rs" 32 18 40 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/closures/02_nested.mlcfg b/creusot/tests/should_succeed/closures/02_nested.mlcfg index 333554df29..1dd5c80699 100644 --- a/creusot/tests/should_succeed/closures/02_nested.mlcfg +++ b/creusot/tests/should_succeed/closures/02_nested.mlcfg @@ -128,7 +128,7 @@ module C02Nested_NestedClosure goto BB0 } BB0 { - [#"../02_nested.rs" 4 12 4 16] a <- ([#"../02_nested.rs" 4 12 4 16] true); + [#"../02_nested.rs" 4 12 4 16] a <- ([#"../02_nested.rs" 4 12 4 16] [#"../02_nested.rs" 4 12 4 16] true); [#"../02_nested.rs" 5 13 8 6] _4 <- ([#"../02_nested.rs" 5 13 8 6] C02Nested_NestedClosure_Closure0.C02Nested_NestedClosure_Closure0 a); [#"../02_nested.rs" 5 13 8 8] _6 <- ([#"../02_nested.rs" 5 13 8 8] ()); [#"../02_nested.rs" 5 13 8 8] _a <- ([#"../02_nested.rs" 5 13 8 8] let () = _6 in closure00 _4); @@ -137,7 +137,7 @@ module C02Nested_NestedClosure } BB1 { assume { resolve0 _4 }; - [#"../02_nested.rs" 3 24 9 1] _0 <- ([#"../02_nested.rs" 3 24 9 1] ()); + [#"../02_nested.rs" 3 24 9 1] _0 <- ([#"../02_nested.rs" 3 24 9 1] [#"../02_nested.rs" 3 24 9 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/closures/03_generic_bound.mlcfg b/creusot/tests/should_succeed/closures/03_generic_bound.mlcfg index f68b76137f..9a25790a9a 100644 --- a/creusot/tests/should_succeed/closures/03_generic_bound.mlcfg +++ b/creusot/tests/should_succeed/closures/03_generic_bound.mlcfg 
@@ -38,7 +38,10 @@ module C03GenericBound_ClosureParam requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : uint32, res : () . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv2 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv4 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : uint32, res : () . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv2 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv4 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -52,13 +55,19 @@ module C03GenericBound_ClosureParam requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : uint32) (res : ()) : () val postcondition_mut_unnest0 (self : borrowed f) (args : uint32) (res : ()) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -67,7 +76,11 @@ module C03GenericBound_ClosureParam requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : uint32, res : () . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv2 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : uint32, res : () . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv2 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant4 (self : borrowed f) val invariant4 (self : borrowed f) : bool ensures { result = invariant4 self } 
@@ -90,7 +103,10 @@ module C03GenericBound_ClosureParam requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv3 res} ensures { result = fn_once0 self args res } - axiom fn_once0_spec : forall self : f, args : uint32, res : () . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv2 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once0 self args res = (resolve0 self /\ postcondition0 self args res)) + axiom fn_once0_spec : forall self : f, args : uint32, res : () . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv2 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv3 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once0 self args res = (resolve0 self /\ postcondition0 self args res)) predicate resolve1 (self : borrowed f) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed f) : bool 
@@ -103,7 +119,10 @@ module C03GenericBound_ClosureParam requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv3 res} ensures { result = fn_mut0 self args res } - axiom fn_mut0_spec : forall self : borrowed f, args : uint32, res : () . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv2 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve1 self /\ postcondition0 ( * self) args res)) + axiom fn_mut0_spec : forall self : borrowed f, args : uint32, res : () . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv2 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv3 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve1 self /\ postcondition0 ( * self) args res)) predicate invariant2 (self : uint32) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant2 (self : uint32) : bool @@ -147,7 +166,7 @@ module C03GenericBound_ClosureParam goto BB0 } BB0 { - [#"../03_generic_bound.rs" 4 4 4 10] _3 <- ([#"../03_generic_bound.rs" 4 4 4 10] ((0 : uint32))); + [#"../03_generic_bound.rs" 4 4 4 10] _3 <- ([#"../03_generic_bound.rs" 4 4 4 10] (([#"../03_generic_bound.rs" 4 8 4 9] (0 : uint32)))); [#"../03_generic_bound.rs" 4 4 4 10] _0 <- ([#"../03_generic_bound.rs" 4 4 4 10] call0 f _3); _3 <- any uint32; goto BB1 diff --git a/creusot/tests/should_succeed/closures/04_generic_closure.mlcfg b/creusot/tests/should_succeed/closures/04_generic_closure.mlcfg index 1d07ea19da..3521e7b2ab 100644 --- a/creusot/tests/should_succeed/closures/04_generic_closure.mlcfg 
+++ b/creusot/tests/should_succeed/closures/04_generic_closure.mlcfg @@ -39,7 +39,10 @@ module C04GenericClosure_GenericClosure requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv4 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv5 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv4 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv5 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -53,13 +56,19 @@ module C04GenericClosure_GenericClosure requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -68,7 +77,11 @@ module C04GenericClosure_GenericClosure requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv4 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv4 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant5 (self : borrowed f) val invariant5 (self : borrowed f) : bool ensures { result = invariant5 self } 
@@ -85,7 +98,10 @@ module C04GenericClosure_GenericClosure requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv2 res} ensures { result = fn_once0 self args res } - axiom fn_once0_spec : forall self : f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv4 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once0 self args res = (resolve0 self /\ postcondition0 self args res)) + axiom fn_once0_spec : forall self : f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv4 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once0 self args res = (resolve0 self /\ postcondition0 self args res)) predicate resolve1 (self : borrowed f) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed f) : bool 
@@ -98,7 +114,10 @@ module C04GenericClosure_GenericClosure requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv2 res} ensures { result = fn_mut0 self args res } - axiom fn_mut0_spec : forall self : borrowed f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv4 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve1 self /\ postcondition0 ( * self) args res)) + axiom fn_mut0_spec : forall self : borrowed f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv4 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve1 self /\ postcondition0 ( * self) args res)) predicate invariant4 (self : a) val invariant4 (self : a) : bool ensures { result = invariant4 self } @@ -285,7 +304,7 @@ module C04GenericClosure_Mapper goto BB1 } BB1 { - [#"../04_generic_closure.rs" 7 23 9 1] _0 <- ([#"../04_generic_closure.rs" 7 23 9 1] ()); + [#"../04_generic_closure.rs" 7 23 9 1] _0 <- ([#"../04_generic_closure.rs" 7 23 9 1] [#"../04_generic_closure.rs" 7 23 9 1] ()); goto BB2 } BB2 { diff --git a/creusot/tests/should_succeed/closures/05_map.mlcfg b/creusot/tests/should_succeed/closures/05_map.mlcfg index f0754d7255..7f7f2d2c1f 100644 --- a/creusot/tests/should_succeed/closures/05_map.mlcfg +++ b/creusot/tests/should_succeed/closures/05_map.mlcfg 
@@ -69,7 +69,10 @@ module C05Map_Impl0_Next requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv7 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv9 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv7 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv8 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve3 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv9 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv6 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv7 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv8 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve3 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -83,13 +86,19 @@ module C05Map_Impl0_Next requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv9 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv9 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv9 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv9 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv9 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv9 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv9 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv9 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv9 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv9 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -98,7 +107,11 @@ module C05Map_Impl0_Next requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv7 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv8 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv7 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv8 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv6 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv7 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant8 (self : borrowed f) val invariant8 (self : borrowed f) : bool ensures { result = invariant8 self } 
@@ -120,7 +133,10 @@ module C05Map_Impl0_Next requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv7 res} ensures { result = fn_once0 self args res } - axiom fn_once0_spec : forall self : f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv9 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv7 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once0 self args res = (resolve3 self /\ postcondition0 self args res)) + axiom fn_once0_spec : forall self : f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv9 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv6 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv7 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once0 self args res = (resolve3 self /\ postcondition0 self args res)) predicate resolve2 (self : borrowed f) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed f) : bool 
@@ -133,7 +149,10 @@ module C05Map_Impl0_Next requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv7 res} ensures { result = fn_mut0 self args res } - axiom fn_mut0_spec : forall self : borrowed f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv8 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv7 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve2 self /\ postcondition0 ( * self) args res)) + axiom fn_mut0_spec : forall self : borrowed f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv8 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv6 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv7 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve2 self /\ postcondition0 ( * self) args res)) predicate invariant6 (self : a) val invariant6 (self : a) : bool ensures { result = invariant6 self } @@ -328,5 +347,6 @@ module C05Map_Impl0 ensures { result = inv0 _x } axiom inv0 : forall x : borrowed (C05Map_Map_Type.t_map i f) . inv0 x = true - goal next_refn : [#"../05_map.rs" 17 4 17 44] forall self : borrowed (C05Map_Map_Type.t_map i f) . inv0 self -> inv0 self /\ (forall result : Core_Option_Option_Type.t_option b . inv1 result -> inv1 result) + goal next_refn : [#"../05_map.rs" 17 4 17 44] forall self : borrowed (C05Map_Map_Type.t_map i f) . inv0 self + -> inv0 self /\ (forall result : Core_Option_Option_Type.t_option b . inv1 result -> inv1 result) end diff --git a/creusot/tests/should_succeed/closures/06_fn_specs.mlcfg b/creusot/tests/should_succeed/closures/06_fn_specs.mlcfg index 421d85590a..6583bbed11 100644 
--- a/creusot/tests/should_succeed/closures/06_fn_specs.mlcfg +++ b/creusot/tests/should_succeed/closures/06_fn_specs.mlcfg @@ -127,7 +127,10 @@ module C06FnSpecs_Weaken2 requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 43 37 43 40] inv3 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 19 43 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 25 43 29] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 37 43 40] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 42 14 42 135] postcondition_once0 self args res = (exists s : borrowed f . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 19 43 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 25 43 29] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 37 43 40] inv3 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 42 14 42 135] postcondition_once0 self args res = (exists s : borrowed f . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -141,13 +144,19 @@ module C06FnSpecs_Weaken2 requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 39 35 39 36] inv0 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 36 15 36 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 37 15 37 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 20 39 24] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 26 39 27] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 35 39 36] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 38 14 38 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 36 15 36 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 37 15 37 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 20 39 24] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 26 39 27] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 35 39 36] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 38 14 38 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 33 19 33 23] inv0 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 33 19 33 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 32 14 32 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 33 19 33 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 32 14 32 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : output0) : () val postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : output0) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 27 15 27 48] postcondition_mut0 self args res} @@ -156,7 +165,11 @@ module C06FnSpecs_Weaken2 requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 29 55 29 58] inv3 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 27 15 27 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 37 29 41] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 43 29 47] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 55 29 58] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 28 14 28 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 27 15 27 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 37 29 41] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 43 29 47] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 55 29 58] inv3 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 28 14 28 35] unnest0 ( * self) ( ^ self)) predicate invariant2 (self : borrowed f) val invariant2 (self : borrowed f) : bool ensures { result = invariant2 self } 
@@ -260,7 +273,10 @@ module C06FnSpecs_Weaken requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 43 37 43 40] inv2 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 19 43 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 25 43 29] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 37 43 40] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 42 14 42 135] postcondition_once0 self args res = (exists s : borrowed f . inv3 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 19 43 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 25 43 29] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 37 43 40] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 42 14 42 135] postcondition_once0 self args res = (exists s : borrowed f . inv3 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -274,13 +290,19 @@ module C06FnSpecs_Weaken requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 39 35 39 36] inv0 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 36 15 36 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 37 15 37 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 20 39 24] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 26 39 27] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 35 39 36] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 38 14 38 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 36 15 36 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 37 15 37 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 20 39 24] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 26 39 27] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 35 39 36] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 38 14 38 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 33 19 33 23] inv0 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 33 19 33 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 32 14 32 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 33 19 33 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 32 14 32 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : output0) : () val postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : output0) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 27 15 27 48] postcondition_mut0 self args res} @@ -289,7 +311,11 @@ module C06FnSpecs_Weaken requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 29 55 29 58] inv2 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 27 15 27 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 37 29 41] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 43 29 47] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 55 29 58] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 28 14 28 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 27 15 27 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 37 29 41] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 43 29 47] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 55 29 58] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 28 14 28 35] unnest0 ( * self) ( ^ self)) predicate invariant3 (self : borrowed f) val invariant3 (self : borrowed f) : bool ensures { result = invariant3 self } 
@@ -311,7 +337,10 @@ module C06FnSpecs_Weaken requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 61 33 61 36] inv2 res} ensures { result = fn_once0 self args res } - axiom fn_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 61 15 61 19] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 61 21 61 25] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 61 33 61 36] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 60 14 60 101] postcondition_once0 self args res = (resolve0 self /\ postcondition0 self args res)) + axiom fn_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 61 15 61 19] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 61 21 61 25] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 61 33 61 36] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 60 14 60 101] postcondition_once0 self args res = (resolve0 self /\ postcondition0 self args res)) predicate resolve1 (self : borrowed f) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed f) : bool 
@@ -324,7 +353,10 @@ module C06FnSpecs_Weaken requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 57 37 57 40] inv2 res} ensures { result = fn_mut0 self args res } - axiom fn_mut0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 57 19 57 23] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 57 25 57 29] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 57 37 57 40] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 56 14 56 100] postcondition_mut0 self args res = (resolve1 self /\ postcondition0 ( * self) args res)) + axiom fn_mut0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 57 19 57 23] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 57 25 57 29] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 57 37 57 40] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 56 14 56 100] postcondition_mut0 self args res = (resolve1 self /\ postcondition0 ( * self) args res)) predicate invariant1 (self : a) val invariant1 (self : a) : bool ensures { result = invariant1 self } 
@@ -511,7 +543,10 @@ module C06FnSpecs_Weaken2Std requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -525,13 +560,19 @@ module C06FnSpecs_Weaken2Std requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : output0) : () val postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : output0) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -540,7 +581,11 @@ module C06FnSpecs_Weaken2Std requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant2 (self : borrowed f) val invariant2 (self : borrowed f) : bool ensures { result = invariant2 self } 
@@ -644,7 +689,10 @@ module C06FnSpecs_WeakenStd requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv3 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv3 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -658,13 +706,19 @@ module C06FnSpecs_WeakenStd requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : output0) : () val postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : output0) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -673,7 +727,11 @@ module C06FnSpecs_WeakenStd requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant3 (self : borrowed f) val invariant3 (self : borrowed f) : bool ensures { result = invariant3 self } 
@@ -695,7 +753,10 @@ module C06FnSpecs_WeakenStd requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv2 res} ensures { result = fn_once0 self args res } - axiom fn_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once0 self args res = (resolve0 self /\ postcondition0 self args res)) + axiom fn_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once0 self args res = (resolve0 self /\ postcondition0 self args res)) predicate resolve1 (self : borrowed f) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed f) : bool 
@@ -708,7 +769,10 @@ module C06FnSpecs_WeakenStd requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv2 res} ensures { result = fn_mut0 self args res } - axiom fn_mut0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve1 self /\ postcondition0 ( * self) args res)) + axiom fn_mut0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve1 self /\ postcondition0 ( * self) args res)) predicate invariant1 (self : a) val invariant1 (self : a) : bool ensures { result = invariant1 self } @@ -830,7 +894,7 @@ module C06FnSpecs_FnOnceUser goto BB1 } BB1 { - [#"../06_fn_specs.rs" 45 4 45 8] _4 <- ([#"../06_fn_specs.rs" 45 4 45 8] ((0 : usize))); + [#"../06_fn_specs.rs" 45 4 45 8] _4 <- ([#"../06_fn_specs.rs" 45 4 45 8] (([#"../06_fn_specs.rs" 45 6 45 7] (0 : usize)))); [#"../06_fn_specs.rs" 45 4 45 8] _0 <- ([#"../06_fn_specs.rs" 45 4 45 8] call_once0 f _4); f <- any f; _4 <- any usize; diff --git a/creusot/tests/should_succeed/closures/07_mutable_capture.mlcfg b/creusot/tests/should_succeed/closures/07_mutable_capture.mlcfg index 6aa30a62af..5626ec403b 100644 --- a/creusot/tests/should_succeed/closures/07_mutable_capture.mlcfg +++ b/creusot/tests/should_succeed/closures/07_mutable_capture.mlcfg 
@@ -47,9 +47,9 @@ module C07MutableCapture_TestFnmut_Closure1 goto BB0 } BB0 { - [#"../07_mutable_capture.rs" 10 12 10 18] _1 <- { _1 with current = (let C07MutableCapture_TestFnmut_Closure1.C07MutableCapture_TestFnmut_Closure1 x0 = * _1 in C07MutableCapture_TestFnmut_Closure1.C07MutableCapture_TestFnmut_Closure1 ({ (field_00 ( * _1)) with current = ([#"../07_mutable_capture.rs" 10 12 10 18] * field_00 ( * _1) + (1 : uint32)) ; })) ; }; + [#"../07_mutable_capture.rs" 10 12 10 18] _1 <- { _1 with current = (let C07MutableCapture_TestFnmut_Closure1.C07MutableCapture_TestFnmut_Closure1 x0 = * _1 in C07MutableCapture_TestFnmut_Closure1.C07MutableCapture_TestFnmut_Closure1 ({ (field_00 ( * _1)) with current = ([#"../07_mutable_capture.rs" 10 12 10 18] * field_00 ( * _1) + ([#"../07_mutable_capture.rs" 10 17 10 18] (1 : uint32))) ; })) ; }; assume { resolve0 _1 }; - [#"../07_mutable_capture.rs" 11 12 11 13] res1 <- ([#"../07_mutable_capture.rs" 11 12 11 13] (5 : int32)); + [#"../07_mutable_capture.rs" 11 12 11 13] res1 <- ([#"../07_mutable_capture.rs" 11 12 11 13] [#"../07_mutable_capture.rs" 11 12 11 13] (5 : int32)); [#"../07_mutable_capture.rs" 7 8 7 35] res <- ([#"../07_mutable_capture.rs" 7 8 7 35] res1); [#"../07_mutable_capture.rs" 8 8 8 37] _0 <- ([#"../07_mutable_capture.rs" 8 8 8 37] res); return _0 @@ -136,7 +136,7 @@ module C07MutableCapture_TestFnmut BB2 { assume { resolve0 c }; assert { [@expl:assertion] [#"../07_mutable_capture.rs" 17 20 17 33] UInt32.to_int x = 100002 }; - [#"../07_mutable_capture.rs" 5 30 18 1] _0 <- ([#"../07_mutable_capture.rs" 5 30 18 1] ()); + [#"../07_mutable_capture.rs" 5 30 18 1] _0 <- ([#"../07_mutable_capture.rs" 5 30 18 1] [#"../07_mutable_capture.rs" 5 30 18 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/closures/08_multiple_calls.mlcfg b/creusot/tests/should_succeed/closures/08_multiple_calls.mlcfg index 671707d640..9aedfae435 100644 --- a/creusot/tests/should_succeed/closures/08_multiple_calls.mlcfg 
+++ b/creusot/tests/should_succeed/closures/08_multiple_calls.mlcfg @@ -37,7 +37,7 @@ module C08MultipleCalls_MultiUse_Closure0 } BB0 { assume { resolve0 _1 }; - [#"../08_multiple_calls.rs" 8 8 8 9] res <- ([#"../08_multiple_calls.rs" 8 8 8 9] (0 : uint32)); + [#"../08_multiple_calls.rs" 8 8 8 9] res <- ([#"../08_multiple_calls.rs" 8 8 8 9] [#"../08_multiple_calls.rs" 8 8 8 9] (0 : uint32)); [#"../08_multiple_calls.rs" 5 12 5 31] _0 <- ([#"../08_multiple_calls.rs" 5 12 5 31] res); return _0 } @@ -129,7 +129,7 @@ module C08MultipleCalls_MultiUse BB1 { assert { [@expl:type invariant] inv0 x }; assume { resolve1 x }; - [#"../08_multiple_calls.rs" 4 27 14 1] _0 <- ([#"../08_multiple_calls.rs" 4 27 14 1] ()); + [#"../08_multiple_calls.rs" 4 27 14 1] _0 <- ([#"../08_multiple_calls.rs" 4 27 14 1] [#"../08_multiple_calls.rs" 4 27 14 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/drop_pair.mlcfg b/creusot/tests/should_succeed/drop_pair.mlcfg index b4de795411..cf64fb8fea 100644 --- a/creusot/tests/should_succeed/drop_pair.mlcfg +++ b/creusot/tests/should_succeed/drop_pair.mlcfg @@ -26,7 +26,7 @@ module DropPair_DropPair } BB0 { assume { resolve0 _x }; - [#"../drop_pair.rs" 7 43 7 45] _0 <- ([#"../drop_pair.rs" 7 43 7 45] ()); + [#"../drop_pair.rs" 7 43 7 45] _0 <- ([#"../drop_pair.rs" 7 43 7 45] [#"../drop_pair.rs" 7 43 7 45] ()); return _0 } @@ -55,7 +55,7 @@ module DropPair_DropPair2 } BB0 { assume { resolve0 x }; - [#"../drop_pair.rs" 9 43 11 1] _0 <- ([#"../drop_pair.rs" 9 43 11 1] ()); + [#"../drop_pair.rs" 9 43 11 1] _0 <- ([#"../drop_pair.rs" 9 43 11 1] [#"../drop_pair.rs" 9 43 11 1] ()); return _0 } 
@@ -86,7 +86,7 @@ module DropPair_Drop [#"../drop_pair.rs" 16 4 16 10] _x <- ([#"../drop_pair.rs" 16 4 16 10] _3); _3 <- any borrowed uint32; assume { resolve0 _x }; - [#"../drop_pair.rs" 15 53 17 1] _0 <- ([#"../drop_pair.rs" 15 53 17 1] ()); + [#"../drop_pair.rs" 15 53 17 1] _0 <- ([#"../drop_pair.rs" 15 53 17 1] [#"../drop_pair.rs" 15 53 17 1] ()); assume { resolve0 y }; return _0 } diff --git a/creusot/tests/should_succeed/duration.mlcfg b/creusot/tests/should_succeed/duration.mlcfg index 2b78a75c9e..520273912b 100644 --- a/creusot/tests/should_succeed/duration.mlcfg +++ b/creusot/tests/should_succeed/duration.mlcfg 
@@ -74,20 +74,26 @@ module Duration_TestDuration use prelude.UInt32 val checked_div0 (self : Core_Time_Duration_Type.t_duration) (rhs : uint32) : Core_Option_Option_Type.t_option (Core_Time_Duration_Type.t_duration) - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 137 16 137 58] rhs = (0 : uint32) -> result = Core_Option_Option_Type.C_None } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 138 16 138 85] rhs <> (0 : uint32) -> deep_model0 result = Core_Option_Option_Type.C_Some (div (shallow_model0 self) (UInt32.to_int rhs)) } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 137 16 137 58] rhs = (0 : uint32) + -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 138 16 138 85] rhs <> (0 : uint32) + -> deep_model0 result = Core_Option_Option_Type.C_Some (div (shallow_model0 self) (UInt32.to_int rhs)) } function nanos_to_secs0 (nanos : int) : int val nanos_to_secs0 (nanos : int) : int ensures { result = nanos_to_secs0 nanos } val checked_mul0 (self : Core_Time_Duration_Type.t_duration) (rhs : uint32) : Core_Option_Option_Type.t_option (Core_Time_Duration_Type.t_duration) - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 133 16 133 86] nanos_to_secs0 (shallow_model0 self * UInt32.to_int rhs) > UInt64.to_int max0 -> result = Core_Option_Option_Type.C_None } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 134 16 134 114] nanos_to_secs0 (shallow_model0 self * UInt32.to_int rhs) <= UInt64.to_int max0 -> deep_model0 result = Core_Option_Option_Type.C_Some (shallow_model0 self * UInt32.to_int rhs) } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 133 16 133 86] nanos_to_secs0 (shallow_model0 self * UInt32.to_int rhs) > UInt64.to_int max0 + -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 134 16 134 114] nanos_to_secs0 (shallow_model0 self * UInt32.to_int rhs) <= UInt64.to_int max0 + -> 
deep_model0 result = Core_Option_Option_Type.C_Some (shallow_model0 self * UInt32.to_int rhs) } val checked_sub0 (self : Core_Time_Duration_Type.t_duration) (rhs : Core_Time_Duration_Type.t_duration) : Core_Option_Option_Type.t_option (Core_Time_Duration_Type.t_duration) - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 129 16 129 63] shallow_model0 self - shallow_model0 rhs < 0 -> result = Core_Option_Option_Type.C_None } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 130 16 130 91] shallow_model0 self - shallow_model0 rhs >= 0 -> deep_model0 result = Core_Option_Option_Type.C_Some (shallow_model0 self - shallow_model0 rhs) } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 129 16 129 63] shallow_model0 self - shallow_model0 rhs < 0 + -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 130 16 130 91] shallow_model0 self - shallow_model0 rhs >= 0 + -> deep_model0 result = Core_Option_Option_Type.C_Some (shallow_model0 self - shallow_model0 rhs) } use prelude.Borrow val is_some0 (self : Core_Option_Option_Type.t_option (Core_Time_Duration_Type.t_duration)) : bool 
@@ -99,8 +105,10 @@ module Duration_TestDuration ensures { [#"../../../../creusot-contracts/src/std/option.rs" 36 26 36 51] result = (self = Core_Option_Option_Type.C_None) } val checked_add0 (self : Core_Time_Duration_Type.t_duration) (rhs : Core_Time_Duration_Type.t_duration) : Core_Option_Option_Type.t_option (Core_Time_Duration_Type.t_duration) - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 125 16 125 86] nanos_to_secs0 (shallow_model0 self + shallow_model0 rhs) > UInt64.to_int max0 -> result = Core_Option_Option_Type.C_None } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 126 16 126 114] nanos_to_secs0 (shallow_model0 self + shallow_model0 rhs) <= UInt64.to_int max0 -> deep_model0 result = Core_Option_Option_Type.C_Some (shallow_model0 self + shallow_model0 rhs) } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 125 16 125 86] nanos_to_secs0 (shallow_model0 self + shallow_model0 rhs) > UInt64.to_int max0 + -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 126 16 126 114] nanos_to_secs0 (shallow_model0 self + shallow_model0 rhs) <= UInt64.to_int max0 + -> deep_model0 result = Core_Option_Option_Type.C_Some (shallow_model0 self + shallow_model0 rhs) } use prelude.UInt128 function nanos_to_micros0 (nanos : int) : int 
@@ -139,8 +147,9 @@ module Duration_TestDuration ensures { [#"../../../../creusot-contracts/src/std/time.rs" 100 26 100 57] UInt64.to_int result = nanos_to_secs0 (shallow_model4 self) } val is_zero0 (self : Core_Time_Duration_Type.t_duration) : bool - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 96 16 96 57] shallow_model4 self = 0 -> result = true } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 97 16 97 58] shallow_model4 self <> 0 -> result = false } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 96 16 96 57] shallow_model4 self = 0 -> result = true } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 97 16 97 58] shallow_model4 self <> 0 + -> result = false } val from_nanos0 (nanos : uint64) : Core_Time_Duration_Type.t_duration ensures { [#"../../../../creusot-contracts/src/std/time.rs" 93 26 93 43] shallow_model0 result = UInt64.to_int nanos } @@ -217,7 +226,7 @@ module Duration_TestDuration goto BB0 } BB0 { - [#"../duration.rs" 8 15 8 34] zero <- ([#"../duration.rs" 8 15 8 34] new0 (0 : uint64) (0 : uint32)); + [#"../duration.rs" 8 15 8 34] zero <- ([#"../duration.rs" 8 15 8 34] new0 ([#"../duration.rs" 8 29 8 30] (0 : uint64)) ([#"../duration.rs" 8 32 8 33] (0 : uint32))); goto BB1 } BB1 { @@ -226,7 +235,7 @@ module Duration_TestDuration goto BB2 } BB2 { - [#"../duration.rs" 10 12 10 32] _5 <- ([#"../duration.rs" 10 12 10 32] _6 = (0 : uint128)); + [#"../duration.rs" 10 12 10 32] _5 <- ([#"../duration.rs" 10 12 10 32] _6 = ([#"../duration.rs" 10 31 10 32] (0 : uint128))); _6 <- any uint128; switch (_5) | False -> goto BB4 
@@ -234,7 +243,7 @@ module Duration_TestDuration end } BB3 { - [#"../duration.rs" 12 14 12 50] max <- ([#"../duration.rs" 12 14 12 50] new0 (18446744073709551615 : uint64) (999999999 : uint32)); + [#"../duration.rs" 12 14 12 50] max <- ([#"../duration.rs" 12 14 12 50] new0 ([#"../duration.rs" 12 28 12 36] (18446744073709551615 : uint64)) ([#"../duration.rs" 12 38 12 49] (999999999 : uint32))); goto BB5 } BB4 { @@ -242,22 +251,22 @@ module Duration_TestDuration absurd } BB5 { - [#"../duration.rs" 14 17 14 39] d_secs <- ([#"../duration.rs" 14 17 14 39] from_secs0 (1 : uint64)); + [#"../duration.rs" 14 17 14 39] d_secs <- ([#"../duration.rs" 14 17 14 39] from_secs0 ([#"../duration.rs" 14 37 14 38] (1 : uint64))); goto BB6 } BB6 { assert { [@expl:assertion] [#"../duration.rs" 15 18 15 42] shallow_model0 d_secs = 1000000000 }; - [#"../duration.rs" 17 19 17 43] d_millis <- ([#"../duration.rs" 17 19 17 43] from_millis0 (1 : uint64)); + [#"../duration.rs" 17 19 17 43] d_millis <- ([#"../duration.rs" 17 19 17 43] from_millis0 ([#"../duration.rs" 17 41 17 42] (1 : uint64))); goto BB7 } BB7 { assert { [@expl:assertion] [#"../duration.rs" 18 18 18 40] shallow_model0 d_millis = 1000000 }; - [#"../duration.rs" 20 19 20 43] d_micros <- ([#"../duration.rs" 20 19 20 43] from_micros0 (1 : uint64)); + [#"../duration.rs" 20 19 20 43] d_micros <- ([#"../duration.rs" 20 19 20 43] from_micros0 ([#"../duration.rs" 20 41 20 42] (1 : uint64))); goto BB8 } BB8 { assert { [@expl:assertion] [#"../duration.rs" 21 18 21 36] shallow_model0 d_micros = 1000 }; - [#"../duration.rs" 23 18 23 41] d_nanos <- ([#"../duration.rs" 23 18 23 41] from_nanos0 (1 : uint64)); + [#"../duration.rs" 23 18 23 41] d_nanos <- ([#"../duration.rs" 23 18 23 41] from_nanos0 ([#"../duration.rs" 23 39 23 40] (1 : uint64))); goto BB9 } BB9 { 
@@ -294,7 +303,7 @@ module Duration_TestDuration goto BB16 } BB16 { - [#"../duration.rs" 29 12 29 33] _31 <- ([#"../duration.rs" 29 12 29 33] (1 : uint64) = _32); + [#"../duration.rs" 29 12 29 33] _31 <- ([#"../duration.rs" 29 12 29 33] ([#"../duration.rs" 29 12 29 13] (1 : uint64)) = _32); _32 <- any uint64; switch (_31) | False -> goto BB18 @@ -310,7 +319,7 @@ module Duration_TestDuration absurd } BB19 { - [#"../duration.rs" 30 12 30 39] _36 <- ([#"../duration.rs" 30 12 30 39] (0 : uint32) = _37); + [#"../duration.rs" 30 12 30 39] _36 <- ([#"../duration.rs" 30 12 30 39] ([#"../duration.rs" 30 12 30 13] (0 : uint32)) = _37); _37 <- any uint32; switch (_36) | False -> goto BB21 @@ -326,7 +335,7 @@ module Duration_TestDuration absurd } BB22 { - [#"../duration.rs" 31 12 31 39] _41 <- ([#"../duration.rs" 31 12 31 39] (0 : uint32) = _42); + [#"../duration.rs" 31 12 31 39] _41 <- ([#"../duration.rs" 31 12 31 39] ([#"../duration.rs" 31 12 31 13] (0 : uint32)) = _42); _42 <- any uint32; switch (_41) | False -> goto BB24 @@ -342,7 +351,7 @@ module Duration_TestDuration absurd } BB25 { - [#"../duration.rs" 32 12 32 38] _46 <- ([#"../duration.rs" 32 12 32 38] (0 : uint32) = _47); + [#"../duration.rs" 32 12 32 38] _46 <- ([#"../duration.rs" 32 12 32 38] ([#"../duration.rs" 32 12 32 13] (0 : uint32)) = _47); _47 <- any uint32; switch (_46) | False -> goto BB27 @@ -491,7 +500,7 @@ module Duration_TestDuration end } BB54 { - [#"../duration.rs" 44 12 44 30] _105 <- ([#"../duration.rs" 44 12 44 30] checked_mul0 max (2 : uint32)); + [#"../duration.rs" 44 12 44 30] _105 <- ([#"../duration.rs" 44 12 44 30] checked_mul0 max ([#"../duration.rs" 44 28 44 29] (2 : uint32))); goto BB56 } BB55 { 
@@ -509,7 +518,7 @@ module Duration_TestDuration end } BB58 { - [#"../duration.rs" 45 12 45 34] _111 <- ([#"../duration.rs" 45 12 45 34] checked_mul0 d_secs (10 : uint32)); + [#"../duration.rs" 45 12 45 34] _111 <- ([#"../duration.rs" 45 12 45 34] checked_mul0 d_secs ([#"../duration.rs" 45 31 45 33] (10 : uint32))); goto BB60 } BB59 { @@ -527,7 +536,7 @@ module Duration_TestDuration end } BB62 { - [#"../duration.rs" 47 12 47 33] _117 <- ([#"../duration.rs" 47 12 47 33] checked_div0 d_secs (0 : uint32)); + [#"../duration.rs" 47 12 47 33] _117 <- ([#"../duration.rs" 47 12 47 33] checked_div0 d_secs ([#"../duration.rs" 47 31 47 32] (0 : uint32))); goto BB64 } BB63 { @@ -545,7 +554,7 @@ module Duration_TestDuration end } BB66 { - [#"../duration.rs" 48 12 48 34] _123 <- ([#"../duration.rs" 48 12 48 34] checked_div0 d_secs (10 : uint32)); + [#"../duration.rs" 48 12 48 34] _123 <- ([#"../duration.rs" 48 12 48 34] checked_div0 d_secs ([#"../duration.rs" 48 31 48 33] (10 : uint32))); goto BB68 } BB67 { @@ -577,7 +586,7 @@ module Duration_TestDuration BB73 { assert { [@expl:assertion] [#"../duration.rs" 52 18 52 35] shallow_model0 sum = 1001000 }; assert { [@expl:assertion] [#"../duration.rs" 53 18 53 39] shallow_model0 difference = 999000 }; - [#"../duration.rs" 7 23 54 1] _0 <- ([#"../duration.rs" 7 23 54 1] ()); + [#"../duration.rs" 7 23 54 1] _0 <- ([#"../duration.rs" 7 23 54 1] [#"../duration.rs" 7 23 54 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/filter_positive.mlcfg b/creusot/tests/should_succeed/filter_positive.mlcfg index fe25709bb5..75528e23e2 100644 --- a/creusot/tests/should_succeed/filter_positive.mlcfg +++ b/creusot/tests/should_succeed/filter_positive.mlcfg 
@@ -38,8 +38,10 @@ module FilterPositive_LemmaNumOfPosIncreasing_Impl constant t : Seq.seq int32 function lemma_num_of_pos_increasing [#"../filter_positive.rs" 65 0 65 67] (i : int) (j : int) (k : int) (t : Seq.seq int32) : () - goal vc_lemma_num_of_pos_increasing : ([#"../filter_positive.rs" 62 11 62 17] j <= k) -> match j < k with - | True -> (([#"../filter_positive.rs" 62 11 62 17] j + 1 <= k) /\ 0 <= ([#"../filter_positive.rs" 64 10 64 13] k - j) /\ ([#"../filter_positive.rs" 64 10 64 13] k - (j + 1)) < ([#"../filter_positive.rs" 64 10 64 13] k - j)) /\ (([#"../filter_positive.rs" 63 10 63 48] num_of_pos0 i (j + 1) t <= num_of_pos0 i k t) -> ([#"../filter_positive.rs" 63 10 63 48] num_of_pos0 i j t <= num_of_pos0 i k t)) + goal vc_lemma_num_of_pos_increasing : ([#"../filter_positive.rs" 62 11 62 17] j <= k) + -> match j < k with + | True -> (([#"../filter_positive.rs" 62 11 62 17] j + 1 <= k) /\ 0 <= ([#"../filter_positive.rs" 64 10 64 13] k - j) /\ ([#"../filter_positive.rs" 64 10 64 13] k - (j + 1)) < ([#"../filter_positive.rs" 64 10 64 13] k - j)) /\ (([#"../filter_positive.rs" 63 10 63 48] num_of_pos0 i (j + 1) t <= num_of_pos0 i k t) + -> ([#"../filter_positive.rs" 63 10 63 48] num_of_pos0 i j t <= num_of_pos0 i k t)) | False -> [#"../filter_positive.rs" 63 10 63 48] num_of_pos0 i j t <= num_of_pos0 i k t end end 
@@ -62,7 +64,9 @@ module FilterPositive_LemmaNumOfPosStrictlyIncreasing_Impl constant i : int constant t : Seq.seq int32 function lemma_num_of_pos_strictly_increasing [#"../filter_positive.rs" 79 0 79 60] (i : int) (t : Seq.seq int32) : () - goal vc_lemma_num_of_pos_strictly_increasing : ([#"../filter_positive.rs" 77 11 77 20] Int32.to_int (Seq.get t i) > 0) -> ([#"../filter_positive.rs" 76 11 76 32] 0 <= i /\ i < Seq.length t) -> ([#"../filter_positive.rs" 78 10 78 49] num_of_pos0 0 i t < num_of_pos0 0 (i + 1) t) + goal vc_lemma_num_of_pos_strictly_increasing : ([#"../filter_positive.rs" 77 11 77 20] Int32.to_int (Seq.get t i) > 0) + -> ([#"../filter_positive.rs" 76 11 76 32] 0 <= i /\ i < Seq.length t) + -> ([#"../filter_positive.rs" 78 10 78 49] num_of_pos0 0 i t < num_of_pos0 0 (i + 1) t) end module Core_Ptr_NonNull_NonNull_Type use prelude.Opaque 
@@ -194,7 +198,8 @@ module FilterPositive_M requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model1 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool @@ -209,7 +214,8 @@ module FilterPositive_M use prelude.Slice use seq.Seq predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq int32) (fin : Seq.seq int32) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq int32) (fin : Seq.seq int32) : bool ensures { result = resolve_elswhere0 self old' fin } 
@@ -261,7 +267,8 @@ module FilterPositive_M requires {[#"../filter_positive.rs" 62 11 62 17] j <= k} ensures { result = lemma_num_of_pos_increasing0 i j k t } - axiom lemma_num_of_pos_increasing0_spec : forall i : int, j : int, k : int, t : Seq.seq int32 . ([#"../filter_positive.rs" 62 11 62 17] j <= k) -> ([#"../filter_positive.rs" 63 10 63 48] num_of_pos0 i j t <= num_of_pos0 i k t) + axiom lemma_num_of_pos_increasing0_spec : forall i : int, j : int, k : int, t : Seq.seq int32 . ([#"../filter_positive.rs" 62 11 62 17] j <= k) + -> ([#"../filter_positive.rs" 63 10 63 48] num_of_pos0 i j t <= num_of_pos0 i k t) function lemma_num_of_pos_strictly_increasing0 [#"../filter_positive.rs" 79 0 79 60] (i : int) (t : Seq.seq int32) : () = @@ -271,7 +278,9 @@ module FilterPositive_M requires {[#"../filter_positive.rs" 77 11 77 20] Int32.to_int (Seq.get t i) > 0} ensures { result = lemma_num_of_pos_strictly_increasing0 i t } - axiom lemma_num_of_pos_strictly_increasing0_spec : forall i : int, t : Seq.seq int32 . ([#"../filter_positive.rs" 76 11 76 32] 0 <= i /\ i < Seq.length t) -> ([#"../filter_positive.rs" 77 11 77 20] Int32.to_int (Seq.get t i) > 0) -> ([#"../filter_positive.rs" 78 10 78 49] num_of_pos0 0 i t < num_of_pos0 0 (i + 1) t) + axiom lemma_num_of_pos_strictly_increasing0_spec : forall i : int, t : Seq.seq int32 . ([#"../filter_positive.rs" 76 11 76 32] 0 <= i /\ i < Seq.length t) + -> ([#"../filter_positive.rs" 77 11 77 20] Int32.to_int (Seq.get t i) > 0) + -> ([#"../filter_positive.rs" 78 10 78 49] num_of_pos0 0 i t < num_of_pos0 0 (i + 1) t) function shallow_model3 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : Seq.seq int32 = [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model1 self val shallow_model3 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : Seq.seq int32 
@@ -297,14 +306,16 @@ module FilterPositive_M ensures { result = index_logic1 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) -> resolve2 (index_logic1 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) + -> resolve2 (index_logic1 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } val from_elem0 (elem : int32) (n : usize) : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) requires {inv3 elem} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model1 result) = UIntSize.to_int n } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic1 result i = elem } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic1 result i = elem } ensures { inv0 result } val len1 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : usize @@ -337,8 +348,8 @@ module FilterPositive_M goto BB0 } BB0 { - [#"../filter_positive.rs" 83 27 83 28] count <- ([#"../filter_positive.rs" 83 27 83 28] (0 : usize)); - [#"../filter_positive.rs" 84 23 84 24] i <- ([#"../filter_positive.rs" 84 23 84 24] (0 : usize)); + [#"../filter_positive.rs" 83 27 83 28] count <- ([#"../filter_positive.rs" 83 27 83 28] [#"../filter_positive.rs" 83 27 83 28] (0 : usize)); + [#"../filter_positive.rs" 84 23 84 24] i <- ([#"../filter_positive.rs" 84 23 84 24] [#"../filter_positive.rs" 84 23 84 24] (0 : usize)); goto BB1 } BB1 { 
@@ -370,33 +381,33 @@ module FilterPositive_M goto BB7 } BB7 { - [#"../filter_positive.rs" 90 11 90 19] _15 <- ([#"../filter_positive.rs" 90 11 90 19] _17 > (0 : int32)); + [#"../filter_positive.rs" 90 11 90 19] _15 <- ([#"../filter_positive.rs" 90 11 90 19] _17 > ([#"../filter_positive.rs" 90 18 90 19] (0 : int32))); switch (_15) | False -> goto BB9 | True -> goto BB8 end } BB8 { - [#"../filter_positive.rs" 91 12 91 22] count <- ([#"../filter_positive.rs" 91 12 91 22] count + (1 : usize)); - [#"../filter_positive.rs" 91 12 91 22] _14 <- ([#"../filter_positive.rs" 91 12 91 22] ()); + [#"../filter_positive.rs" 91 12 91 22] count <- ([#"../filter_positive.rs" 91 12 91 22] count + ([#"../filter_positive.rs" 91 21 91 22] (1 : usize))); + [#"../filter_positive.rs" 91 12 91 22] _14 <- ([#"../filter_positive.rs" 91 12 91 22] [#"../filter_positive.rs" 91 12 91 22] ()); goto BB10 } BB9 { - [#"../filter_positive.rs" 92 9 92 9] _14 <- ([#"../filter_positive.rs" 92 9 92 9] ()); + [#"../filter_positive.rs" 92 9 92 9] _14 <- ([#"../filter_positive.rs" 92 9 92 9] [#"../filter_positive.rs" 92 9 92 9] ()); goto BB10 } BB10 { - [#"../filter_positive.rs" 93 8 93 14] i <- ([#"../filter_positive.rs" 93 8 93 14] i + (1 : usize)); - [#"../filter_positive.rs" 89 22 94 5] _9 <- ([#"../filter_positive.rs" 89 22 94 5] ()); + [#"../filter_positive.rs" 93 8 93 14] i <- ([#"../filter_positive.rs" 93 8 93 14] i + ([#"../filter_positive.rs" 93 13 93 14] (1 : usize))); + [#"../filter_positive.rs" 89 22 94 5] _9 <- ([#"../filter_positive.rs" 89 22 94 5] [#"../filter_positive.rs" 89 22 94 5] ()); goto BB3 } BB11 { - [#"../filter_positive.rs" 95 26 95 40] u <- ([#"../filter_positive.rs" 95 26 95 40] from_elem0 (0 : int32) count); + [#"../filter_positive.rs" 95 26 95 40] u <- ([#"../filter_positive.rs" 95 26 95 40] from_elem0 ([#"../filter_positive.rs" 95 31 95 32] (0 : int32)) count); goto BB12 } BB12 { - [#"../filter_positive.rs" 96 4 96 13] count <- ([#"../filter_positive.rs" 96 4 96 13] (0 : 
usize)); - [#"../filter_positive.rs" 98 4 98 9] i <- ([#"../filter_positive.rs" 98 4 98 9] (0 : usize)); + [#"../filter_positive.rs" 96 4 96 13] count <- ([#"../filter_positive.rs" 96 4 96 13] [#"../filter_positive.rs" 96 12 96 13] (0 : usize)); + [#"../filter_positive.rs" 98 4 98 9] i <- ([#"../filter_positive.rs" 98 4 98 9] [#"../filter_positive.rs" 98 8 98 9] (0 : usize)); goto BB13 } BB13 { @@ -427,7 +438,7 @@ module FilterPositive_M goto BB19 } BB19 { - [#"../filter_positive.rs" 103 11 103 19] _33 <- ([#"../filter_positive.rs" 103 11 103 19] _35 > (0 : int32)); + [#"../filter_positive.rs" 103 11 103 19] _33 <- ([#"../filter_positive.rs" 103 11 103 19] _35 > ([#"../filter_positive.rs" 103 18 103 19] (0 : int32))); switch (_33) | False -> goto BB25 | True -> goto BB20 
@@ -455,17 +466,17 @@ module FilterPositive_M BB24 { [#"../filter_positive.rs" 113 12 113 27] _46 <- { _46 with current = ([#"../filter_positive.rs" 113 12 113 27] _43) ; }; assume { resolve1 _46 }; - [#"../filter_positive.rs" 114 12 114 22] count <- ([#"../filter_positive.rs" 114 12 114 22] count + (1 : usize)); - [#"../filter_positive.rs" 103 20 115 9] _32 <- ([#"../filter_positive.rs" 103 20 115 9] ()); + [#"../filter_positive.rs" 114 12 114 22] count <- ([#"../filter_positive.rs" 114 12 114 22] count + ([#"../filter_positive.rs" 114 21 114 22] (1 : usize))); + [#"../filter_positive.rs" 103 20 115 9] _32 <- ([#"../filter_positive.rs" 103 20 115 9] [#"../filter_positive.rs" 103 20 115 9] ()); goto BB26 } BB25 { - [#"../filter_positive.rs" 115 9 115 9] _32 <- ([#"../filter_positive.rs" 115 9 115 9] ()); + [#"../filter_positive.rs" 115 9 115 9] _32 <- ([#"../filter_positive.rs" 115 9 115 9] [#"../filter_positive.rs" 115 9 115 9] ()); goto BB26 } BB26 { - [#"../filter_positive.rs" 116 8 116 14] i <- ([#"../filter_positive.rs" 116 8 116 14] i + (1 : usize)); - [#"../filter_positive.rs" 102 22 117 5] _9 <- ([#"../filter_positive.rs" 102 22 117 5] ()); + [#"../filter_positive.rs" 116 8 116 14] i <- ([#"../filter_positive.rs" 116 8 116 14] i + ([#"../filter_positive.rs" 116 13 116 14] (1 : usize))); + [#"../filter_positive.rs" 102 22 117 5] _9 <- ([#"../filter_positive.rs" 102 22 117 5] [#"../filter_positive.rs" 102 22 117 5] ()); goto BB15 } BB27 { diff --git a/creusot/tests/should_succeed/ghost_ptr_token.mlcfg b/creusot/tests/should_succeed/ghost_ptr_token.mlcfg index 3f5801cef8..5e668e0e8f 100644 --- a/creusot/tests/should_succeed/ghost_ptr_token.mlcfg +++ b/creusot/tests/should_succeed/ghost_ptr_token.mlcfg 
@@ -144,14 +144,17 @@ module GhostPtrToken_Test requires {[#"../../../../creusot-contracts/src/util.rs" 24 11 24 16] false} ensures { result = unreachable0 _1 } - axiom unreachable0_spec : forall _1 : () . ([#"../../../../creusot-contracts/src/util.rs" 24 11 24 16] false) -> ([#"../../../../creusot-contracts/src/util.rs" 27 0 27 28] inv0 (unreachable0 _1)) && ([#"../../../../creusot-contracts/src/util.rs" 25 10 25 15] false) + axiom unreachable0_spec : forall _1 : () . ([#"../../../../creusot-contracts/src/util.rs" 24 11 24 16] false) + -> ([#"../../../../creusot-contracts/src/util.rs" 27 0 27 28] inv0 (unreachable0 _1)) && ([#"../../../../creusot-contracts/src/util.rs" 25 10 25 15] false) function unwrap0 (op : Core_Option_Option_Type.t_option int32) : int32 val unwrap0 (op : Core_Option_Option_Type.t_option int32) : int32 requires {[#"../../../../creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} requires {[#"../../../../creusot-contracts/src/util.rs" 35 17 35 19] inv7 op} ensures { result = unwrap0 op } - axiom unwrap0_spec : forall op : Core_Option_Option_Type.t_option int32 . ([#"../../../../creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) -> ([#"../../../../creusot-contracts/src/util.rs" 35 17 35 19] inv7 op) -> ([#"../../../../creusot-contracts/src/util.rs" 35 0 35 36] inv0 (unwrap0 op)) && ([#"../../../../creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap0 op) = op) + axiom unwrap0_spec : forall op : Core_Option_Option_Type.t_option int32 . 
([#"../../../../creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) + -> ([#"../../../../creusot-contracts/src/util.rs" 35 17 35 19] inv7 op) + -> ([#"../../../../creusot-contracts/src/util.rs" 35 0 35 36] inv0 (unwrap0 op)) && ([#"../../../../creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap0 op) = op) use map.Map function mk0 (_m : Map.map opaque_ptr (Core_Option_Option_Type.t_option int32)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 @@ -164,7 +167,8 @@ module GhostPtrToken_Test requires {[#"../../../../creusot-contracts/src/logic/fmap.rs" 28 16 28 20] inv3 self} ensures { result = view0 self } - axiom view0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 . ([#"../../../../creusot-contracts/src/logic/fmap.rs" 28 16 28 20] inv3 self) -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 28 4 28 35] inv6 (view0 self)) && ([#"../../../../creusot-contracts/src/logic/fmap.rs" 27 14 27 38] mk0 (view0 self) = self) + axiom view0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 . ([#"../../../../creusot-contracts/src/logic/fmap.rs" 28 16 28 20] inv3 self) + -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 28 4 28 35] inv6 (view0 self)) && ([#"../../../../creusot-contracts/src/logic/fmap.rs" 27 14 27 38] mk0 (view0 self) = self) function get0 [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : Core_Option_Option_Type.t_option int32 = 
@@ -247,14 +251,16 @@ module GhostPtrToken_Test requires {[#"../../../../creusot-contracts/src/logic/fmap.rs" 13 15 13 19] inv3 self} ensures { result = len0 self } - axiom len0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 . ([#"../../../../creusot-contracts/src/logic/fmap.rs" 13 15 13 19] inv3 self) -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len0 self >= 0) + axiom len0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 . ([#"../../../../creusot-contracts/src/logic/fmap.rs" 13 15 13 19] inv3 self) + -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len0 self >= 0) use map.Map function make_sized0 (self : int32) : int32 val make_sized0 (self : int32) : int32 requires {[#"../../../../creusot-contracts/src/util.rs" 16 19 16 23] inv2 self} ensures { result = make_sized0 self } - axiom make_sized0_spec : forall self : int32 . ([#"../../../../creusot-contracts/src/util.rs" 16 19 16 23] inv2 self) -> ([#"../../../../creusot-contracts/src/util.rs" 16 4 16 40] inv0 (make_sized0 self)) && ([#"../../../../creusot-contracts/src/util.rs" 15 14 15 30] make_sized0 self = self) + axiom make_sized0_spec : forall self : int32 . ([#"../../../../creusot-contracts/src/util.rs" 16 19 16 23] inv2 self) + -> ([#"../../../../creusot-contracts/src/util.rs" 16 4 16 40] inv0 (make_sized0 self)) && ([#"../../../../creusot-contracts/src/util.rs" 15 14 15 30] make_sized0 self = self) function insert0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) (v : int32) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 val insert0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) (v : int32) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 
@@ -263,7 +269,12 @@ module GhostPtrToken_Test requires {[#"../../../../creusot-contracts/src/logic/fmap.rs" 38 30 38 31] inv5 v} ensures { result = insert0 self k v } - axiom insert0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32, k : opaque_ptr, v : int32 . ([#"../../../../creusot-contracts/src/logic/fmap.rs" 38 18 38 22] inv3 self) -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 38 24 38 25] inv4 k) -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 38 30 38 31] inv5 v) -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 38 4 38 43] inv3 (insert0 self k v)) && ([#"../../../../creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not contains0 self k -> len0 (insert0 self k v) = len0 self + 1) && ([#"../../../../creusot-contracts/src/logic/fmap.rs" 36 4 36 63] contains0 self k -> len0 (insert0 self k v) = len0 self) && ([#"../../../../creusot-contracts/src/logic/fmap.rs" 35 14 35 71] view0 (insert0 self k v) = Map.set (view0 self) k (Core_Option_Option_Type.C_Some (make_sized0 v))) + axiom insert0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32, k : opaque_ptr, v : int32 . 
([#"../../../../creusot-contracts/src/logic/fmap.rs" 38 18 38 22] inv3 self) + -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 38 24 38 25] inv4 k) + -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 38 30 38 31] inv5 v) + -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 38 4 38 43] inv3 (insert0 self k v)) && ([#"../../../../creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not contains0 self k + -> len0 (insert0 self k v) = len0 self + 1) && ([#"../../../../creusot-contracts/src/logic/fmap.rs" 36 4 36 63] contains0 self k + -> len0 (insert0 self k v) = len0 self) && ([#"../../../../creusot-contracts/src/logic/fmap.rs" 35 14 35 71] view0 (insert0 self k v) = Map.set (view0 self) k (Core_Option_Option_Type.C_Some (make_sized0 v))) function remove0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 val remove0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 
@@ -271,7 +282,9 @@ module GhostPtrToken_Test requires {[#"../../../../creusot-contracts/src/logic/fmap.rs" 47 24 47 25] inv4 k} ensures { result = remove0 self k } - axiom remove0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32, k : opaque_ptr . ([#"../../../../creusot-contracts/src/logic/fmap.rs" 47 18 47 22] inv3 self) -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 47 24 47 25] inv4 k) -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 47 4 47 37] inv3 (remove0 self k)) && ([#"../../../../creusot-contracts/src/logic/fmap.rs" 46 14 46 84] len0 (remove0 self k) = (if contains0 self k then + axiom remove0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32, k : opaque_ptr . ([#"../../../../creusot-contracts/src/logic/fmap.rs" 47 18 47 22] inv3 self) + -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 47 24 47 25] inv4 k) + -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 47 4 47 37] inv3 (remove0 self k)) && ([#"../../../../creusot-contracts/src/logic/fmap.rs" 46 14 46 84] len0 (remove0 self k) = (if contains0 self k then len0 self - 1 else len0 self 
@@ -303,13 +316,13 @@ module GhostPtrToken_Test ensures { [#"../../../../creusot-contracts/src/ghost_ptr.rs" 41 14 41 38] shallow_model0 result = empty0 () } let constant promoted0 [#"../ghost_ptr_token.rs" 3 0 3 13] : int32 = [@vc:do_not_keep_trace] [@vc:sp] - let _1 = [#"../ghost_ptr_token.rs" 17 40 17 41] (1 : int32) in let _0 = _1 in _0 + let _1 = [#"../ghost_ptr_token.rs" 17 40 17 41] [#"../ghost_ptr_token.rs" 17 40 17 41] (1 : int32) in let _0 = _1 in _0 let constant promoted1 [#"../ghost_ptr_token.rs" 3 0 3 13] : int32 = [@vc:do_not_keep_trace] [@vc:sp] - let _1 = [#"../ghost_ptr_token.rs" 16 40 16 41] (2 : int32) in let _0 = _1 in _0 + let _1 = [#"../ghost_ptr_token.rs" 16 40 16 41] [#"../ghost_ptr_token.rs" 16 40 16 41] (2 : int32) in let _0 = _1 in _0 let constant promoted2 [#"../ghost_ptr_token.rs" 3 0 3 13] : int32 = [@vc:do_not_keep_trace] [@vc:sp] - let _1 = [#"../ghost_ptr_token.rs" 13 20 13 21] (2 : int32) in let _0 = _1 in _0 + let _1 = [#"../ghost_ptr_token.rs" 13 20 13 21] [#"../ghost_ptr_token.rs" 13 20 13 21] (2 : int32) in let _0 = _1 in _0 let constant promoted3 [#"../ghost_ptr_token.rs" 3 0 3 13] : int32 = [@vc:do_not_keep_trace] [@vc:sp] - let _1 = [#"../ghost_ptr_token.rs" 12 20 12 21] (1 : int32) in let _0 = _1 in _0 + let _1 = [#"../ghost_ptr_token.rs" 12 20 12 21] [#"../ghost_ptr_token.rs" 12 20 12 21] (1 : int32) in let _0 = _1 in _0 let rec cfg test [#"../ghost_ptr_token.rs" 3 0 3 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); @@ -365,7 +378,7 @@ module GhostPtrToken_Test goto BB0 } BB0 { - [#"../ghost_ptr_token.rs" 4 20 4 40] token <- ([#"../ghost_ptr_token.rs" 4 20 4 40] new0 ()); + [#"../ghost_ptr_token.rs" 4 20 4 40] token <- ([#"../ghost_ptr_token.rs" 4 20 4 40] new0 ([#"../ghost_ptr_token.rs" 4 20 4 40] ())); goto BB1 } BB1 { 
@@ -374,7 +387,7 @@ module GhostPtrToken_Test goto BB2 } BB2 { - [#"../ghost_ptr_token.rs" 5 15 5 46] ptr1 <- ([#"../ghost_ptr_token.rs" 5 15 5 46] ptr_from_box0 _3 (1 : int32)); + [#"../ghost_ptr_token.rs" 5 15 5 46] ptr1 <- ([#"../ghost_ptr_token.rs" 5 15 5 46] ptr_from_box0 _3 ([#"../ghost_ptr_token.rs" 5 43 5 44] (1 : int32))); _3 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32); goto BB3 } @@ -384,7 +397,7 @@ module GhostPtrToken_Test goto BB4 } BB4 { - [#"../ghost_ptr_token.rs" 6 15 6 46] ptr2 <- ([#"../ghost_ptr_token.rs" 6 15 6 46] ptr_from_box0 _6 (2 : int32)); + [#"../ghost_ptr_token.rs" 6 15 6 46] ptr2 <- ([#"../ghost_ptr_token.rs" 6 15 6 46] ptr_from_box0 _6 ([#"../ghost_ptr_token.rs" 6 43 6 44] (2 : int32))); _6 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32); goto BB5 } @@ -502,7 +515,7 @@ module GhostPtrToken_Test end } BB18 { - [#"../ghost_ptr_token.rs" 3 14 18 1] _0 <- ([#"../ghost_ptr_token.rs" 3 14 18 1] ()); + [#"../ghost_ptr_token.rs" 3 14 18 1] _0 <- ([#"../ghost_ptr_token.rs" 3 14 18 1] [#"../ghost_ptr_token.rs" 3 14 18 1] ()); return _0 } BB19 { diff --git a/creusot/tests/should_succeed/hashmap.mlcfg b/creusot/tests/should_succeed/hashmap.mlcfg index 8decff6f31..9e997d3136 100644 --- a/creusot/tests/should_succeed/hashmap.mlcfg +++ b/creusot/tests/should_succeed/hashmap.mlcfg 
@@ -153,7 +153,8 @@ module Hashmap_Impl5_New requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model2 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model2 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -258,26 +259,30 @@ module Hashmap_Impl5_New predicate good_bucket0 [#"../hashmap.rs" 200 4 200 57] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) (l : Hashmap_List_Type.t_list (k, v)) (h : int) = - [#"../hashmap.rs" 201 8 203 9] forall v : v . forall k : deep_model_ty0 . inv5 v -> inv0 k -> get1 l k = Core_Option_Option_Type.C_Some v -> bucket_ix0 self k = h + [#"../hashmap.rs" 201 8 203 9] forall v : v . forall k : deep_model_ty0 . inv5 v + -> inv0 k -> get1 l k = Core_Option_Option_Type.C_Some v -> bucket_ix0 self k = h val good_bucket0 [#"../hashmap.rs" 200 4 200 57] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) (l : Hashmap_List_Type.t_list (k, v)) (h : int) : bool ensures { result = good_bucket0 self l h } use prelude.Borrow predicate hashmap_inv0 [#"../hashmap.rs" 209 4 209 33] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) = - [#"../hashmap.rs" 210 8 213 9] 0 < Seq.length (shallow_model2 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model2 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) -> good_bucket0 self (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i) i /\ no_double_binding0 (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i)) + [#"../hashmap.rs" 210 8 213 9] 0 < Seq.length (shallow_model2 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) /\ (forall i : int . 
0 <= i /\ i < Seq.length (shallow_model2 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) + -> good_bucket0 self (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i) i /\ no_double_binding0 (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i)) val hashmap_inv0 [#"../hashmap.rs" 209 4 209 33] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) : bool ensures { result = hashmap_inv0 self } val from_elem0 (elem : Hashmap_List_Type.t_list (k, v)) (n : usize) : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global) requires {inv2 elem} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model2 result) = UIntSize.to_int n } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic0 result i = elem } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic0 result i = elem } ensures { inv3 result } let rec cfg new [#"../hashmap.rs" 98 4 98 46] [@cfg:stackify] [@cfg:subregion_analysis] (size : usize) : Hashmap_MyHashMap_Type.t_myhashmap k v requires {[#"../hashmap.rs" 95 15 95 24] 0 < UIntSize.to_int size} ensures { [#"../hashmap.rs" 96 14 96 34] hashmap_inv0 result } - ensures { [#"../hashmap.rs" 97 4 97 64] forall i : deep_model_ty0 . inv0 i -> Map.get (shallow_model1 result) i = Core_Option_Option_Type.C_None } + ensures { [#"../hashmap.rs" 97 4 97 64] forall i : deep_model_ty0 . inv0 i + -> Map.get (shallow_model1 result) i = Core_Option_Option_Type.C_None } ensures { [#"../hashmap.rs" 98 31 98 46] inv1 result } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -491,7 +496,8 @@ module Hashmap_Impl5_Add requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv17 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv17 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) predicate invariant1 (self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -587,12 +593,14 @@ module Hashmap_Impl5_Add predicate good_bucket0 [#"../hashmap.rs" 200 4 200 57] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) (l : Hashmap_List_Type.t_list (k, v)) (h : int) = - [#"../hashmap.rs" 201 8 203 9] forall v : v . forall k : deep_model_ty0 . inv7 v -> inv5 k -> get0 l k = Core_Option_Option_Type.C_Some v -> bucket_ix0 self k = h + [#"../hashmap.rs" 201 8 203 9] forall v : v . forall k : deep_model_ty0 . inv7 v + -> inv5 k -> get0 l k = Core_Option_Option_Type.C_Some v -> bucket_ix0 self k = h val good_bucket0 [#"../hashmap.rs" 200 4 200 57] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) (l : Hashmap_List_Type.t_list (k, v)) (h : int) : bool ensures { result = good_bucket0 self l h } predicate hashmap_inv0 [#"../hashmap.rs" 209 4 209 33] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) = - [#"../hashmap.rs" 210 8 213 9] 0 < Seq.length (shallow_model6 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model6 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) -> good_bucket0 self (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i) i /\ no_double_binding0 (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i)) + [#"../hashmap.rs" 210 8 213 9] 0 < Seq.length (shallow_model6 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model6 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) + -> good_bucket0 self (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i) i /\ no_double_binding0 (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i)) val hashmap_inv0 [#"../hashmap.rs" 209 4 209 33] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) : bool ensures { result = hashmap_inv0 self } 
@@ -651,7 +659,8 @@ module Hashmap_Impl5_Add predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq (Hashmap_List_Type.t_list (k, v))) (fin : Seq.seq (Hashmap_List_Type.t_list (k, v))) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq (Hashmap_List_Type.t_list (k, v))) (fin : Seq.seq (Hashmap_List_Type.t_list (k, v))) : bool ensures { result = resolve_elswhere0 self old' fin } @@ -712,7 +721,8 @@ module Hashmap_Impl5_Add requires {[#"../hashmap.rs" 106 26 106 29] inv6 key} requires {[#"../hashmap.rs" 106 34 106 37] inv7 val'} ensures { [#"../hashmap.rs" 104 14 104 35] hashmap_inv0 ( ^ self) } - ensures { [#"../hashmap.rs" 105 4 105 124] forall i : deep_model_ty0 . inv5 i -> Map.get (shallow_model1 ( ^ self)) i = (if i = deep_model0 key then + ensures { [#"../hashmap.rs" 105 4 105 124] forall i : deep_model_ty0 . inv5 i + -> Map.get (shallow_model1 ( ^ self)) i = (if i = deep_model0 key then Core_Option_Option_Type.C_Some val' else Map.get (shallow_model2 self) i @@ -766,7 +776,7 @@ module Hashmap_Impl5_Add [#"../hashmap.rs" 110 27 110 46] _12 <- ([#"../hashmap.rs" 110 27 110 46] UIntSize.of_int (UInt64.to_int _13)); _13 <- any uint64; [#"../hashmap.rs" 110 49 110 55] _15 <- ([#"../hashmap.rs" 110 49 110 55] length); - [#"../hashmap.rs" 110 27 110 55] _16 <- ([#"../hashmap.rs" 110 27 110 55] _15 = (0 : usize)); + [#"../hashmap.rs" 110 27 110 55] _16 <- ([#"../hashmap.rs" 110 27 110 55] _15 = ([#"../hashmap.rs" 110 27 110 55] (0 : usize))); assert { [@expl:remainder by zero] [#"../hashmap.rs" 110 27 110 55] not _16 }; goto BB4 } 
@@ -800,11 +810,16 @@ module Hashmap_Impl5_Add } BB7 { invariant { [#"../hashmap.rs" 114 20 114 52] good_bucket0 ( * Snapshot.inner old_self) ( * l) (UIntSize.to_int index) }; - invariant { [#"../hashmap.rs" 114 8 114 54] good_bucket0 ( * Snapshot.inner old_self) ( ^ l) (UIntSize.to_int index) -> good_bucket0 ( * Snapshot.inner old_self) ( ^ Snapshot.inner old_l) (UIntSize.to_int index) }; - invariant { [#"../hashmap.rs" 114 8 114 54] get0 ( ^ l) (deep_model0 key) = Core_Option_Option_Type.C_Some val' -> get0 ( ^ Snapshot.inner old_l) (deep_model0 key) = Core_Option_Option_Type.C_Some val' }; - invariant { [#"../hashmap.rs" 114 8 114 54] forall i : deep_model_ty0 . inv5 i -> get0 ( ^ l) i = get0 ( * l) i -> get0 ( ^ Snapshot.inner old_l) i = get0 ( * Snapshot.inner old_l) i }; + invariant { [#"../hashmap.rs" 114 8 114 54] good_bucket0 ( * Snapshot.inner old_self) ( ^ l) (UIntSize.to_int index) + -> good_bucket0 ( * Snapshot.inner old_self) ( ^ Snapshot.inner old_l) (UIntSize.to_int index) }; + invariant { [#"../hashmap.rs" 114 8 114 54] get0 ( ^ l) (deep_model0 key) = Core_Option_Option_Type.C_Some val' + -> get0 ( ^ Snapshot.inner old_l) (deep_model0 key) = Core_Option_Option_Type.C_Some val' }; + invariant { [#"../hashmap.rs" 114 8 114 54] forall i : deep_model_ty0 . inv5 i + -> get0 ( ^ l) i = get0 ( * l) i -> get0 ( ^ Snapshot.inner old_l) i = get0 ( * Snapshot.inner old_l) i }; invariant { [#"../hashmap.rs" 118 20 118 44] no_double_binding0 ( * l) }; - invariant { [#"../hashmap.rs" 114 8 114 54] (forall i : deep_model_ty0 . inv5 i -> get0 ( * l) i = get0 ( ^ l) i \/ i = deep_model0 key) /\ no_double_binding0 ( ^ l) -> no_double_binding0 ( ^ Snapshot.inner old_l) }; + invariant { [#"../hashmap.rs" 114 8 114 54] (forall i : deep_model_ty0 . inv5 i + -> get0 ( * l) i = get0 ( ^ l) i \/ i = deep_model0 key) /\ no_double_binding0 ( ^ l) + -> no_double_binding0 ( ^ Snapshot.inner old_l) }; goto BB8 } BB8 { 
@@ -858,7 +873,7 @@ module Hashmap_Impl5_Add assert { [@expl:type invariant] inv12 self }; assume { resolve8 self }; assert { [@expl:assertion] [#"../hashmap.rs" 125 32 125 52] hashmap_inv0 ( * self) }; - [#"../hashmap.rs" 126 16 126 22] _0 <- ([#"../hashmap.rs" 126 16 126 22] ()); + [#"../hashmap.rs" 126 16 126 22] _0 <- ([#"../hashmap.rs" 126 16 126 22] [#"../hashmap.rs" 126 16 126 22] ()); goto BB20 } BB13 { @@ -915,7 +930,7 @@ module Hashmap_Impl5_Add assert { [@expl:type invariant] inv12 self }; assume { resolve8 self }; assert { [@expl:assertion] [#"../hashmap.rs" 133 24 133 44] hashmap_inv0 ( * self) }; - [#"../hashmap.rs" 106 42 134 5] _0 <- ([#"../hashmap.rs" 106 42 134 5] ()); + [#"../hashmap.rs" 106 42 134 5] _0 <- ([#"../hashmap.rs" 106 42 134 5] [#"../hashmap.rs" 106 42 134 5] ()); goto BB20 } BB20 { @@ -974,7 +989,8 @@ module Hashmap_Impl5_Get requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) predicate invariant9 (self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -1142,12 +1158,14 @@ module Hashmap_Impl5_Get predicate good_bucket0 [#"../hashmap.rs" 200 4 200 57] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) (l : Hashmap_List_Type.t_list (k, v)) (h : int) = - [#"../hashmap.rs" 201 8 203 9] forall v : v . forall k : deep_model_ty0 . inv11 v -> inv12 k -> get0 l k = Core_Option_Option_Type.C_Some v -> bucket_ix0 self k = h + [#"../hashmap.rs" 201 8 203 9] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv12 k -> get0 l k = Core_Option_Option_Type.C_Some v -> bucket_ix0 self k = h val good_bucket0 [#"../hashmap.rs" 200 4 200 57] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) (l : Hashmap_List_Type.t_list (k, v)) (h : int) : bool ensures { result = good_bucket0 self l h } predicate hashmap_inv0 [#"../hashmap.rs" 209 4 209 33] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) = - [#"../hashmap.rs" 210 8 213 9] 0 < Seq.length (shallow_model4 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) -> good_bucket0 self (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i) i /\ no_double_binding0 (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i)) + [#"../hashmap.rs" 210 8 213 9] 0 < Seq.length (shallow_model4 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) + -> good_bucket0 self (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i) i /\ no_double_binding0 (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i)) val hashmap_inv0 [#"../hashmap.rs" 209 4 209 33] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) : bool ensures { result = hashmap_inv0 self } 
@@ -1262,7 +1280,7 @@ module Hashmap_Impl5_Get goto BB2 } BB2 { - [#"../hashmap.rs" 142 27 142 67] _12 <- ([#"../hashmap.rs" 142 27 142 67] _10 = (0 : usize)); + [#"../hashmap.rs" 142 27 142 67] _12 <- ([#"../hashmap.rs" 142 27 142 67] _10 = ([#"../hashmap.rs" 142 27 142 67] (0 : usize))); assert { [@expl:remainder by zero] [#"../hashmap.rs" 142 27 142 67] not _12 }; goto BB3 } @@ -1454,7 +1472,8 @@ module Hashmap_Impl5_Resize requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv11 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv11 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -1585,12 +1604,14 @@ module Hashmap_Impl5_Resize predicate good_bucket0 [#"../hashmap.rs" 200 4 200 57] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) (l : Hashmap_List_Type.t_list (k, v)) (h : int) = - [#"../hashmap.rs" 201 8 203 9] forall v : v . forall k : deep_model_ty0 . inv8 v -> inv1 k -> get1 l k = Core_Option_Option_Type.C_Some v -> bucket_ix0 self k = h + [#"../hashmap.rs" 201 8 203 9] forall v : v . forall k : deep_model_ty0 . inv8 v + -> inv1 k -> get1 l k = Core_Option_Option_Type.C_Some v -> bucket_ix0 self k = h val good_bucket0 [#"../hashmap.rs" 200 4 200 57] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) (l : Hashmap_List_Type.t_list (k, v)) (h : int) : bool ensures { result = good_bucket0 self l h } predicate hashmap_inv0 [#"../hashmap.rs" 209 4 209 33] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) = - [#"../hashmap.rs" 210 8 213 9] 0 < Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) -> good_bucket0 self (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i) i /\ no_double_binding0 (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i)) + [#"../hashmap.rs" 210 8 213 9] 0 < Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) + -> good_bucket0 self (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i) i /\ no_double_binding0 (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i)) val hashmap_inv0 [#"../hashmap.rs" 209 4 209 33] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) : bool ensures { result = hashmap_inv0 self } 
@@ -1600,7 +1621,8 @@ module Hashmap_Impl5_Resize requires {[#"../hashmap.rs" 106 26 106 29] inv7 key} requires {[#"../hashmap.rs" 106 34 106 37] inv8 val'} ensures { [#"../hashmap.rs" 104 14 104 35] hashmap_inv0 ( ^ self) } - ensures { [#"../hashmap.rs" 105 4 105 124] forall i : deep_model_ty0 . inv1 i -> Map.get (shallow_model2 ( ^ self)) i = (if i = deep_model0 key then + ensures { [#"../hashmap.rs" 105 4 105 124] forall i : deep_model_ty0 . inv1 i + -> Map.get (shallow_model2 ( ^ self)) i = (if i = deep_model0 key then Core_Option_Option_Type.C_Some val' else Map.get (shallow_model4 self) i @@ -1630,7 +1652,8 @@ module Hashmap_Impl5_Resize predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq (Hashmap_List_Type.t_list (k, v))) (fin : Seq.seq (Hashmap_List_Type.t_list (k, v))) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq (Hashmap_List_Type.t_list (k, v))) (fin : Seq.seq (Hashmap_List_Type.t_list (k, v))) : bool ensures { result = resolve_elswhere0 self old' fin } 
@@ -1691,7 +1714,8 @@ module Hashmap_Impl5_Resize val new1 [#"../hashmap.rs" 98 4 98 46] (size : usize) : Hashmap_MyHashMap_Type.t_myhashmap k v requires {[#"../hashmap.rs" 95 15 95 24] 0 < UIntSize.to_int size} ensures { [#"../hashmap.rs" 96 14 96 34] hashmap_inv0 result } - ensures { [#"../hashmap.rs" 97 4 97 64] forall i : deep_model_ty0 . inv1 i -> Map.get (shallow_model2 result) i = Core_Option_Option_Type.C_None } + ensures { [#"../hashmap.rs" 97 4 97 64] forall i : deep_model_ty0 . inv1 i + -> Map.get (shallow_model2 result) i = Core_Option_Option_Type.C_None } ensures { [#"../hashmap.rs" 98 31 98 46] inv2 result } function shallow_model5 (self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (Hashmap_List_Type.t_list (k, v)) @@ -1715,7 +1739,8 @@ module Hashmap_Impl5_Resize requires {[#"../hashmap.rs" 157 15 157 36] hashmap_inv0 ( * self)} requires {[#"../hashmap.rs" 161 19 161 23] inv3 self} ensures { [#"../hashmap.rs" 158 14 158 35] hashmap_inv0 ( ^ self) } - ensures { [#"../hashmap.rs" 159 4 159 74] forall k : deep_model_ty0 . inv1 k -> Map.get (shallow_model2 ( ^ self)) k = Map.get (shallow_model4 self) k } + ensures { [#"../hashmap.rs" 159 4 159 74] forall k : deep_model_ty0 . inv1 k + -> Map.get (shallow_model2 ( ^ self)) k = Map.get (shallow_model4 self) k } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); 
@@ -1753,14 +1778,14 @@ module Hashmap_Impl5_Resize goto BB2 } BB2 { - [#"../hashmap.rs" 163 32 163 54] _9 <- ([#"../hashmap.rs" 163 32 163 54] _10 * (2 : usize)); + [#"../hashmap.rs" 163 32 163 54] _9 <- ([#"../hashmap.rs" 163 32 163 54] _10 * ([#"../hashmap.rs" 163 53 163 54] (2 : usize))); _10 <- any usize; [#"../hashmap.rs" 163 22 163 55] new <- ([#"../hashmap.rs" 163 22 163 55] new1 _9); _9 <- any usize; goto BB3 } BB3 { - [#"../hashmap.rs" 165 27 165 28] i <- ([#"../hashmap.rs" 165 27 165 28] (0 : usize)); + [#"../hashmap.rs" 165 27 165 28] i <- ([#"../hashmap.rs" 165 27 165 28] [#"../hashmap.rs" 165 27 165 28] (0 : usize)); goto BB4 } BB4 { 
@@ -1770,9 +1795,14 @@ module Hashmap_Impl5_Resize goto BB6 } BB6 { - invariant { [#"../hashmap.rs" 166 8 166 111] forall k : deep_model_ty0 . inv1 k -> bucket_ix0 ( * Snapshot.inner old_self) k < UIntSize.to_int i -> Map.get (shallow_model1 old_self) k = Map.get (shallow_model2 new) k }; - invariant { [#"../hashmap.rs" 166 8 166 111] forall k : deep_model_ty0 . inv1 k -> UIntSize.to_int i <= bucket_ix0 ( * Snapshot.inner old_self) k /\ bucket_ix0 ( * Snapshot.inner old_self) k <= Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Snapshot.inner old_self))) -> Map.get (shallow_model2 new) k = Core_Option_Option_Type.C_None }; - invariant { [#"../hashmap.rs" 166 8 166 111] forall j : int . UIntSize.to_int i <= j /\ j < Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Snapshot.inner old_self))) -> index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * self)) j = index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Snapshot.inner old_self)) j }; + invariant { [#"../hashmap.rs" 166 8 166 111] forall k : deep_model_ty0 . inv1 k + -> bucket_ix0 ( * Snapshot.inner old_self) k < UIntSize.to_int i + -> Map.get (shallow_model1 old_self) k = Map.get (shallow_model2 new) k }; + invariant { [#"../hashmap.rs" 166 8 166 111] forall k : deep_model_ty0 . inv1 k + -> UIntSize.to_int i <= bucket_ix0 ( * Snapshot.inner old_self) k /\ bucket_ix0 ( * Snapshot.inner old_self) k <= Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Snapshot.inner old_self))) + -> Map.get (shallow_model2 new) k = Core_Option_Option_Type.C_None }; + invariant { [#"../hashmap.rs" 166 8 166 111] forall j : int . 
UIntSize.to_int i <= j /\ j < Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Snapshot.inner old_self))) + -> index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * self)) j = index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Snapshot.inner old_self)) j }; invariant { [#"../hashmap.rs" 172 20 172 37] hashmap_inv0 new }; invariant { [#"../hashmap.rs" 173 20 173 46] ^ Snapshot.inner old_self = ^ self }; invariant { [#"../hashmap.rs" 174 20 174 66] Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Snapshot.inner old_self))) = Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * self))) }; 
@@ -1836,9 +1866,15 @@ module Hashmap_Impl5_Resize } BB17 { invariant { [#"../hashmap.rs" 179 24 179 41] hashmap_inv0 new }; - invariant { [#"../hashmap.rs" 179 12 179 43] forall k : deep_model_ty0 . inv1 k -> bucket_ix0 ( * Snapshot.inner old_self) k < UIntSize.to_int i -> Map.get (shallow_model1 old_self) k = Map.get (shallow_model2 new) k }; - invariant { [#"../hashmap.rs" 179 12 179 43] forall k : deep_model_ty0 . inv1 k -> UIntSize.to_int i < bucket_ix0 ( * Snapshot.inner old_self) k /\ bucket_ix0 ( * Snapshot.inner old_self) k <= Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Snapshot.inner old_self))) -> Map.get (shallow_model2 new) k = Core_Option_Option_Type.C_None }; - invariant { [#"../hashmap.rs" 179 12 179 43] forall k : deep_model_ty0 . inv1 k -> bucket_ix0 ( * Snapshot.inner old_self) k = UIntSize.to_int i -> Map.get (shallow_model1 old_self) k = match get1 l k with + invariant { [#"../hashmap.rs" 179 12 179 43] forall k : deep_model_ty0 . inv1 k + -> bucket_ix0 ( * Snapshot.inner old_self) k < UIntSize.to_int i + -> Map.get (shallow_model1 old_self) k = Map.get (shallow_model2 new) k }; + invariant { [#"../hashmap.rs" 179 12 179 43] forall k : deep_model_ty0 . inv1 k + -> UIntSize.to_int i < bucket_ix0 ( * Snapshot.inner old_self) k /\ bucket_ix0 ( * Snapshot.inner old_self) k <= Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Snapshot.inner old_self))) + -> Map.get (shallow_model2 new) k = Core_Option_Option_Type.C_None }; + invariant { [#"../hashmap.rs" 179 12 179 43] forall k : deep_model_ty0 . inv1 k + -> bucket_ix0 ( * Snapshot.inner old_self) k = UIntSize.to_int i + -> Map.get (shallow_model1 old_self) k = match get1 l k with | Core_Option_Option_Type.C_None -> Map.get (shallow_model2 new) k | Core_Option_Option_Type.C_Some v -> Core_Option_Option_Type.C_Some v end }; 
@@ -1884,21 +1920,23 @@ module Hashmap_Impl5_Resize goto BB24 } BB24 { - [#"../hashmap.rs" 188 49 191 13] _21 <- ([#"../hashmap.rs" 188 49 191 13] ()); + [#"../hashmap.rs" 188 49 191 13] _21 <- ([#"../hashmap.rs" 188 49 191 13] [#"../hashmap.rs" 188 49 191 13] ()); goto BB26 } BB25 { assert { [@expl:type invariant] inv5 l }; assume { resolve4 l }; - assert { [@expl:assertion] [#"../hashmap.rs" 192 12 192 121] forall k : deep_model_ty0 . inv1 k -> bucket_ix0 ( * Snapshot.inner old_self) k = UIntSize.to_int i -> Map.get (shallow_model1 old_self) k = Map.get (shallow_model2 new) k }; + assert { [@expl:assertion] [#"../hashmap.rs" 192 12 192 121] forall k : deep_model_ty0 . inv1 k + -> bucket_ix0 ( * Snapshot.inner old_self) k = UIntSize.to_int i + -> Map.get (shallow_model1 old_self) k = Map.get (shallow_model2 new) k }; goto BB27 } BB26 { goto BB17 } BB27 { - [#"../hashmap.rs" 193 12 193 18] i <- ([#"../hashmap.rs" 193 12 193 18] i + (1 : usize)); - [#"../hashmap.rs" 176 37 194 9] _21 <- ([#"../hashmap.rs" 176 37 194 9] ()); + [#"../hashmap.rs" 193 12 193 18] i <- ([#"../hashmap.rs" 193 12 193 18] i + ([#"../hashmap.rs" 193 17 193 18] (1 : usize))); + [#"../hashmap.rs" 176 37 194 9] _21 <- ([#"../hashmap.rs" 176 37 194 9] [#"../hashmap.rs" 176 37 194 9] ()); goto BB28 } BB28 { @@ -1917,7 +1955,7 @@ module Hashmap_Impl5_Resize goto BB32 } BB32 { - [#"../hashmap.rs" 161 25 197 5] _0 <- ([#"../hashmap.rs" 161 25 197 5] ()); + [#"../hashmap.rs" 161 25 197 5] _0 <- ([#"../hashmap.rs" 161 25 197 5] [#"../hashmap.rs" 161 25 197 5] ()); goto BB33 } BB33 { 
@@ -1958,7 +1996,8 @@ module Hashmap_Main requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (usize, isize)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (usize, isize)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) predicate invariant7 (self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (usize, isize)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -2116,12 +2155,14 @@ module Hashmap_Main predicate good_bucket0 [#"../hashmap.rs" 200 4 200 57] (self : Hashmap_MyHashMap_Type.t_myhashmap usize isize) (l : Hashmap_List_Type.t_list (usize, isize)) (h : int) = - [#"../hashmap.rs" 201 8 203 9] forall v : isize . forall k : int . inv6 v -> inv0 k -> get2 l k = Core_Option_Option_Type.C_Some v -> bucket_ix0 self k = h + [#"../hashmap.rs" 201 8 203 9] forall v : isize . forall k : int . inv6 v + -> inv0 k -> get2 l k = Core_Option_Option_Type.C_Some v -> bucket_ix0 self k = h val good_bucket0 [#"../hashmap.rs" 200 4 200 57] (self : Hashmap_MyHashMap_Type.t_myhashmap usize isize) (l : Hashmap_List_Type.t_list (usize, isize)) (h : int) : bool ensures { result = good_bucket0 self l h } predicate hashmap_inv0 [#"../hashmap.rs" 209 4 209 33] (self : Hashmap_MyHashMap_Type.t_myhashmap usize isize) = - [#"../hashmap.rs" 210 8 213 9] 0 < Seq.length (shallow_model4 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) -> good_bucket0 self (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i) i /\ no_double_binding0 (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i)) + [#"../hashmap.rs" 210 8 213 9] 0 < Seq.length (shallow_model4 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) + -> good_bucket0 self (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i) i /\ no_double_binding0 (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i)) val hashmap_inv0 [#"../hashmap.rs" 209 4 209 33] (self : Hashmap_MyHashMap_Type.t_myhashmap usize isize) : bool ensures { result = hashmap_inv0 self } 
@@ -2131,7 +2172,8 @@ module Hashmap_Main requires {[#"../hashmap.rs" 106 26 106 29] inv3 key} requires {[#"../hashmap.rs" 106 34 106 37] inv6 val'} ensures { [#"../hashmap.rs" 104 14 104 35] hashmap_inv0 ( ^ self) } - ensures { [#"../hashmap.rs" 105 4 105 124] forall i : int . inv0 i -> Map.get (shallow_model1 ( ^ self)) i = (if i = deep_model0 key then + ensures { [#"../hashmap.rs" 105 4 105 124] forall i : int . inv0 i + -> Map.get (shallow_model1 ( ^ self)) i = (if i = deep_model0 key then Core_Option_Option_Type.C_Some val' else Map.get (shallow_model3 self) i @@ -2157,7 +2199,8 @@ module Hashmap_Main val new0 [#"../hashmap.rs" 98 4 98 46] (size : usize) : Hashmap_MyHashMap_Type.t_myhashmap usize isize requires {[#"../hashmap.rs" 95 15 95 24] 0 < UIntSize.to_int size} ensures { [#"../hashmap.rs" 96 14 96 34] hashmap_inv0 result } - ensures { [#"../hashmap.rs" 97 4 97 64] forall i : int . inv0 i -> Map.get (shallow_model1 result) i = Core_Option_Option_Type.C_None } + ensures { [#"../hashmap.rs" 97 4 97 64] forall i : int . inv0 i + -> Map.get (shallow_model1 result) i = Core_Option_Option_Type.C_None } ensures { [#"../hashmap.rs" 98 31 98 46] inv1 result } let rec cfg main [#"../hashmap.rs" 217 0 217 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () 
@@ -2185,56 +2228,56 @@ module Hashmap_Main goto BB0 } BB0 { - [#"../hashmap.rs" 224 42 224 60] h1 <- ([#"../hashmap.rs" 224 42 224 60] new0 (17 : usize)); + [#"../hashmap.rs" 224 42 224 60] h1 <- ([#"../hashmap.rs" 224 42 224 60] new0 ([#"../hashmap.rs" 224 57 224 59] (17 : usize))); goto BB1 } BB1 { - [#"../hashmap.rs" 225 42 225 60] h2 <- ([#"../hashmap.rs" 225 42 225 60] new0 (42 : usize)); + [#"../hashmap.rs" 225 42 225 60] h2 <- ([#"../hashmap.rs" 225 42 225 60] new0 ([#"../hashmap.rs" 225 57 225 59] (42 : usize))); goto BB2 } BB2 { - [#"../hashmap.rs" 226 17 226 26] _x <- ([#"../hashmap.rs" 226 17 226 26] get0 h1 (1 : usize)); + [#"../hashmap.rs" 226 17 226 26] _x <- ([#"../hashmap.rs" 226 17 226 26] get0 h1 ([#"../hashmap.rs" 226 24 226 25] (1 : usize))); goto BB3 } BB3 { - [#"../hashmap.rs" 227 17 227 26] _y <- ([#"../hashmap.rs" 227 17 227 26] get0 h1 (2 : usize)); + [#"../hashmap.rs" 227 17 227 26] _y <- ([#"../hashmap.rs" 227 17 227 26] get0 h1 ([#"../hashmap.rs" 227 24 227 25] (2 : usize))); goto BB4 } BB4 { - [#"../hashmap.rs" 228 17 228 26] _z <- ([#"../hashmap.rs" 228 17 228 26] get0 h2 (1 : usize)); + [#"../hashmap.rs" 228 17 228 26] _z <- ([#"../hashmap.rs" 228 17 228 26] get0 h2 ([#"../hashmap.rs" 228 24 228 25] (1 : usize))); goto BB5 } BB5 { - [#"../hashmap.rs" 229 17 229 26] _t <- ([#"../hashmap.rs" 229 17 229 26] get0 h2 (2 : usize)); + [#"../hashmap.rs" 229 17 229 26] _t <- ([#"../hashmap.rs" 229 17 229 26] get0 h2 ([#"../hashmap.rs" 229 24 229 25] (2 : usize))); goto BB6 } BB6 { [#"../hashmap.rs" 233 4 233 6] _12 <- Borrow.borrow_mut h1; [#"../hashmap.rs" 233 4 233 6] h1 <- ^ _12; - [#"../hashmap.rs" 233 4 233 17] _11 <- ([#"../hashmap.rs" 233 4 233 17] add0 _12 (1 : usize) (17 : isize)); + [#"../hashmap.rs" 233 4 233 17] _11 <- ([#"../hashmap.rs" 233 4 233 17] add0 _12 ([#"../hashmap.rs" 233 11 233 12] (1 : usize)) ([#"../hashmap.rs" 233 14 233 16] (17 : isize))); _12 <- any borrowed (Hashmap_MyHashMap_Type.t_myhashmap usize isize); goto 
BB7 } BB7 { - [#"../hashmap.rs" 234 9 234 18] _13 <- ([#"../hashmap.rs" 234 9 234 18] get0 h1 (1 : usize)); + [#"../hashmap.rs" 234 9 234 18] _13 <- ([#"../hashmap.rs" 234 9 234 18] get0 h1 ([#"../hashmap.rs" 234 16 234 17] (1 : usize))); goto BB8 } BB8 { [#"../hashmap.rs" 234 4 234 18] _x <- ([#"../hashmap.rs" 234 4 234 18] _13); _13 <- any Core_Option_Option_Type.t_option isize; - [#"../hashmap.rs" 235 9 235 18] _15 <- ([#"../hashmap.rs" 235 9 235 18] get0 h1 (2 : usize)); + [#"../hashmap.rs" 235 9 235 18] _15 <- ([#"../hashmap.rs" 235 9 235 18] get0 h1 ([#"../hashmap.rs" 235 16 235 17] (2 : usize))); goto BB9 } BB9 { [#"../hashmap.rs" 235 4 235 18] _y <- ([#"../hashmap.rs" 235 4 235 18] _15); _15 <- any Core_Option_Option_Type.t_option isize; - [#"../hashmap.rs" 236 9 236 18] _17 <- ([#"../hashmap.rs" 236 9 236 18] get0 h2 (1 : usize)); + [#"../hashmap.rs" 236 9 236 18] _17 <- ([#"../hashmap.rs" 236 9 236 18] get0 h2 ([#"../hashmap.rs" 236 16 236 17] (1 : usize))); goto BB10 } BB10 { [#"../hashmap.rs" 236 4 236 18] _z <- ([#"../hashmap.rs" 236 4 236 18] _17); _17 <- any Core_Option_Option_Type.t_option isize; - [#"../hashmap.rs" 237 9 237 18] _19 <- ([#"../hashmap.rs" 237 9 237 18] get0 h2 (2 : usize)); + [#"../hashmap.rs" 237 9 237 18] _19 <- ([#"../hashmap.rs" 237 9 237 18] get0 h2 ([#"../hashmap.rs" 237 16 237 17] (2 : usize))); goto BB11 } BB11 { 
@@ -2242,36 +2285,36 @@ module Hashmap_Main _19 <- any Core_Option_Option_Type.t_option isize; [#"../hashmap.rs" 240 4 240 6] _22 <- Borrow.borrow_mut h2; [#"../hashmap.rs" 240 4 240 6] h2 <- ^ _22; - [#"../hashmap.rs" 240 4 240 17] _21 <- ([#"../hashmap.rs" 240 4 240 17] add0 _22 (1 : usize) (42 : isize)); + [#"../hashmap.rs" 240 4 240 17] _21 <- ([#"../hashmap.rs" 240 4 240 17] add0 _22 ([#"../hashmap.rs" 240 11 240 12] (1 : usize)) ([#"../hashmap.rs" 240 14 240 16] (42 : isize))); _22 <- any borrowed (Hashmap_MyHashMap_Type.t_myhashmap usize isize); goto BB12 } BB12 { - [#"../hashmap.rs" 241 9 241 18] _23 <- ([#"../hashmap.rs" 241 9 241 18] get0 h1 (1 : usize)); + [#"../hashmap.rs" 241 9 241 18] _23 <- ([#"../hashmap.rs" 241 9 241 18] get0 h1 ([#"../hashmap.rs" 241 16 241 17] (1 : usize))); goto BB13 } BB13 { [#"../hashmap.rs" 241 4 241 18] _x <- ([#"../hashmap.rs" 241 4 241 18] _23); _23 <- any Core_Option_Option_Type.t_option isize; - [#"../hashmap.rs" 242 9 242 18] _25 <- ([#"../hashmap.rs" 242 9 242 18] get0 h1 (2 : usize)); + [#"../hashmap.rs" 242 9 242 18] _25 <- ([#"../hashmap.rs" 242 9 242 18] get0 h1 ([#"../hashmap.rs" 242 16 242 17] (2 : usize))); goto BB14 } BB14 { [#"../hashmap.rs" 242 4 242 18] _y <- ([#"../hashmap.rs" 242 4 242 18] _25); _25 <- any Core_Option_Option_Type.t_option isize; - [#"../hashmap.rs" 243 9 243 18] _27 <- ([#"../hashmap.rs" 243 9 243 18] get0 h2 (1 : usize)); + [#"../hashmap.rs" 243 9 243 18] _27 <- ([#"../hashmap.rs" 243 9 243 18] get0 h2 ([#"../hashmap.rs" 243 16 243 17] (1 : usize))); goto BB15 } BB15 { [#"../hashmap.rs" 243 4 243 18] _z <- ([#"../hashmap.rs" 243 4 243 18] _27); _27 <- any Core_Option_Option_Type.t_option isize; - [#"../hashmap.rs" 244 9 244 18] _29 <- ([#"../hashmap.rs" 244 9 244 18] get0 h2 (2 : usize)); + [#"../hashmap.rs" 244 9 244 18] _29 <- ([#"../hashmap.rs" 244 9 244 18] get0 h2 ([#"../hashmap.rs" 244 16 244 17] (2 : usize))); goto BB16 } BB16 { [#"../hashmap.rs" 244 4 244 18] _t <- 
([#"../hashmap.rs" 244 4 244 18] _29); _29 <- any Core_Option_Option_Type.t_option isize; - [#"../hashmap.rs" 217 14 247 1] _0 <- ([#"../hashmap.rs" 217 14 247 1] ()); + [#"../hashmap.rs" 217 14 247 1] _0 <- ([#"../hashmap.rs" 217 14 247 1] [#"../hashmap.rs" 217 14 247 1] ()); goto BB17 } BB17 { @@ -2304,7 +2347,9 @@ module Hashmap_Impl0 axiom inv0 : forall x : Hashmap_List_Type.t_list t . inv0 x = true use prelude.Borrow - goal clone'_refn : [#"../hashmap.rs" 16 4 16 27] forall self : Hashmap_List_Type.t_list t . inv0 self -> inv0 self /\ (forall result : Hashmap_List_Type.t_list t . inv1 result /\ result = self -> inv1 result /\ result = self) + goal clone'_refn : [#"../hashmap.rs" 16 4 16 27] forall self : Hashmap_List_Type.t_list t . inv0 self + -> inv0 self /\ (forall result : Hashmap_List_Type.t_list t . inv1 result /\ result = self + -> inv1 result /\ result = self) end module Hashmap_Impl2 use prelude.UIntSize @@ -2339,7 +2384,9 @@ module Hashmap_Impl2 use prelude.UInt64 use prelude.UInt64 - goal hash_refn : [#"../hashmap.rs" 59 4 59 25] forall self : usize . inv0 self -> (forall result : uint64 . UInt64.to_int result = hash_log0 (deep_model0 self) -> UInt64.to_int result = hash_log0 (deep_model0 self)) + goal hash_refn : [#"../hashmap.rs" 59 4 59 25] forall self : usize . inv0 self + -> (forall result : uint64 . UInt64.to_int result = hash_log0 (deep_model0 self) + -> UInt64.to_int result = hash_log0 (deep_model0 self)) end module Hashmap_Impl3 type k diff --git a/creusot/tests/should_succeed/heapsort_generic.mlcfg b/creusot/tests/should_succeed/heapsort_generic.mlcfg index a94fc218d4..1902e99d20 100644 --- a/creusot/tests/should_succeed/heapsort_generic.mlcfg +++ b/creusot/tests/should_succeed/heapsort_generic.mlcfg 
@@ -28,7 +28,9 @@ module HeapsortGeneric_HeapFragMax_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : t) (y : t) : () val antisym20 (x : t) (y : t) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -36,7 +38,10 @@ module HeapsortGeneric_HeapFragMax_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : t) (y : t) : () val antisym10 (x : t) (y : t) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -44,7 +49,10 @@ module HeapsortGeneric_HeapFragMax_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : t) (y : t) (z : t) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : t) (y : t) (z : t) (o : Core_Cmp_Ordering_Type.t_ordering) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o} 
@@ -54,13 +62,19 @@ module HeapsortGeneric_HeapFragMax_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : t, y : t, z : t, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : t, y : t, z : t, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : t) : () val refl0 (x : t) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : t . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : t) (o : t) : bool val gt_log0 (self : t) (o : t) : bool ensures { result = gt_log0 self o } @@ -71,7 +85,9 @@ module HeapsortGeneric_HeapFragMax_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : t) (o : t) : bool val ge_log0 (self : t) (o : t) : bool ensures { result = ge_log0 self o } 
@@ -82,7 +98,9 @@ module HeapsortGeneric_HeapFragMax_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : t) (o : t) : bool val lt_log0 (self : t) (o : t) : bool ensures { result = lt_log0 self o } @@ -93,7 +111,9 @@ module HeapsortGeneric_HeapFragMax_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : t) (o : t) : bool val le_log0 (self : t) (o : t) : bool ensures { result = le_log0 self o } 
@@ -104,7 +124,9 @@ module HeapsortGeneric_HeapFragMax_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use seq.Seq predicate invariant0 (self : Seq.seq t) val invariant0 (self : Seq.seq t) : bool @@ -123,7 +145,8 @@ module HeapsortGeneric_HeapFragMax_Impl use seq.Seq predicate heap_frag0 [#"../heapsort_generic.rs" 15 0 15 66] (s : Seq.seq t) (start : int) (end' : int) = - [#"../heapsort_generic.rs" 16 4 17 26] forall i : int . start <= parent0 i /\ i < end' -> le_log0 (Seq.get s i) (Seq.get s (parent0 i)) + [#"../heapsort_generic.rs" 16 4 17 26] forall i : int . start <= parent0 i /\ i < end' + -> le_log0 (Seq.get s i) (Seq.get s (parent0 i)) val heap_frag0 [#"../heapsort_generic.rs" 15 0 15 66] (s : Seq.seq t) (start : int) (end' : int) : bool ensures { result = heap_frag0 s start end' } 
@@ -131,8 +154,12 @@ module HeapsortGeneric_HeapFragMax_Impl constant i : int constant end' : int function heap_frag_max [#"../heapsort_generic.rs" 25 0 25 58] (s : Seq.seq t) (i : int) (end' : int) : () - goal vc_heap_frag_max : ([#"../heapsort_generic.rs" 25 30 25 31] inv0 s) -> ([#"../heapsort_generic.rs" 22 11 22 28] 0 <= i /\ i < end') -> ([#"../heapsort_generic.rs" 21 11 21 31] heap_frag0 s 0 end') -> match i > 0 with - | True -> ((([#"../heapsort_generic.rs" 25 30 25 31] inv0 s) && ([#"../heapsort_generic.rs" 22 11 22 28] 0 <= parent0 i /\ parent0 i < end') && ([#"../heapsort_generic.rs" 21 11 21 31] heap_frag0 s 0 end')) /\ 0 <= ([#"../heapsort_generic.rs" 24 10 24 11] i) /\ ([#"../heapsort_generic.rs" 24 10 24 11] parent0 i) < ([#"../heapsort_generic.rs" 24 10 24 11] i)) /\ (([#"../heapsort_generic.rs" 23 10 23 22] le_log0 (Seq.get s (parent0 i)) (Seq.get s 0)) -> ([#"../heapsort_generic.rs" 23 10 23 22] le_log0 (Seq.get s i) (Seq.get s 0))) + goal vc_heap_frag_max : ([#"../heapsort_generic.rs" 25 30 25 31] inv0 s) + -> ([#"../heapsort_generic.rs" 22 11 22 28] 0 <= i /\ i < end') + -> ([#"../heapsort_generic.rs" 21 11 21 31] heap_frag0 s 0 end') + -> match i > 0 with + | True -> ((([#"../heapsort_generic.rs" 25 30 25 31] inv0 s) && ([#"../heapsort_generic.rs" 22 11 22 28] 0 <= parent0 i /\ parent0 i < end') && ([#"../heapsort_generic.rs" 21 11 21 31] heap_frag0 s 0 end')) /\ 0 <= ([#"../heapsort_generic.rs" 24 10 24 11] i) /\ ([#"../heapsort_generic.rs" 24 10 24 11] parent0 i) < ([#"../heapsort_generic.rs" 24 10 24 11] i)) /\ (([#"../heapsort_generic.rs" 23 10 23 22] le_log0 (Seq.get s (parent0 i)) (Seq.get s 0)) + -> ([#"../heapsort_generic.rs" 23 10 23 22] le_log0 (Seq.get s i) (Seq.get s 0))) | False -> [#"../heapsort_generic.rs" 23 10 23 22] le_log0 (Seq.get s i) (Seq.get s 0) end end 
@@ -262,7 +289,8 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv10 (shallow_model3 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -293,7 +321,9 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -301,7 +331,10 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -309,7 +342,10 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -320,13 +356,19 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -337,7 +379,9 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -348,7 +392,9 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -359,7 +405,9 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -370,7 +418,9 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant1 (self : deep_model_ty0) val invariant1 (self : deep_model_ty0) : bool ensures { result = invariant1 self } 
@@ -406,14 +456,17 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv3 self} ensures { result = deep_model1 self } - axiom deep_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv3 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv9 (deep_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) -> Seq.get (deep_model1 self) i = deep_model3 (index_logic0 self i)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model3 self) = Seq.length (deep_model1 self)) + axiom deep_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv3 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv9 (deep_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) + -> Seq.get (deep_model1 self) i = deep_model3 (index_logic0 self i)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model3 self) = Seq.length (deep_model1 self)) function parent0 [#"../heapsort_generic.rs" 10 0 10 24] (i : int) : int = [#"../heapsort_generic.rs" 11 4 11 19] div (i + 1) 2 - 1 val parent0 [#"../heapsort_generic.rs" 10 0 10 24] (i : int) : int ensures { result = parent0 i } predicate heap_frag0 [#"../heapsort_generic.rs" 15 0 15 66] (s : Seq.seq deep_model_ty0) (start : int) (end' : int) = - [#"../heapsort_generic.rs" 16 4 17 26] forall i : int . start <= parent0 i /\ i < end' -> le_log0 (Seq.get s i) (Seq.get s (parent0 i)) + [#"../heapsort_generic.rs" 16 4 17 26] forall i : int . 
start <= parent0 i /\ i < end' + -> le_log0 (Seq.get s i) (Seq.get s (parent0 i)) val heap_frag0 [#"../heapsort_generic.rs" 15 0 15 66] (s : Seq.seq deep_model_ty0) (start : int) (end' : int) : bool ensures { result = heap_frag0 s start end' } @@ -434,7 +487,8 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model7 self } - axiom shallow_model7_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv10 (shallow_model7 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model7 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) + axiom shallow_model7_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv10 (shallow_model7 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model7 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) function shallow_model6 (self : borrowed (slice t)) : Seq.seq t = [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model7 ( * self) val shallow_model6 (self : borrowed (slice t)) : Seq.seq t 
@@ -539,8 +593,13 @@ module HeapsortGeneric_SiftDown requires {[#"../heapsort_generic.rs" 41 33 41 34] inv6 v} ensures { [#"../heapsort_generic.rs" 34 10 34 52] heap_frag0 (deep_model1 ( ^ v)) (UIntSize.to_int start) (UIntSize.to_int end') } ensures { [#"../heapsort_generic.rs" 35 0 35 36] permutation_of0 (shallow_model3 ( ^ v)) (shallow_model0 v) } - ensures { [#"../heapsort_generic.rs" 36 0 37 43] forall i : int . 0 <= i /\ i < UIntSize.to_int start \/ UIntSize.to_int end' <= i /\ i < Seq.length (shallow_model0 v) -> index_logic0 ( * v) i = index_logic0 ( ^ v) i } - ensures { [#"../heapsort_generic.rs" 38 0 40 80] forall m : deep_model_ty0 . inv1 m -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' -> le_log0 (Seq.get (deep_model0 v) j) m) -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' -> le_log0 (Seq.get (deep_model1 ( ^ v)) j) m) } + ensures { [#"../heapsort_generic.rs" 36 0 37 43] forall i : int . 0 <= i /\ i < UIntSize.to_int start \/ UIntSize.to_int end' <= i /\ i < Seq.length (shallow_model0 v) + -> index_logic0 ( * v) i = index_logic0 ( ^ v) i } + ensures { [#"../heapsort_generic.rs" 38 0 40 80] forall m : deep_model_ty0 . inv1 m + -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' + -> le_log0 (Seq.get (deep_model0 v) j) m) + -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' + -> le_log0 (Seq.get (deep_model1 ( ^ v)) j) m) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); 
@@ -584,20 +643,28 @@ module HeapsortGeneric_SiftDown BB2 { invariant { [#"../heapsort_generic.rs" 48 4 48 43] permutation_of0 (shallow_model0 v) (shallow_model1 old_v) }; invariant { [#"../heapsort_generic.rs" 49 16 49 41] UIntSize.to_int start <= UIntSize.to_int i /\ UIntSize.to_int i < UIntSize.to_int end' }; - invariant { [#"../heapsort_generic.rs" 48 4 48 43] forall j : int . 0 <= j /\ j < UIntSize.to_int start \/ UIntSize.to_int end' <= j /\ j < Seq.length (shallow_model0 v) -> index_logic0 ( * Snapshot.inner old_v) j = index_logic0 ( * v) j }; - invariant { [#"../heapsort_generic.rs" 48 4 48 43] forall m : deep_model_ty0 . inv1 m -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' -> le_log0 (Seq.get (deep_model0 (Snapshot.inner old_v)) j) m) -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' -> le_log0 (Seq.get (deep_model0 v) j) m) }; - invariant { [#"../heapsort_generic.rs" 48 4 48 43] forall j : int . UIntSize.to_int start <= parent0 j /\ j < UIntSize.to_int end' /\ UIntSize.to_int i <> parent0 j -> le_log0 (Seq.get (deep_model0 v) j) (Seq.get (deep_model0 v) (parent0 j)) }; - invariant { [#"../heapsort_generic.rs" 48 4 48 43] let c = 2 * UIntSize.to_int i + 1 in c < UIntSize.to_int end' /\ UIntSize.to_int start <= parent0 (UIntSize.to_int i) -> le_log0 (Seq.get (deep_model0 v) c) (Seq.get (deep_model0 v) (parent0 (parent0 c))) }; - invariant { [#"../heapsort_generic.rs" 48 4 48 43] let c = 2 * UIntSize.to_int i + 2 in c < UIntSize.to_int end' /\ UIntSize.to_int start <= parent0 (UIntSize.to_int i) -> le_log0 (Seq.get (deep_model0 v) c) (Seq.get (deep_model0 v) (parent0 (parent0 c))) }; + invariant { [#"../heapsort_generic.rs" 48 4 48 43] forall j : int . 0 <= j /\ j < UIntSize.to_int start \/ UIntSize.to_int end' <= j /\ j < Seq.length (shallow_model0 v) + -> index_logic0 ( * Snapshot.inner old_v) j = index_logic0 ( * v) j }; + invariant { [#"../heapsort_generic.rs" 48 4 48 43] forall m : deep_model_ty0 . 
inv1 m + -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' + -> le_log0 (Seq.get (deep_model0 (Snapshot.inner old_v)) j) m) + -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' + -> le_log0 (Seq.get (deep_model0 v) j) m) }; + invariant { [#"../heapsort_generic.rs" 48 4 48 43] forall j : int . UIntSize.to_int start <= parent0 j /\ j < UIntSize.to_int end' /\ UIntSize.to_int i <> parent0 j + -> le_log0 (Seq.get (deep_model0 v) j) (Seq.get (deep_model0 v) (parent0 j)) }; + invariant { [#"../heapsort_generic.rs" 48 4 48 43] let c = 2 * UIntSize.to_int i + 1 in c < UIntSize.to_int end' /\ UIntSize.to_int start <= parent0 (UIntSize.to_int i) + -> le_log0 (Seq.get (deep_model0 v) c) (Seq.get (deep_model0 v) (parent0 (parent0 c))) }; + invariant { [#"../heapsort_generic.rs" 48 4 48 43] let c = 2 * UIntSize.to_int i + 2 in c < UIntSize.to_int end' /\ UIntSize.to_int start <= parent0 (UIntSize.to_int i) + -> le_log0 (Seq.get (deep_model0 v) c) (Seq.get (deep_model0 v) (parent0 (parent0 c))) }; goto BB3 } BB3 { - [#"../heapsort_generic.rs" 60 16 60 23] _28 <- ([#"../heapsort_generic.rs" 60 16 60 23] (2 : usize) = (0 : usize)); + [#"../heapsort_generic.rs" 60 16 60 23] _28 <- ([#"../heapsort_generic.rs" 60 16 60 23] ([#"../heapsort_generic.rs" 60 22 60 23] (2 : usize)) = ([#"../heapsort_generic.rs" 60 16 60 23] (0 : usize))); assert { [@expl:division by zero] [#"../heapsort_generic.rs" 60 16 60 23] not _28 }; goto BB4 } BB4 { - [#"../heapsort_generic.rs" 60 16 60 23] _26 <- ([#"../heapsort_generic.rs" 60 16 60 23] end' / (2 : usize)); + [#"../heapsort_generic.rs" 60 16 60 23] _26 <- ([#"../heapsort_generic.rs" 60 16 60 23] end' / ([#"../heapsort_generic.rs" 60 22 60 23] (2 : usize))); [#"../heapsort_generic.rs" 60 11 60 23] _24 <- ([#"../heapsort_generic.rs" 60 11 60 23] i >= _26); _26 <- any usize; switch (_24) 
@@ -608,14 +675,14 @@ module HeapsortGeneric_SiftDown BB5 { assert { [@expl:type invariant] inv6 v }; assume { resolve3 v }; - [#"../heapsort_generic.rs" 61 12 61 18] _0 <- ([#"../heapsort_generic.rs" 61 12 61 18] ()); + [#"../heapsort_generic.rs" 61 12 61 18] _0 <- ([#"../heapsort_generic.rs" 61 12 61 18] [#"../heapsort_generic.rs" 61 12 61 18] ()); goto BB23 } BB6 { - [#"../heapsort_generic.rs" 64 24 64 29] _31 <- ([#"../heapsort_generic.rs" 64 24 64 29] (2 : usize) * i); - [#"../heapsort_generic.rs" 64 24 64 33] child <- ([#"../heapsort_generic.rs" 64 24 64 33] _31 + (1 : usize)); + [#"../heapsort_generic.rs" 64 24 64 29] _31 <- ([#"../heapsort_generic.rs" 64 24 64 29] ([#"../heapsort_generic.rs" 64 24 64 25] (2 : usize)) * i); + [#"../heapsort_generic.rs" 64 24 64 33] child <- ([#"../heapsort_generic.rs" 64 24 64 33] _31 + ([#"../heapsort_generic.rs" 64 32 64 33] (1 : usize))); _31 <- any usize; - [#"../heapsort_generic.rs" 65 11 65 20] _35 <- ([#"../heapsort_generic.rs" 65 11 65 20] child + (1 : usize)); + [#"../heapsort_generic.rs" 65 11 65 20] _35 <- ([#"../heapsort_generic.rs" 65 11 65 20] child + ([#"../heapsort_generic.rs" 65 19 65 20] (1 : usize))); [#"../heapsort_generic.rs" 65 11 65 26] _34 <- ([#"../heapsort_generic.rs" 65 11 65 26] _35 < end'); _35 <- any usize; switch (_34) @@ -633,7 +700,7 @@ module HeapsortGeneric_SiftDown BB9 { assert { [@expl:type invariant] inv2 _40 }; assume { resolve1 _40 }; - [#"../heapsort_generic.rs" 65 43 65 52] _46 <- ([#"../heapsort_generic.rs" 65 43 65 52] child + (1 : usize)); + [#"../heapsort_generic.rs" 65 43 65 52] _46 <- ([#"../heapsort_generic.rs" 65 43 65 52] child + ([#"../heapsort_generic.rs" 65 51 65 52] (1 : usize))); [#"../heapsort_generic.rs" 65 42 65 53] _44 <- ([#"../heapsort_generic.rs" 65 42 65 53] index0 ( * v) _46); _46 <- any usize; goto BB10 
@@ -651,15 +718,15 @@ module HeapsortGeneric_SiftDown end } BB12 { - [#"../heapsort_generic.rs" 66 12 66 22] child <- ([#"../heapsort_generic.rs" 66 12 66 22] child + (1 : usize)); - [#"../heapsort_generic.rs" 66 12 66 22] _33 <- ([#"../heapsort_generic.rs" 66 12 66 22] ()); + [#"../heapsort_generic.rs" 66 12 66 22] child <- ([#"../heapsort_generic.rs" 66 12 66 22] child + ([#"../heapsort_generic.rs" 66 21 66 22] (1 : usize))); + [#"../heapsort_generic.rs" 66 12 66 22] _33 <- ([#"../heapsort_generic.rs" 66 12 66 22] [#"../heapsort_generic.rs" 66 12 66 22] ()); goto BB15 } BB13 { goto BB14 } BB14 { - [#"../heapsort_generic.rs" 67 9 67 9] _33 <- ([#"../heapsort_generic.rs" 67 9 67 9] ()); + [#"../heapsort_generic.rs" 67 9 67 9] _33 <- ([#"../heapsort_generic.rs" 67 9 67 9] [#"../heapsort_generic.rs" 67 9 67 9] ()); goto BB15 } BB15 { @@ -687,7 +754,7 @@ module HeapsortGeneric_SiftDown BB19 { assert { [@expl:type invariant] inv6 v }; assume { resolve3 v }; - [#"../heapsort_generic.rs" 69 12 69 18] _0 <- ([#"../heapsort_generic.rs" 69 12 69 18] ()); + [#"../heapsort_generic.rs" 69 12 69 18] _0 <- ([#"../heapsort_generic.rs" 69 12 69 18] [#"../heapsort_generic.rs" 69 12 69 18] ()); goto BB23 } BB20 { 
@@ -794,7 +861,8 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max1) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max1) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv8 (shallow_model3 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -821,7 +889,9 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv7 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -829,7 +899,10 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv7 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -837,7 +910,10 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv7 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -848,13 +924,19 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv7 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv7 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv7 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv7 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -865,7 +947,9 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv7 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -876,7 +960,9 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv7 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -887,7 +973,9 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv7 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -898,7 +986,9 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv7 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use prelude.Snapshot predicate invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) @@ -912,7 +1002,8 @@ module HeapsortGeneric_HeapSort axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true use seq.Seq predicate sorted_range0 [#"../heapsort_generic.rs" 77 0 77 63] (s : Seq.seq deep_model_ty0) (l : int) (u : int) = - [#"../heapsort_generic.rs" 78 4 80 5] forall j : int . forall i : int . l <= i /\ i < j /\ j < u -> le_log0 (Seq.get s i) (Seq.get s j) + [#"../heapsort_generic.rs" 78 4 80 5] forall j : int . forall i : int . l <= i /\ i < j /\ j < u + -> le_log0 (Seq.get s i) (Seq.get s j) val sorted_range0 [#"../heapsort_generic.rs" 77 0 77 63] (s : Seq.seq deep_model_ty0) (l : int) (u : int) : bool ensures { result = sorted_range0 s l u } 
@@ -939,7 +1030,9 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv2 self} ensures { result = deep_model1 self } - axiom deep_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv6 (deep_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) -> Seq.get (deep_model1 self) i = deep_model2 (index_logic1 self i)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model3 self) = Seq.length (deep_model1 self)) + axiom deep_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv6 (deep_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) + -> Seq.get (deep_model1 self) i = deep_model2 (index_logic1 self i)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model3 self) = Seq.length (deep_model1 self)) let constant max0 : usize = [@vc:do_not_keep_trace] [@vc:sp] (18446744073709551615 : usize) use seq.Permut 
@@ -960,7 +1053,8 @@ module HeapsortGeneric_HeapSort ensures { result = parent0 i } predicate heap_frag0 [#"../heapsort_generic.rs" 15 0 15 66] (s : Seq.seq deep_model_ty0) (start : int) (end' : int) = - [#"../heapsort_generic.rs" 16 4 17 26] forall i : int . start <= parent0 i /\ i < end' -> le_log0 (Seq.get s i) (Seq.get s (parent0 i)) + [#"../heapsort_generic.rs" 16 4 17 26] forall i : int . start <= parent0 i /\ i < end' + -> le_log0 (Seq.get s i) (Seq.get s (parent0 i)) val heap_frag0 [#"../heapsort_generic.rs" 15 0 15 66] (s : Seq.seq deep_model_ty0) (start : int) (end' : int) : bool ensures { result = heap_frag0 s start end' } 
@@ -978,8 +1072,13 @@ module HeapsortGeneric_HeapSort requires {[#"../heapsort_generic.rs" 41 33 41 34] inv1 v} ensures { [#"../heapsort_generic.rs" 34 10 34 52] heap_frag0 (deep_model1 ( ^ v)) (UIntSize.to_int start) (UIntSize.to_int end') } ensures { [#"../heapsort_generic.rs" 35 0 35 36] permutation_of0 (shallow_model3 ( ^ v)) (shallow_model0 v) } - ensures { [#"../heapsort_generic.rs" 36 0 37 43] forall i : int . 0 <= i /\ i < UIntSize.to_int start \/ UIntSize.to_int end' <= i /\ i < Seq.length (shallow_model0 v) -> index_logic1 ( * v) i = index_logic1 ( ^ v) i } - ensures { [#"../heapsort_generic.rs" 38 0 40 80] forall m : deep_model_ty0 . inv7 m -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' -> le_log0 (Seq.get (deep_model0 v) j) m) -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' -> le_log0 (Seq.get (deep_model1 ( ^ v)) j) m) } + ensures { [#"../heapsort_generic.rs" 36 0 37 43] forall i : int . 0 <= i /\ i < UIntSize.to_int start \/ UIntSize.to_int end' <= i /\ i < Seq.length (shallow_model0 v) + -> index_logic1 ( * v) i = index_logic1 ( ^ v) i } + ensures { [#"../heapsort_generic.rs" 38 0 40 80] forall m : deep_model_ty0 . inv7 m + -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' + -> le_log0 (Seq.get (deep_model0 v) j) m) + -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' + -> le_log0 (Seq.get (deep_model1 ( ^ v)) j) m) } function heap_frag_max0 [#"../heapsort_generic.rs" 25 0 25 58] (s : Seq.seq deep_model_ty0) (i : int) (end' : int) : () 
@@ -994,7 +1093,10 @@ module HeapsortGeneric_HeapSort requires {[#"../heapsort_generic.rs" 25 30 25 31] inv6 s} ensures { result = heap_frag_max0 s i end' } - axiom heap_frag_max0_spec : forall s : Seq.seq deep_model_ty0, i : int, end' : int . ([#"../heapsort_generic.rs" 21 11 21 31] heap_frag0 s 0 end') -> ([#"../heapsort_generic.rs" 22 11 22 28] 0 <= i /\ i < end') -> ([#"../heapsort_generic.rs" 25 30 25 31] inv6 s) -> ([#"../heapsort_generic.rs" 23 10 23 22] le_log0 (Seq.get s i) (Seq.get s 0)) + axiom heap_frag_max0_spec : forall s : Seq.seq deep_model_ty0, i : int, end' : int . ([#"../heapsort_generic.rs" 21 11 21 31] heap_frag0 s 0 end') + -> ([#"../heapsort_generic.rs" 22 11 22 28] 0 <= i /\ i < end') + -> ([#"../heapsort_generic.rs" 25 30 25 31] inv6 s) + -> ([#"../heapsort_generic.rs" 23 10 23 22] le_log0 (Seq.get s i) (Seq.get s 0)) predicate resolve2 (self : borrowed (slice t)) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed (slice t)) : bool 
@@ -1007,7 +1109,8 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model7 self } - axiom shallow_model7_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv8 (shallow_model7 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model7 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max1) + axiom shallow_model7_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv8 (shallow_model7 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model7 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max1) function shallow_model6 (self : borrowed (slice t)) : Seq.seq t = [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model7 ( * self) val shallow_model6 (self : borrowed (slice t)) : Seq.seq t 
@@ -1099,12 +1202,12 @@ module HeapsortGeneric_HeapSort goto BB2 } BB2 { - [#"../heapsort_generic.rs" 99 20 99 31] _10 <- ([#"../heapsort_generic.rs" 99 20 99 31] (2 : usize) = (0 : usize)); + [#"../heapsort_generic.rs" 99 20 99 31] _10 <- ([#"../heapsort_generic.rs" 99 20 99 31] ([#"../heapsort_generic.rs" 99 30 99 31] (2 : usize)) = ([#"../heapsort_generic.rs" 99 20 99 31] (0 : usize))); assert { [@expl:division by zero] [#"../heapsort_generic.rs" 99 20 99 31] not _10 }; goto BB3 } BB3 { - [#"../heapsort_generic.rs" 99 20 99 31] start <- ([#"../heapsort_generic.rs" 99 20 99 31] _8 / (2 : usize)); + [#"../heapsort_generic.rs" 99 20 99 31] start <- ([#"../heapsort_generic.rs" 99 20 99 31] _8 / ([#"../heapsort_generic.rs" 99 30 99 31] (2 : usize))); _8 <- any usize; goto BB4 } @@ -1115,14 +1218,14 @@ module HeapsortGeneric_HeapSort goto BB5 } BB5 { - [#"../heapsort_generic.rs" 103 10 103 19] _16 <- ([#"../heapsort_generic.rs" 103 10 103 19] start > (0 : usize)); + [#"../heapsort_generic.rs" 103 10 103 19] _16 <- ([#"../heapsort_generic.rs" 103 10 103 19] start > ([#"../heapsort_generic.rs" 103 18 103 19] (0 : usize))); switch (_16) | False -> goto BB9 | True -> goto BB6 end } BB6 { - [#"../heapsort_generic.rs" 104 8 104 18] start <- ([#"../heapsort_generic.rs" 104 8 104 18] start - (1 : usize)); + [#"../heapsort_generic.rs" 104 8 104 18] start <- ([#"../heapsort_generic.rs" 104 8 104 18] start - ([#"../heapsort_generic.rs" 104 17 104 18] (1 : usize))); [#"../heapsort_generic.rs" 105 18 105 19] _19 <- Borrow.borrow_mut ( * v); [#"../heapsort_generic.rs" 105 18 105 19] v <- { v with current = ( ^ _19) ; }; assume { inv2 ( ^ _19) }; @@ -1136,7 +1239,7 @@ module HeapsortGeneric_HeapSort goto BB8 } BB8 { - [#"../heapsort_generic.rs" 103 20 106 5] _15 <- ([#"../heapsort_generic.rs" 103 20 106 5] ()); + [#"../heapsort_generic.rs" 103 20 106 5] _15 <- ([#"../heapsort_generic.rs" 103 20 106 5] [#"../heapsort_generic.rs" 103 20 106 5] ()); goto BB4 } BB9 { 
@@ -1151,18 +1254,19 @@ module HeapsortGeneric_HeapSort invariant { [#"../heapsort_generic.rs" 109 4 109 34] permutation_of0 (shallow_model0 v) (shallow_model1 old_v) }; invariant { [#"../heapsort_generic.rs" 111 16 111 50] heap_frag0 (deep_model0 v) 0 (UIntSize.to_int end') }; invariant { [#"../heapsort_generic.rs" 112 16 112 60] sorted_range0 (deep_model0 v) (UIntSize.to_int end') (Seq.length (shallow_model0 v)) }; - invariant { [#"../heapsort_generic.rs" 109 4 109 34] forall j : int . forall i : int . 0 <= i /\ i < UIntSize.to_int end' /\ UIntSize.to_int end' <= j /\ j < Seq.length (shallow_model0 v) -> le_log0 (Seq.get (deep_model0 v) i) (Seq.get (deep_model0 v) j) }; + invariant { [#"../heapsort_generic.rs" 109 4 109 34] forall j : int . forall i : int . 0 <= i /\ i < UIntSize.to_int end' /\ UIntSize.to_int end' <= j /\ j < Seq.length (shallow_model0 v) + -> le_log0 (Seq.get (deep_model0 v) i) (Seq.get (deep_model0 v) j) }; goto BB12 } BB12 { - [#"../heapsort_generic.rs" 115 10 115 17] _33 <- ([#"../heapsort_generic.rs" 115 10 115 17] end' > (1 : usize)); + [#"../heapsort_generic.rs" 115 10 115 17] _33 <- ([#"../heapsort_generic.rs" 115 10 115 17] end' > ([#"../heapsort_generic.rs" 115 16 115 17] (1 : usize))); switch (_33) | False -> goto BB17 | True -> goto BB13 end } BB13 { - [#"../heapsort_generic.rs" 116 8 116 16] end' <- ([#"../heapsort_generic.rs" 116 8 116 16] end' - (1 : usize)); + [#"../heapsort_generic.rs" 116 8 116 16] end' <- ([#"../heapsort_generic.rs" 116 8 116 16] end' - ([#"../heapsort_generic.rs" 116 15 116 16] (1 : usize))); [#"../heapsort_generic.rs" 117 8 117 9] _38 <- Borrow.borrow_mut ( * v); [#"../heapsort_generic.rs" 117 8 117 9] v <- { v with current = ( ^ _38) ; }; assume { inv2 ( ^ _38) }; 
@@ -1174,29 +1278,30 @@ module HeapsortGeneric_HeapSort [#"../heapsort_generic.rs" 117 8 117 9] _36 <- Borrow.borrow_final ( * _37) (Borrow.get_id _37); [#"../heapsort_generic.rs" 117 8 117 9] _37 <- { _37 with current = ( ^ _36) ; }; assume { inv3 ( ^ _36) }; - [#"../heapsort_generic.rs" 117 8 117 22] _35 <- ([#"../heapsort_generic.rs" 117 8 117 22] swap0 _36 (0 : usize) end'); + [#"../heapsort_generic.rs" 117 8 117 22] _35 <- ([#"../heapsort_generic.rs" 117 8 117 22] swap0 _36 ([#"../heapsort_generic.rs" 117 15 117 16] (0 : usize)) end'); _36 <- any borrowed (slice t); goto BB15 } BB15 { assert { [@expl:type invariant] inv4 _37 }; assume { resolve2 _37 }; - assert { [@expl:assertion] [#"../heapsort_generic.rs" 119 12 119 59] let _ = heap_frag_max0 (deep_model0 v) 0 (UIntSize.to_int end') in forall j : int . forall i : int . 0 <= i /\ i < UIntSize.to_int end' /\ UIntSize.to_int end' <= j /\ j < Seq.length (shallow_model0 v) -> le_log0 (Seq.get (deep_model0 v) i) (Seq.get (deep_model0 v) j) }; + assert { [@expl:assertion] [#"../heapsort_generic.rs" 119 12 119 59] let _ = heap_frag_max0 (deep_model0 v) 0 (UIntSize.to_int end') in forall j : int . forall i : int . 
0 <= i /\ i < UIntSize.to_int end' /\ UIntSize.to_int end' <= j /\ j < Seq.length (shallow_model0 v) + -> le_log0 (Seq.get (deep_model0 v) i) (Seq.get (deep_model0 v) j) }; [#"../heapsort_generic.rs" 123 18 123 19] _43 <- Borrow.borrow_mut ( * v); [#"../heapsort_generic.rs" 123 18 123 19] v <- { v with current = ( ^ _43) ; }; assume { inv2 ( ^ _43) }; - [#"../heapsort_generic.rs" 123 8 123 28] _42 <- ([#"../heapsort_generic.rs" 123 8 123 28] sift_down0 _43 (0 : usize) end'); + [#"../heapsort_generic.rs" 123 8 123 28] _42 <- ([#"../heapsort_generic.rs" 123 8 123 28] sift_down0 _43 ([#"../heapsort_generic.rs" 123 21 123 22] (0 : usize)) end'); _43 <- any borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); goto BB16 } BB16 { - [#"../heapsort_generic.rs" 115 18 124 5] _15 <- ([#"../heapsort_generic.rs" 115 18 124 5] ()); + [#"../heapsort_generic.rs" 115 18 124 5] _15 <- ([#"../heapsort_generic.rs" 115 18 124 5] [#"../heapsort_generic.rs" 115 18 124 5] ()); goto BB11 } BB17 { assert { [@expl:type invariant] inv1 v }; assume { resolve1 v }; - [#"../heapsort_generic.rs" 115 4 124 5] _0 <- ([#"../heapsort_generic.rs" 115 4 124 5] ()); + [#"../heapsort_generic.rs" 115 4 124 5] _0 <- ([#"../heapsort_generic.rs" 115 4 124 5] [#"../heapsort_generic.rs" 115 4 124 5] ()); return _0 } diff --git a/creusot/tests/should_succeed/hillel.mlcfg b/creusot/tests/should_succeed/hillel.mlcfg index 1ff97fbf85..393f7ab249 100644 --- a/creusot/tests/should_succeed/hillel.mlcfg +++ b/creusot/tests/should_succeed/hillel.mlcfg 
@@ -76,7 +76,8 @@ module Hillel_RightPad requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv5 (shallow_model3 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -176,10 +177,14 @@ module Hillel_RightPad requires {[#"../hillel.rs" 16 52 16 55] inv1 pad} ensures { [#"../hillel.rs" 10 10 10 62] Seq.length (shallow_model3 ( ^ str)) >= UIntSize.to_int len /\ Seq.length (shallow_model3 ( ^ str)) >= Seq.length (shallow_model1 str) } ensures { [#"../hillel.rs" 11 10 11 62] Seq.length (shallow_model3 ( ^ str)) = UIntSize.to_int len \/ Seq.length (shallow_model3 ( ^ str)) = Seq.length (shallow_model1 str) } - ensures { [#"../hillel.rs" 12 0 12 62] UIntSize.to_int len <= Seq.length (shallow_model1 str) -> Seq.length (shallow_model3 ( ^ str)) = Seq.length (shallow_model1 str) } - ensures { [#"../hillel.rs" 13 0 13 55] UIntSize.to_int len > Seq.length (shallow_model1 str) -> Seq.length (shallow_model3 ( ^ str)) = UIntSize.to_int len } - ensures { [#"../hillel.rs" 14 0 14 75] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 str) -> index_logic0 ( ^ str) i = index_logic0 ( * str) i } - ensures { [#"../hillel.rs" 15 0 15 75] forall i : int . Seq.length (shallow_model1 str) <= i /\ i < UIntSize.to_int len -> index_logic0 ( ^ str) i = pad } + ensures { [#"../hillel.rs" 12 0 12 62] UIntSize.to_int len <= Seq.length (shallow_model1 str) + -> Seq.length (shallow_model3 ( ^ str)) = Seq.length (shallow_model1 str) } + ensures { [#"../hillel.rs" 13 0 13 55] UIntSize.to_int len > Seq.length (shallow_model1 str) + -> Seq.length (shallow_model3 ( ^ str)) = UIntSize.to_int len } + ensures { [#"../hillel.rs" 14 0 14 75] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 str) + -> index_logic0 ( ^ str) i = index_logic0 ( * str) i } + ensures { [#"../hillel.rs" 15 0 15 75] forall i : int . Seq.length (shallow_model1 str) <= i /\ i < UIntSize.to_int len + -> index_logic0 ( ^ str) i = pad } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); 
@@ -205,10 +210,14 @@ module Hillel_RightPad } BB2 { invariant { [#"../hillel.rs" 19 16 19 44] Seq.length (shallow_model0 old_str) <= Seq.length (shallow_model1 str) }; - invariant { [#"../hillel.rs" 19 4 19 46] Seq.length (shallow_model0 old_str) < UIntSize.to_int len -> Seq.length (shallow_model1 str) <= UIntSize.to_int len }; - invariant { [#"../hillel.rs" 19 4 19 46] Seq.length (shallow_model1 str) > UIntSize.to_int len -> Seq.length (shallow_model1 str) = Seq.length (shallow_model0 old_str) }; - invariant { [#"../hillel.rs" 19 4 19 46] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 old_str) -> index_logic0 ( * str) i = index_logic0 ( * Snapshot.inner old_str) i }; - invariant { [#"../hillel.rs" 19 4 19 46] forall i : int . Seq.length (shallow_model0 old_str) <= i /\ i < Seq.length (shallow_model1 str) -> index_logic0 ( * str) i = pad }; + invariant { [#"../hillel.rs" 19 4 19 46] Seq.length (shallow_model0 old_str) < UIntSize.to_int len + -> Seq.length (shallow_model1 str) <= UIntSize.to_int len }; + invariant { [#"../hillel.rs" 19 4 19 46] Seq.length (shallow_model1 str) > UIntSize.to_int len + -> Seq.length (shallow_model1 str) = Seq.length (shallow_model0 old_str) }; + invariant { [#"../hillel.rs" 19 4 19 46] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 old_str) + -> index_logic0 ( * str) i = index_logic0 ( * Snapshot.inner old_str) i }; + invariant { [#"../hillel.rs" 19 4 19 46] forall i : int . Seq.length (shallow_model0 old_str) <= i /\ i < Seq.length (shallow_model1 str) + -> index_logic0 ( * str) i = pad }; goto BB3 } BB3 { @@ -239,7 +248,7 @@ module Hillel_RightPad assume { resolve1 pad }; assert { [@expl:type invariant] inv2 str }; assume { resolve2 str }; - [#"../hillel.rs" 24 4 26 5] _0 <- ([#"../hillel.rs" 24 4 26 5] ()); + [#"../hillel.rs" 24 4 26 5] _0 <- ([#"../hillel.rs" 24 4 26 5] [#"../hillel.rs" 24 4 26 5] ()); return _0 } 
@@ -282,7 +291,8 @@ module Hillel_LeftPad requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv5 (shallow_model4 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -338,9 +348,11 @@ module Hillel_LeftPad requires {inv2 self} requires {inv1 element} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 95 26 95 59] Seq.length (shallow_model4 ( ^ self)) = Seq.length (shallow_model1 self) + 1 } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 96 16 96 89] forall i : int . 0 <= i /\ i < UIntSize.to_int index -> index_logic0 ( ^ self) i = index_logic0 ( * self) i } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 96 16 96 89] forall i : int . 0 <= i /\ i < UIntSize.to_int index + -> index_logic0 ( ^ self) i = index_logic0 ( * self) i } ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 97 26 97 52] index_logic0 ( ^ self) (UIntSize.to_int index) = element } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 98 16 98 105] forall i : int . UIntSize.to_int index < i /\ i < Seq.length (shallow_model4 ( ^ self)) -> index_logic0 ( ^ self) i = index_logic0 ( * self) (i - 1) } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 98 16 98 105] forall i : int . UIntSize.to_int index < i /\ i < Seq.length (shallow_model4 ( ^ self)) + -> index_logic0 ( ^ self) i = index_logic0 ( * self) (i - 1) } predicate resolve2 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self 
@@ -397,8 +409,10 @@ module Hillel_LeftPad requires {[#"../hillel.rs" 33 51 33 54] inv1 pad} ensures { [#"../hillel.rs" 29 10 29 62] Seq.length (shallow_model4 ( ^ str)) >= UIntSize.to_int len /\ Seq.length (shallow_model4 ( ^ str)) >= Seq.length (shallow_model1 str) } ensures { [#"../hillel.rs" 30 10 30 62] Seq.length (shallow_model4 ( ^ str)) = UIntSize.to_int len \/ Seq.length (shallow_model4 ( ^ str)) = Seq.length (shallow_model1 str) } - ensures { [#"../hillel.rs" 31 0 31 90] forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 ( ^ str)) - Seq.length (shallow_model1 str) -> index_logic0 ( ^ str) i = pad } - ensures { [#"../hillel.rs" 32 0 32 106] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 str) -> index_logic0 ( ^ str) (i + (Seq.length (shallow_model4 ( ^ str)) - Seq.length (shallow_model1 str))) = index_logic0 ( * str) i } + ensures { [#"../hillel.rs" 31 0 31 90] forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 ( ^ str)) - Seq.length (shallow_model1 str) + -> index_logic0 ( ^ str) i = pad } + ensures { [#"../hillel.rs" 32 0 32 106] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 str) + -> index_logic0 ( ^ str) (i + (Seq.length (shallow_model4 ( ^ str)) - Seq.length (shallow_model1 str))) = index_logic0 ( * str) i } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); 
@@ -430,11 +444,15 @@ module Hillel_LeftPad } BB3 { invariant { [#"../hillel.rs" 37 16 37 44] Seq.length (shallow_model0 old_str) <= Seq.length (shallow_model1 str) }; - invariant { [#"../hillel.rs" 37 4 37 46] Seq.length (shallow_model0 old_str) < UIntSize.to_int len -> Seq.length (shallow_model1 str) <= UIntSize.to_int len }; - invariant { [#"../hillel.rs" 37 4 37 46] Seq.length (shallow_model1 str) > UIntSize.to_int len -> Seq.length (shallow_model1 str) = Seq.length (shallow_model0 old_str) }; + invariant { [#"../hillel.rs" 37 4 37 46] Seq.length (shallow_model0 old_str) < UIntSize.to_int len + -> Seq.length (shallow_model1 str) <= UIntSize.to_int len }; + invariant { [#"../hillel.rs" 37 4 37 46] Seq.length (shallow_model1 str) > UIntSize.to_int len + -> Seq.length (shallow_model1 str) = Seq.length (shallow_model0 old_str) }; invariant { [#"../hillel.rs" 40 16 40 49] shallow_model3 c = Seq.length (shallow_model1 str) - Seq.length (shallow_model0 old_str) }; - invariant { [#"../hillel.rs" 37 4 37 46] forall i : int . shallow_model3 c <= i /\ i < Seq.length (shallow_model1 str) -> index_logic0 ( * str) i = index_logic0 ( * Snapshot.inner old_str) (i - shallow_model3 c) }; - invariant { [#"../hillel.rs" 37 4 37 46] forall i : int . 0 <= i /\ i < shallow_model3 c -> index_logic0 ( * str) i = pad }; + invariant { [#"../hillel.rs" 37 4 37 46] forall i : int . shallow_model3 c <= i /\ i < Seq.length (shallow_model1 str) + -> index_logic0 ( * str) i = index_logic0 ( * Snapshot.inner old_str) (i - shallow_model3 c) }; + invariant { [#"../hillel.rs" 37 4 37 46] forall i : int . 0 <= i /\ i < shallow_model3 c + -> index_logic0 ( * str) i = pad }; goto BB4 } BB4 { 
@@ -453,7 +471,7 @@ module Hillel_LeftPad [#"../hillel.rs" 44 8 44 11] _24 <- Borrow.borrow_mut ( * str); [#"../hillel.rs" 44 8 44 11] str <- { str with current = ( ^ _24) ; }; assume { inv3 ( ^ _24) }; - [#"../hillel.rs" 44 8 44 26] _23 <- ([#"../hillel.rs" 44 8 44 26] insert0 _24 (0 : usize) pad); + [#"../hillel.rs" 44 8 44 26] _23 <- ([#"../hillel.rs" 44 8 44 26] insert0 _24 ([#"../hillel.rs" 44 19 44 20] (0 : usize)) pad); _24 <- any borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); goto BB7 } @@ -471,7 +489,7 @@ module Hillel_LeftPad assume { resolve1 pad }; assert { [@expl:type invariant] inv2 str }; assume { resolve2 str }; - [#"../hillel.rs" 43 4 46 5] _0 <- ([#"../hillel.rs" 43 4 46 5] ()); + [#"../hillel.rs" 43 4 46 5] _0 <- ([#"../hillel.rs" 43 4 46 5] [#"../hillel.rs" 43 4 46 5] ()); return _0 } @@ -506,7 +524,7 @@ module Hillel_SubsetPush_Impl ensures { result = contains0 seq elem } predicate is_subset0 [#"../hillel.rs" 64 0 64 49] (sub : Seq.seq t) (sup : Seq.seq t) = - [#"../hillel.rs" 65 4 67 5] forall i : int . 0 <= i /\ i < Seq.length sub -> contains0 sup (Seq.get sub i) + [#"../hillel.rs" 65 4 67 5] forall i : int . 0 <= i /\ i < Seq.length sub -> contains0 sup (Seq.get sub i) val is_subset0 [#"../hillel.rs" 64 0 64 49] (sub : Seq.seq t) (sup : Seq.seq t) : bool ensures { result = is_subset0 sub sup } @@ -514,7 +532,8 @@ module Hillel_SubsetPush_Impl constant s : Seq.seq t constant elem : t function subset_push [#"../hillel.rs" 72 0 72 37] (s : Seq.seq t) (elem : t) : () - goal vc_subset_push : ([#"../hillel.rs" 72 29 72 33] inv1 elem) -> ([#"../hillel.rs" 72 18 72 19] inv0 s) -> ([#"../hillel.rs" 71 10 71 36] is_subset0 s (Seq.snoc s elem)) + goal vc_subset_push : ([#"../hillel.rs" 72 29 72 33] inv1 elem) + -> ([#"../hillel.rs" 72 18 72 19] inv0 s) -> ([#"../hillel.rs" 71 10 71 36] is_subset0 s (Seq.snoc s elem)) end module Core_Slice_Iter_Iter_Type use prelude.Borrow 
@@ -621,7 +640,8 @@ module Hillel_InsertUnique requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv14 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv14 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant8 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv14 (shallow_model3 self) val invariant8 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -675,7 +695,8 @@ module Hillel_InsertUnique requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv15 self} ensures { result = shallow_model5 self } - axiom shallow_model5_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv15 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv14 (shallow_model5 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model5 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max0) + axiom shallow_model5_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv15 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv14 (shallow_model5 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model5 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max0) function index_logic5 [@inline:trivial] (self : slice t) (ix : int) : t = [#"../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model5 self) ix val index_logic5 [@inline:trivial] (self : slice t) (ix : int) : t 
@@ -697,7 +718,9 @@ module Hillel_InsertUnique requires {[#"../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv1 self} ensures { result = to_ref_seq0 self } - axiom to_ref_seq0_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv1 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv13 (to_ref_seq0 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) -> Seq.get (to_ref_seq0 self) i = index_logic5 self i) && ([#"../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model0 self)) + axiom to_ref_seq0_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv1 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv13 (to_ref_seq0 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) + -> Seq.get (to_ref_seq0 self) i = index_logic5 self i) && ([#"../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model0 self)) function shallow_model2 (self : Core_Slice_Iter_Iter_Type.t_iter t) : slice t val shallow_model2 (self : Core_Slice_Iter_Iter_Type.t_iter t) : slice t ensures { result = shallow_model2 self } 
@@ -720,7 +743,11 @@ module Hillel_InsertUnique requires {[#"../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv13 bc} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter t, ab : Seq.seq t, b : Core_Slice_Iter_Iter_Type.t_iter t, bc : Seq.seq t, c : Core_Slice_Iter_Iter_Type.t_iter t . ([#"../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv13 ab) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv13 bc) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter t, ab : Seq.seq t, b : Core_Slice_Iter_Iter_Type.t_iter t, bc : Seq.seq t, c : Core_Slice_Iter_Iter_Type.t_iter t . ([#"../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv13 ab) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv13 bc) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Slice_Iter_Iter_Type.t_iter t) : () = [#"../../../../creusot-contracts/src/std/slice.rs" 390 4 390 10] () 
@@ -779,7 +806,9 @@ module Hillel_InsertUnique requires {[#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv8 self} ensures { result = deep_model3 self } - axiom deep_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv8 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv9 (deep_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) -> Seq.get (deep_model3 self) i = deep_model1 (index_logic1 self i)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model3 self) = Seq.length (deep_model3 self)) + axiom deep_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv8 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv9 (deep_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) + -> Seq.get (deep_model3 self) i = deep_model1 (index_logic1 self i)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model3 self) = Seq.length (deep_model3 self)) use seq.Seq function shallow_model4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t = 
@@ -793,7 +822,8 @@ module Hillel_InsertUnique ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 78 26 78 51] shallow_model3 ( ^ self) = Seq.snoc (shallow_model4 self) value } predicate is_unique0 [#"../hillel.rs" 50 0 50 34] (s : Seq.seq deep_model_ty0) = - [#"../hillel.rs" 51 4 53 5] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s -> Seq.get s i = Seq.get s j -> i = j + [#"../hillel.rs" 51 4 53 5] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s + -> Seq.get s i = Seq.get s j -> i = j val is_unique0 [#"../hillel.rs" 50 0 50 34] (s : Seq.seq deep_model_ty0) : bool ensures { result = is_unique0 s } @@ -921,7 +951,7 @@ module Hillel_InsertUnique use prelude.Snapshot predicate is_subset0 [#"../hillel.rs" 64 0 64 49] (sub : Seq.seq deep_model_ty0) (sup : Seq.seq deep_model_ty0) = - [#"../hillel.rs" 65 4 67 5] forall i : int . 0 <= i /\ i < Seq.length sub -> contains0 sup (Seq.get sub i) + [#"../hillel.rs" 65 4 67 5] forall i : int . 0 <= i /\ i < Seq.length sub -> contains0 sup (Seq.get sub i) val is_subset0 [#"../hillel.rs" 64 0 64 49] (sub : Seq.seq deep_model_ty0) (sup : Seq.seq deep_model_ty0) : bool ensures { result = is_subset0 sub sup } 
@@ -945,7 +975,8 @@ module Hillel_InsertUnique requires {[#"../hillel.rs" 72 29 72 33] inv10 elem} ensures { result = subset_push0 s elem } - axiom subset_push0_spec : forall s : Seq.seq deep_model_ty0, elem : deep_model_ty0 . ([#"../hillel.rs" 72 18 72 19] inv9 s) -> ([#"../hillel.rs" 72 29 72 33] inv10 elem) -> ([#"../hillel.rs" 71 10 71 36] is_subset0 s (Seq.snoc s elem)) + axiom subset_push0_spec : forall s : Seq.seq deep_model_ty0, elem : deep_model_ty0 . ([#"../hillel.rs" 72 18 72 19] inv9 s) + -> ([#"../hillel.rs" 72 29 72 33] inv10 elem) -> ([#"../hillel.rs" 71 10 71 36] is_subset0 s (Seq.snoc s elem)) let rec cfg insert_unique [#"../hillel.rs" 79 0 79 62] [@cfg:stackify] [@cfg:subregion_analysis] (vec : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) (elem : t) : () requires {[#"../hillel.rs" 74 11 74 38] is_unique0 (deep_model0 vec)} requires {[#"../hillel.rs" 79 36 79 39] inv7 vec} @@ -1035,7 +1066,8 @@ module Hillel_InsertUnique BB12 { invariant { [#"../hillel.rs" 84 4 84 111] inv3 iter }; invariant { [#"../hillel.rs" 84 4 84 111] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; - invariant { [#"../hillel.rs" 84 4 84 111] forall j : int . 0 <= j /\ j < Seq.length (Snapshot.inner produced) -> deep_model2 (index_logic0 produced j) <> deep_model1 elem }; + invariant { [#"../hillel.rs" 84 4 84 111] forall j : int . 0 <= j /\ j < Seq.length (Snapshot.inner produced) + -> deep_model2 (index_logic0 produced j) <> deep_model1 elem }; goto BB13 } BB13 { @@ -1115,7 +1147,7 @@ module Hillel_InsertUnique goto BB22 } BB22 { - [#"../hillel.rs" 89 12 89 18] _0 <- ([#"../hillel.rs" 89 12 89 18] ()); + [#"../hillel.rs" 89 12 89 18] _0 <- ([#"../hillel.rs" 89 12 89 18] [#"../hillel.rs" 89 12 89 18] ()); goto BB26 } BB23 { 
@@ -1137,7 +1169,7 @@ module Hillel_InsertUnique BB25 { assert { [@expl:type invariant] inv7 vec }; assume { resolve10 vec }; - [#"../hillel.rs" 79 63 95 1] _0 <- ([#"../hillel.rs" 79 63 95 1] ()); + [#"../hillel.rs" 79 63 95 1] _0 <- ([#"../hillel.rs" 79 63 95 1] [#"../hillel.rs" 79 63 95 1] ()); goto BB26 } BB26 { @@ -1267,7 +1299,8 @@ module Hillel_Unique requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv9 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv9 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv9 (shallow_model1 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1290,7 +1323,9 @@ module Hillel_Unique predicate produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model2 (Core_Ops_Range_Range_Type.range_start self) <= deep_model2 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model2 (Core_Ops_Range_Range_Type.range_start o) <= deep_model2 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model2 (Core_Ops_Range_Range_Type.range_start o) - deep_model2 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model2 (Seq.get visited i) = deep_model2 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model2 (Core_Ops_Range_Range_Type.range_start self) <= deep_model2 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model2 (Core_Ops_Range_Range_Type.range_start o) <= deep_model2 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model2 (Core_Ops_Range_Range_Type.range_start o) - deep_model2 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model2 (Seq.get visited i) = deep_model2 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces0 self visited o } 
@@ -1306,14 +1341,22 @@ module Hillel_Unique requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv1 a) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv10 ab) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv1 b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv10 bc) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv1 a) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv10 ab) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv1 b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv10 bc) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant1 (self : Core_Ops_Range_Range_Type.t_range usize) = [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant1 (self : Core_Ops_Range_Range_Type.t_range usize) : bool 
@@ -1343,7 +1386,8 @@ module Hillel_Unique ensures { result = index_logic2 self ix } predicate resolve5 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) -> resolve2 (index_logic2 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) + -> resolve2 (index_logic2 self i) val resolve5 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve5 self } @@ -1354,7 +1398,8 @@ module Hillel_Unique requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv9 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model3 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv9 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model3 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) function shallow_model0 (self : slice t) : Seq.seq t = [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model3 self val shallow_model0 (self : slice t) : Seq.seq t 
@@ -1384,7 +1429,7 @@ module Hillel_Unique ensures { result = deep_model3 self } predicate is_subset0 [#"../hillel.rs" 64 0 64 49] (sub : Seq.seq deep_model_ty0) (sup : Seq.seq deep_model_ty0) = - [#"../hillel.rs" 65 4 67 5] forall i : int . 0 <= i /\ i < Seq.length sub -> contains0 sup (Seq.get sub i) + [#"../hillel.rs" 65 4 67 5] forall i : int . 0 <= i /\ i < Seq.length sub -> contains0 sup (Seq.get sub i) val is_subset0 [#"../hillel.rs" 64 0 64 49] (sub : Seq.seq deep_model_ty0) (sup : Seq.seq deep_model_ty0) : bool ensures { result = is_subset0 sub sup } 
@@ -1393,9 +1438,12 @@ module Hillel_Unique requires {[#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv2 self} ensures { result = deep_model0 self } - axiom deep_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv6 (deep_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) -> Seq.get (deep_model0 self) i = deep_model3 (index_logic2 self i)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model1 self) = Seq.length (deep_model0 self)) + axiom deep_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv6 (deep_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) + -> Seq.get (deep_model0 self) i = deep_model3 (index_logic2 self i)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model1 self) = Seq.length (deep_model0 self)) predicate is_unique0 [#"../hillel.rs" 50 0 50 34] (s : Seq.seq deep_model_ty0) = - [#"../hillel.rs" 51 4 53 5] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s -> Seq.get s i = Seq.get s j -> i = j + [#"../hillel.rs" 51 4 53 5] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s + -> Seq.get s i = Seq.get s j -> i = j val is_unique0 [#"../hillel.rs" 50 0 50 34] (s : Seq.seq deep_model_ty0) : bool ensures { result = is_unique0 s } 
@@ -1446,7 +1494,9 @@ module Hillel_Unique requires {[#"../../../../creusot-contracts/src/std/slice.rs" 32 18 32 22] inv11 self} ensures { result = deep_model4 self } - axiom deep_model4_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 32 18 32 22] inv11 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 32 4 32 44] inv6 (deep_model4 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 31 4 31 98] forall i : int . 0 <= i /\ i < Seq.length (deep_model4 self) -> Seq.get (deep_model4 self) i = deep_model3 (index_logic4 self i)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 30 14 30 44] Seq.length (shallow_model0 self) = Seq.length (deep_model4 self)) + axiom deep_model4_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 32 18 32 22] inv11 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 32 4 32 44] inv6 (deep_model4 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 31 4 31 98] forall i : int . 0 <= i /\ i < Seq.length (deep_model4 self) + -> Seq.get (deep_model4 self) i = deep_model3 (index_logic4 self i)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 30 14 30 44] Seq.length (shallow_model0 self) = Seq.length (deep_model4 self)) function deep_model1 (self : slice t) : Seq.seq deep_model_ty0 = [#"../../../../creusot-contracts/src/model.rs" 74 8 74 28] deep_model4 self val deep_model1 (self : slice t) : Seq.seq deep_model_ty0 @@ -1523,7 +1573,7 @@ module Hillel_Unique goto BB0 } BB0 { - [#"../hillel.rs" 101 21 101 31] unique <- ([#"../hillel.rs" 101 21 101 31] new0 ()); + [#"../hillel.rs" 101 21 101 31] unique <- ([#"../hillel.rs" 101 21 101 31] new0 ([#"../hillel.rs" 101 21 101 31] ())); goto BB1 } BB1 { 
@@ -1537,7 +1587,7 @@ module Hillel_Unique goto BB3 } BB3 { - [#"../hillel.rs" 107 13 107 25] _10 <- ([#"../hillel.rs" 107 13 107 25] Core_Ops_Range_Range_Type.C_Range (0 : usize) _11); + [#"../hillel.rs" 107 13 107 25] _10 <- ([#"../hillel.rs" 107 13 107 25] Core_Ops_Range_Range_Type.C_Range ([#"../hillel.rs" 107 13 107 14] (0 : usize)) _11); _11 <- any usize; [#"../hillel.rs" 104 4 104 48] iter <- ([#"../hillel.rs" 104 4 104 48] into_iter0 _10); _10 <- any Core_Ops_Range_Range_Type.t_range usize; @@ -1668,8 +1718,10 @@ module Hillel_SumRange_Impl constant from : int constant to' : int function sum_range [#"../hillel.rs" 122 0 122 54] (seq : Seq.seq uint32) (from : int) (to' : int) : int - goal vc_sum_range : ([#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq) -> match to' - from > 0 with - | True -> (([#"../hillel.rs" 120 11 120 53] 0 <= from + 1 /\ from + 1 <= to' /\ to' <= Seq.length seq) /\ 0 <= ([#"../hillel.rs" 119 10 119 19] to' - from) /\ ([#"../hillel.rs" 119 10 119 19] to' - (from + 1)) < ([#"../hillel.rs" 119 10 119 19] to' - from)) /\ (([#"../hillel.rs" 121 10 121 21] sum_range seq (from + 1) to' >= 0) -> ([#"../hillel.rs" 121 10 121 21] UInt32.to_int (Seq.get seq from) + sum_range seq (from + 1) to' >= 0)) + goal vc_sum_range : ([#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq) + -> match to' - from > 0 with + | True -> (([#"../hillel.rs" 120 11 120 53] 0 <= from + 1 /\ from + 1 <= to' /\ to' <= Seq.length seq) /\ 0 <= ([#"../hillel.rs" 119 10 119 19] to' - from) /\ ([#"../hillel.rs" 119 10 119 19] to' - (from + 1)) < ([#"../hillel.rs" 119 10 119 19] to' - from)) /\ (([#"../hillel.rs" 121 10 121 21] sum_range seq (from + 1) to' >= 0) + -> ([#"../hillel.rs" 121 10 121 21] UInt32.to_int (Seq.get seq from) + sum_range seq (from + 1) to' >= 0)) | False -> [#"../hillel.rs" 121 10 121 21] 0 >= 0 end end 
@@ -1690,14 +1742,17 @@ module Hillel_SumRangeSplit_Impl requires {[#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq} ensures { result = sum_range0 seq from to' } - axiom sum_range0_spec : forall seq : Seq.seq uint32, from : int, to' : int . ([#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq) -> ([#"../hillel.rs" 121 10 121 21] sum_range0 seq from to' >= 0) + axiom sum_range0_spec : forall seq : Seq.seq uint32, from : int, to' : int . ([#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq) + -> ([#"../hillel.rs" 121 10 121 21] sum_range0 seq from to' >= 0) constant seq : Seq.seq uint32 constant from : int constant to' : int constant i : int function sum_range_split [#"../hillel.rs" 134 0 134 61] (seq : Seq.seq uint32) (from : int) (to' : int) (i : int) : () - goal vc_sum_range_split : ([#"../hillel.rs" 132 11 132 63] 0 <= from /\ from <= i /\ i <= to' /\ to' <= Seq.length seq) -> match i > from with - | True -> (([#"../hillel.rs" 132 11 132 63] 0 <= from + 1 /\ from + 1 <= i /\ i <= to' /\ to' <= Seq.length seq) /\ 0 <= ([#"../hillel.rs" 131 10 131 18] i - from) /\ ([#"../hillel.rs" 131 10 131 18] i - (from + 1)) < ([#"../hillel.rs" 131 10 131 18] i - from)) /\ (([#"../hillel.rs" 133 10 133 85] sum_range0 seq (from + 1) to' = sum_range0 seq (from + 1) i + sum_range0 seq i to') -> (let _ = sum_range_split seq (from + 1) to' i in [#"../hillel.rs" 133 10 133 85] sum_range0 seq from to' = sum_range0 seq from i + sum_range0 seq i to')) + goal vc_sum_range_split : ([#"../hillel.rs" 132 11 132 63] 0 <= from /\ from <= i /\ i <= to' /\ to' <= Seq.length seq) + -> match i > from with + | True -> (([#"../hillel.rs" 132 11 132 63] 0 <= from + 1 /\ from + 1 <= i /\ i <= to' /\ to' <= Seq.length seq) /\ 0 <= ([#"../hillel.rs" 131 10 131 18] i - from) /\ ([#"../hillel.rs" 131 10 131 18] i - (from + 1)) < ([#"../hillel.rs" 131 10 131 18] i - from)) /\ (([#"../hillel.rs" 133 10 133 85] 
sum_range0 seq (from + 1) to' = sum_range0 seq (from + 1) i + sum_range0 seq i to') + -> (let _ = sum_range_split seq (from + 1) to' i in [#"../hillel.rs" 133 10 133 85] sum_range0 seq from to' = sum_range0 seq from i + sum_range0 seq i to')) | False -> [#"../hillel.rs" 133 10 133 85] sum_range0 seq from to' = sum_range0 seq from i + sum_range0 seq i to' end end @@ -1723,7 +1778,8 @@ module Hillel_Score_Impl requires {[#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq} ensures { result = sum_range0 seq from to' } - axiom sum_range0_spec : forall seq : Seq.seq uint32, from : int, to' : int . ([#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq) -> ([#"../hillel.rs" 121 10 121 21] sum_range0 seq from to' >= 0) + axiom sum_range0_spec : forall seq : Seq.seq uint32, from : int, to' : int . ([#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq) + -> ([#"../hillel.rs" 121 10 121 21] sum_range0 seq from to' >= 0) function sum_range_split0 [#"../hillel.rs" 134 0 134 61] (seq : Seq.seq uint32) (from : int) (to' : int) (i : int) : () axiom sum_range_split0_def : forall seq : Seq.seq uint32, from : int, to' : int, i : int . sum_range_split0 seq from to' i = ([#"../hillel.rs" 135 4 137 5] if i > from then 
@@ -1735,11 +1791,17 @@ module Hillel_Score_Impl requires {[#"../hillel.rs" 132 11 132 63] 0 <= from /\ from <= i /\ i <= to' /\ to' <= Seq.length seq} ensures { result = sum_range_split0 seq from to' i } - axiom sum_range_split0_spec : forall seq : Seq.seq uint32, from : int, to' : int, i : int . ([#"../hillel.rs" 132 11 132 63] 0 <= from /\ from <= i /\ i <= to' /\ to' <= Seq.length seq) -> ([#"../hillel.rs" 133 10 133 85] sum_range0 seq from to' = sum_range0 seq from i + sum_range0 seq i to') + axiom sum_range_split0_spec : forall seq : Seq.seq uint32, from : int, to' : int, i : int . ([#"../hillel.rs" 132 11 132 63] 0 <= from /\ from <= i /\ i <= to' /\ to' <= Seq.length seq) + -> ([#"../hillel.rs" 133 10 133 85] sum_range0 seq from to' = sum_range0 seq from i + sum_range0 seq i to') constant seq : Seq.seq uint32 constant i : int function score [#"../hillel.rs" 144 0 144 38] (seq : Seq.seq uint32) (i : int) : int - goal vc_score : ([#"../hillel.rs" 141 11 141 35] 0 <= i /\ i <= Seq.length seq) -> ([#"../hillel.rs" 132 11 132 63] 0 <= 0 /\ 0 <= i /\ i <= Seq.length seq /\ Seq.length seq <= Seq.length seq) /\ (([#"../hillel.rs" 133 10 133 85] sum_range0 seq 0 (Seq.length seq) = sum_range0 seq 0 i + sum_range0 seq i (Seq.length seq)) -> (let _ = sum_range_split0 seq 0 (Seq.length seq) i in ([#"../hillel.rs" 120 11 120 53] 0 <= 0 /\ 0 <= i /\ i <= Seq.length seq) /\ (([#"../hillel.rs" 121 10 121 21] sum_range0 seq 0 i >= 0) -> ([#"../hillel.rs" 120 11 120 53] 0 <= i /\ i <= Seq.length seq /\ Seq.length seq <= Seq.length seq) /\ (([#"../hillel.rs" 121 10 121 21] sum_range0 seq i (Seq.length seq) >= 0) -> (let result = abs_diff0 (sum_range0 seq 0 i) (sum_range0 seq i (Seq.length seq)) in ([#"../hillel.rs" 143 0 143 79] 0 = i \/ i = Seq.length seq -> result = sum_range0 seq 0 (Seq.length seq)) && ([#"../hillel.rs" 142 10 142 64] 0 <= result /\ result <= sum_range0 seq 0 (Seq.length seq))))))) + goal vc_score : ([#"../hillel.rs" 141 11 141 35] 0 <= i /\ i <= Seq.length 
seq) + -> ([#"../hillel.rs" 132 11 132 63] 0 <= 0 /\ 0 <= i /\ i <= Seq.length seq /\ Seq.length seq <= Seq.length seq) /\ (([#"../hillel.rs" 133 10 133 85] sum_range0 seq 0 (Seq.length seq) = sum_range0 seq 0 i + sum_range0 seq i (Seq.length seq)) + -> (let _ = sum_range_split0 seq 0 (Seq.length seq) i in ([#"../hillel.rs" 120 11 120 53] 0 <= 0 /\ 0 <= i /\ i <= Seq.length seq) /\ (([#"../hillel.rs" 121 10 121 21] sum_range0 seq 0 i >= 0) + -> ([#"../hillel.rs" 120 11 120 53] 0 <= i /\ i <= Seq.length seq /\ Seq.length seq <= Seq.length seq) /\ (([#"../hillel.rs" 121 10 121 21] sum_range0 seq i (Seq.length seq) >= 0) + -> (let result = abs_diff0 (sum_range0 seq 0 i) (sum_range0 seq i (Seq.length seq)) in ([#"../hillel.rs" 143 0 143 79] 0 = i \/ i = Seq.length seq + -> result = sum_range0 seq 0 (Seq.length seq)) && ([#"../hillel.rs" 142 10 142 64] 0 <= result /\ result <= sum_range0 seq 0 (Seq.length seq))))))) end module Hillel_Fulcrum use prelude.UIntSize 
@@ -1847,7 +1909,9 @@ module Hillel_Fulcrum predicate produces1 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces1 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces1 self visited o } 
@@ -1863,14 +1927,22 @@ module Hillel_Fulcrum requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces1 a ab b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces1 b bc c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv1 a) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv9 ab) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv1 b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv9 bc) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces1 a ab b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces1 b bc c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv1 a) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv9 ab) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv1 b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv9 bc) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl1 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : Core_Ops_Range_Range_Type.t_range usize) = [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant1 (self : Core_Ops_Range_Range_Type.t_range usize) : bool 
@@ -1889,7 +1961,8 @@ module Hillel_Fulcrum requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv7 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : slice uint32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv7 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv8 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model4 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : slice uint32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv7 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv8 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model4 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) function index_logic3 [@inline:trivial] (self : slice uint32) (ix : int) : uint32 = [#"../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model4 self) ix val index_logic3 [@inline:trivial] (self : slice uint32) (ix : int) : uint32 
@@ -1907,7 +1980,9 @@ module Hillel_Fulcrum requires {[#"../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv2 self} ensures { result = to_ref_seq0 self } - axiom to_ref_seq0_spec : forall self : slice uint32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv2 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv6 (to_ref_seq0 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) -> Seq.get (to_ref_seq0 self) i = index_logic3 self i) && ([#"../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model1 self)) + axiom to_ref_seq0_spec : forall self : slice uint32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv6 (to_ref_seq0 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) + -> Seq.get (to_ref_seq0 self) i = index_logic3 self i) && ([#"../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model1 self)) function shallow_model3 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) : slice uint32 val shallow_model3 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) : slice uint32 ensures { result = shallow_model3 self } 
@@ -1930,7 +2005,11 @@ module Hillel_Fulcrum requires {[#"../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv6 bc} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter uint32, ab : Seq.seq uint32, b : Core_Slice_Iter_Iter_Type.t_iter uint32, bc : Seq.seq uint32, c : Core_Slice_Iter_Iter_Type.t_iter uint32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv6 ab) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv6 bc) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter uint32, ab : Seq.seq uint32, b : Core_Slice_Iter_Iter_Type.t_iter uint32, bc : Seq.seq uint32, c : Core_Slice_Iter_Iter_Type.t_iter uint32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv6 ab) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv6 bc) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) : () = [#"../../../../creusot-contracts/src/std/slice.rs" 390 4 390 10] () 
@@ -1987,7 +2066,8 @@ module Hillel_Fulcrum requires {[#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq} ensures { result = sum_range0 seq from to' } - axiom sum_range0_spec : forall seq : Seq.seq uint32, from : int, to' : int . ([#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq) -> ([#"../hillel.rs" 121 10 121 21] sum_range0 seq from to' >= 0) + axiom sum_range0_spec : forall seq : Seq.seq uint32, from : int, to' : int . ([#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq) + -> ([#"../hillel.rs" 121 10 121 21] sum_range0 seq from to' >= 0) function sum_range_split0 [#"../hillel.rs" 134 0 134 61] (seq : Seq.seq uint32) (from : int) (to' : int) (i : int) : () axiom sum_range_split0_def : forall seq : Seq.seq uint32, from : int, to' : int, i : int . sum_range_split0 seq from to' i = ([#"../hillel.rs" 135 4 137 5] if i > from then 
@@ -1999,14 +2079,17 @@ module Hillel_Fulcrum requires {[#"../hillel.rs" 132 11 132 63] 0 <= from /\ from <= i /\ i <= to' /\ to' <= Seq.length seq} ensures { result = sum_range_split0 seq from to' i } - axiom sum_range_split0_spec : forall seq : Seq.seq uint32, from : int, to' : int, i : int . ([#"../hillel.rs" 132 11 132 63] 0 <= from /\ from <= i /\ i <= to' /\ to' <= Seq.length seq) -> ([#"../hillel.rs" 133 10 133 85] sum_range0 seq from to' = sum_range0 seq from i + sum_range0 seq i to') + axiom sum_range_split0_spec : forall seq : Seq.seq uint32, from : int, to' : int, i : int . ([#"../hillel.rs" 132 11 132 63] 0 <= from /\ from <= i /\ i <= to' /\ to' <= Seq.length seq) + -> ([#"../hillel.rs" 133 10 133 85] sum_range0 seq from to' = sum_range0 seq from i + sum_range0 seq i to') function score0 [#"../hillel.rs" 144 0 144 38] (seq : Seq.seq uint32) (i : int) : int = [#"../hillel.rs" 145 4 145 41] let _ = sum_range_split0 seq 0 (Seq.length seq) i in abs_diff1 (sum_range0 seq 0 i) (sum_range0 seq i (Seq.length seq)) val score0 [#"../hillel.rs" 144 0 144 38] (seq : Seq.seq uint32) (i : int) : int requires {[#"../hillel.rs" 141 11 141 35] 0 <= i /\ i <= Seq.length seq} ensures { result = score0 seq i } - axiom score0_spec : forall seq : Seq.seq uint32, i : int . ([#"../hillel.rs" 141 11 141 35] 0 <= i /\ i <= Seq.length seq) -> ([#"../hillel.rs" 143 0 143 79] 0 = i \/ i = Seq.length seq -> score0 seq i = sum_range0 seq 0 (Seq.length seq)) && ([#"../hillel.rs" 142 10 142 64] 0 <= score0 seq i /\ score0 seq i <= sum_range0 seq 0 (Seq.length seq)) + axiom score0_spec : forall seq : Seq.seq uint32, i : int . ([#"../hillel.rs" 141 11 141 35] 0 <= i /\ i <= Seq.length seq) + -> ([#"../hillel.rs" 143 0 143 79] 0 = i \/ i = Seq.length seq + -> score0 seq i = sum_range0 seq 0 (Seq.length seq)) && ([#"../hillel.rs" 142 10 142 64] 0 <= score0 seq i /\ score0 seq i <= sum_range0 seq 0 (Seq.length seq)) use prelude.Snapshot use prelude.Snapshot use prelude.Snapshot 
@@ -2082,7 +2165,8 @@ module Hillel_Fulcrum requires {[#"../hillel.rs" 152 11 152 45] sum_range0 (shallow_model1 s) 0 (Seq.length (shallow_model1 s)) <= 1000} requires {[#"../hillel.rs" 153 11 153 23] Seq.length (shallow_model1 s) > 0} ensures { [#"../hillel.rs" 154 10 154 44] 0 <= UIntSize.to_int result /\ UIntSize.to_int result < Seq.length (shallow_model1 s) } - ensures { [#"../hillel.rs" 155 0 155 88] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 s) -> score0 (shallow_model1 s) (UIntSize.to_int result) <= score0 (shallow_model1 s) i } + ensures { [#"../hillel.rs" 155 0 155 88] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 s) + -> score0 (shallow_model1 s) (UIntSize.to_int result) <= score0 (shallow_model1 s) i } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : usize; @@ -2123,7 +2207,7 @@ module Hillel_Fulcrum goto BB0 } BB0 { - [#"../hillel.rs" 157 25 157 26] total <- ([#"../hillel.rs" 157 25 157 26] (0 : uint32)); + [#"../hillel.rs" 157 25 157 26] total <- ([#"../hillel.rs" 157 25 157 26] [#"../hillel.rs" 157 25 157 26] (0 : uint32)); [#"../hillel.rs" 159 4 159 60] iter <- ([#"../hillel.rs" 159 4 159 60] into_iter0 s); goto BB1 } @@ -2163,9 +2247,9 @@ module Hillel_Fulcrum } BB7 { assert { [@expl:assertion] [#"../hillel.rs" 165 20 165 56] UInt32.to_int total = sum_range0 (shallow_model1 s) 0 (Seq.length (shallow_model1 s)) }; - [#"../hillel.rs" 167 27 167 28] min_i <- ([#"../hillel.rs" 167 27 167 28] (0 : usize)); + [#"../hillel.rs" 167 27 167 28] min_i <- ([#"../hillel.rs" 167 27 167 28] [#"../hillel.rs" 167 27 167 28] (0 : usize)); [#"../hillel.rs" 168 28 168 33] min_dist <- ([#"../hillel.rs" 168 28 168 33] total); - [#"../hillel.rs" 170 23 170 24] sum <- ([#"../hillel.rs" 170 23 170 24] (0 : uint32)); + [#"../hillel.rs" 170 23 170 24] sum <- ([#"../hillel.rs" 170 23 170 24] [#"../hillel.rs" 170 23 170 24] (0 : uint32)); [#"../hillel.rs" 176 16 176 23] _37 <- ([#"../hillel.rs" 176 16 176 23] len2 s); goto BB12 } 
@@ -2186,11 +2270,11 @@ module Hillel_Fulcrum _24 <- any Snapshot.snap_ty (Seq.seq uint32); [#"../hillel.rs" 161 9 161 10] x <- ([#"../hillel.rs" 161 9 161 10] __creusot_proc_iter_elem); [#"../hillel.rs" 162 8 162 18] total <- ([#"../hillel.rs" 162 8 162 18] total + x); - [#"../hillel.rs" 161 16 163 5] _18 <- ([#"../hillel.rs" 161 16 163 5] ()); + [#"../hillel.rs" 161 16 163 5] _18 <- ([#"../hillel.rs" 161 16 163 5] [#"../hillel.rs" 161 16 163 5] ()); goto BB4 } BB12 { - [#"../hillel.rs" 176 13 176 23] _36 <- ([#"../hillel.rs" 176 13 176 23] Core_Ops_Range_Range_Type.C_Range (0 : usize) _37); + [#"../hillel.rs" 176 13 176 23] _36 <- ([#"../hillel.rs" 176 13 176 23] Core_Ops_Range_Range_Type.C_Range ([#"../hillel.rs" 176 13 176 14] (0 : usize)) _37); _37 <- any usize; [#"../hillel.rs" 171 4 171 58] iter1 <- ([#"../hillel.rs" 171 4 171 58] into_iter1 _36); _36 <- any Core_Ops_Range_Range_Type.t_range usize; @@ -2214,7 +2298,8 @@ module Hillel_Fulcrum invariant { [#"../hillel.rs" 172 16 172 30] UInt32.to_int sum <= UInt32.to_int total }; invariant { [#"../hillel.rs" 173 16 173 61] UIntSize.to_int min_i <= Seq.length (Snapshot.inner produced1) /\ UIntSize.to_int min_i < Seq.length (shallow_model1 s) }; invariant { [#"../hillel.rs" 174 16 174 46] UInt32.to_int min_dist = score0 (shallow_model1 s) (UIntSize.to_int min_i) }; - invariant { [#"../hillel.rs" 171 4 171 58] forall j : int . 0 <= j /\ j < Seq.length (Snapshot.inner produced1) -> score0 (shallow_model1 s) (UIntSize.to_int min_i) <= score0 (shallow_model1 s) j }; + invariant { [#"../hillel.rs" 171 4 171 58] forall j : int . 0 <= j /\ j < Seq.length (Snapshot.inner produced1) + -> score0 (shallow_model1 s) (UIntSize.to_int min_i) <= score0 (shallow_model1 s) j }; goto BB17 } BB17 { 
@@ -2264,11 +2349,11 @@ module Hillel_Fulcrum BB24 { [#"../hillel.rs" 179 12 179 21] min_i <- ([#"../hillel.rs" 179 12 179 21] i); [#"../hillel.rs" 180 12 180 27] min_dist <- ([#"../hillel.rs" 180 12 180 27] dist); - [#"../hillel.rs" 178 27 181 9] _63 <- ([#"../hillel.rs" 178 27 181 9] ()); + [#"../hillel.rs" 178 27 181 9] _63 <- ([#"../hillel.rs" 178 27 181 9] [#"../hillel.rs" 178 27 181 9] ()); goto BB26 } BB25 { - [#"../hillel.rs" 181 9 181 9] _63 <- ([#"../hillel.rs" 181 9 181 9] ()); + [#"../hillel.rs" 181 9 181 9] _63 <- ([#"../hillel.rs" 181 9 181 9] [#"../hillel.rs" 181 9 181 9] ()); goto BB26 } BB26 { @@ -2280,7 +2365,7 @@ module Hillel_Fulcrum } BB27 { [#"../hillel.rs" 183 8 183 19] sum <- ([#"../hillel.rs" 183 8 183 19] sum + Slice.get s _70); - [#"../hillel.rs" 176 24 184 5] _18 <- ([#"../hillel.rs" 176 24 184 5] ()); + [#"../hillel.rs" 176 24 184 5] _18 <- ([#"../hillel.rs" 176 24 184 5] [#"../hillel.rs" 176 24 184 5] ()); goto BB16 } BB29 { diff --git a/creusot/tests/should_succeed/immut.mlcfg b/creusot/tests/should_succeed/immut.mlcfg index ef59f377ef..ff8a0d5922 100644 --- a/creusot/tests/should_succeed/immut.mlcfg +++ b/creusot/tests/should_succeed/immut.mlcfg @@ -18,11 +18,11 @@ module Immut_F goto BB0 } BB0 { - [#"../immut.rs" 4 16 4 18] a <- ([#"../immut.rs" 4 16 4 18] (10 : uint32)); + [#"../immut.rs" 4 16 4 18] a <- ([#"../immut.rs" 4 16 4 18] [#"../immut.rs" 4 16 4 18] (10 : uint32)); [#"../immut.rs" 5 12 5 18] b <- Borrow.borrow_mut a; [#"../immut.rs" 5 12 5 18] a <- ^ b; [#"../immut.rs" 6 19 6 20] _c <- ([#"../immut.rs" 6 19 6 20] * b); - [#"../immut.rs" 3 11 7 1] _0 <- ([#"../immut.rs" 3 11 7 1] ()); + [#"../immut.rs" 3 11 7 1] _0 <- ([#"../immut.rs" 3 11 7 1] [#"../immut.rs" 3 11 7 1] ()); assume { resolve0 b }; return _0 } diff --git a/creusot/tests/should_succeed/index_range.mlcfg b/creusot/tests/should_succeed/index_range.mlcfg index c17e4d2486..462f0884b0 100644 --- a/creusot/tests/should_succeed/index_range.mlcfg 
+++ b/creusot/tests/should_succeed/index_range.mlcfg @@ -89,7 +89,8 @@ module IndexRange_CreateArr requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv3 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -142,41 +143,41 @@ module IndexRange_CreateArr goto BB0 } BB0 { - [#"../index_range.rs" 15 18 15 28] arr <- ([#"../index_range.rs" 15 18 15 28] new0 ()); + [#"../index_range.rs" 15 18 15 28] arr <- ([#"../index_range.rs" 15 18 15 28] new0 ([#"../index_range.rs" 15 18 15 28] ())); goto BB1 } BB1 { [#"../index_range.rs" 17 4 17 7] _4 <- Borrow.borrow_mut arr; [#"../index_range.rs" 17 4 17 7] arr <- ^ _4; - [#"../index_range.rs" 17 4 17 15] _3 <- ([#"../index_range.rs" 17 4 17 15] push0 _4 (0 : int32)); + [#"../index_range.rs" 17 4 17 15] _3 <- ([#"../index_range.rs" 17 4 17 15] push0 _4 ([#"../index_range.rs" 17 13 17 14] (0 : int32))); _4 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); goto BB2 } BB2 { [#"../index_range.rs" 18 4 18 7] _6 <- Borrow.borrow_mut arr; [#"../index_range.rs" 18 4 18 7] arr <- ^ _6; - [#"../index_range.rs" 18 4 18 15] _5 <- ([#"../index_range.rs" 18 4 18 15] push0 _6 (1 : int32)); + [#"../index_range.rs" 18 4 18 15] _5 <- ([#"../index_range.rs" 18 4 18 15] push0 _6 ([#"../index_range.rs" 18 13 18 14] (1 : int32))); _6 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); goto BB3 } BB3 { [#"../index_range.rs" 19 4 19 7] _8 <- Borrow.borrow_mut arr; [#"../index_range.rs" 19 4 19 7] arr <- ^ _8; - [#"../index_range.rs" 19 4 19 15] _7 <- ([#"../index_range.rs" 19 4 19 15] push0 _8 (2 : int32)); + [#"../index_range.rs" 19 4 19 15] _7 <- ([#"../index_range.rs" 19 4 19 15] push0 _8 ([#"../index_range.rs" 19 13 19 14] (2 : int32))); _8 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); goto BB4 } BB4 { [#"../index_range.rs" 20 4 20 7] _10 <- Borrow.borrow_mut arr; [#"../index_range.rs" 20 4 20 7] arr <- ^ _10; - [#"../index_range.rs" 20 4 20 15] _9 <- ([#"../index_range.rs" 20 4 20 15] push0 _10 (3 : int32)); + [#"../index_range.rs" 20 4 20 15] _9 <- ([#"../index_range.rs" 20 4 20 15] push0 _10 ([#"../index_range.rs" 20 13 20 14] (3 : int32))); 
_10 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); goto BB5 } BB5 { [#"../index_range.rs" 21 4 21 7] _12 <- Borrow.borrow_mut arr; [#"../index_range.rs" 21 4 21 7] arr <- ^ _12; - [#"../index_range.rs" 21 4 21 15] _11 <- ([#"../index_range.rs" 21 4 21 15] push0 _12 (4 : int32)); + [#"../index_range.rs" 21 4 21 15] _11 <- ([#"../index_range.rs" 21 4 21 15] push0 _12 ([#"../index_range.rs" 21 13 21 14] (4 : int32))); _12 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); goto BB6 } @@ -250,7 +251,8 @@ module IndexRange_TestRange requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant9 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv10 (shallow_model0 self) val invariant9 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -385,7 +387,8 @@ module IndexRange_TestRange predicate resolve_elswhere0 (self : Core_Ops_Range_Range_Type.t_range usize) (old' : Seq.seq int32) (fin : Seq.seq int32) = - [#"../../../../creusot-contracts/src/std/slice.rs" 149 8 152 9] forall i : int . 0 <= i /\ (i < UIntSize.to_int (Core_Ops_Range_Range_Type.range_start self) \/ UIntSize.to_int (Core_Ops_Range_Range_Type.range_end self) <= i) /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 149 8 152 9] forall i : int . 0 <= i /\ (i < UIntSize.to_int (Core_Ops_Range_Range_Type.range_start self) \/ UIntSize.to_int (Core_Ops_Range_Range_Type.range_end self) <= i) /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 (self : Core_Ops_Range_Range_Type.t_range usize) (old' : Seq.seq int32) (fin : Seq.seq int32) : bool ensures { result = resolve_elswhere0 self old' fin } 
@@ -395,7 +398,8 @@ module IndexRange_TestRange requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : slice int32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv10 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : slice int32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv10 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) use seq_ext.SeqExt predicate has_value0 (self : Core_Ops_Range_Range_Type.t_range usize) (seq : Seq.seq int32) (out : slice int32) = [#"../../../../creusot-contracts/src/std/slice.rs" 143 20 143 67] SeqExt.subsequence seq (UIntSize.to_int (Core_Ops_Range_Range_Type.range_start self)) (UIntSize.to_int (Core_Ops_Range_Range_Type.range_end self)) = shallow_model6 out 
@@ -436,7 +440,8 @@ module IndexRange_TestRange val get0 (self : slice int32) (index : Core_Ops_Range_Range_Type.t_range usize) : Core_Option_Option_Type.t_option (slice int32) requires {inv2 self} requires {inv1 index} - ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 252 8 252 102] in_bounds0 index (shallow_model3 self) -> (exists r : slice int32 . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ has_value0 index (shallow_model3 self) r) } + ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 252 8 252 102] in_bounds0 index (shallow_model3 self) + -> (exists r : slice int32 . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ has_value0 index (shallow_model3 self) r) } ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 253 18 253 55] in_bounds0 index (shallow_model3 self) \/ result = Core_Option_Option_Type.C_None } ensures { inv3 result } @@ -458,7 +463,8 @@ module IndexRange_TestRange ensures { result = index_logic0 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve2 (index_logic0 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve2 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } 
@@ -563,11 +569,11 @@ module IndexRange_TestRange goto BB0 } BB0 { - [#"../index_range.rs" 29 18 29 30] arr <- ([#"../index_range.rs" 29 18 29 30] create_arr0 ()); + [#"../index_range.rs" 29 18 29 30] arr <- ([#"../index_range.rs" 29 18 29 30] create_arr0 ([#"../index_range.rs" 29 18 29 30] ())); goto BB1 } BB1 { - [#"../index_range.rs" 34 17 34 21] _5 <- ([#"../index_range.rs" 34 17 34 21] Core_Ops_Range_Range_Type.C_Range (0 : usize) (2 : usize)); + [#"../index_range.rs" 34 17 34 21] _5 <- ([#"../index_range.rs" 34 17 34 21] Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 34 17 34 18] (0 : usize)) ([#"../index_range.rs" 34 20 34 21] (2 : usize))); [#"../index_range.rs" 34 16 34 22] _3 <- ([#"../index_range.rs" 34 16 34 22] index0 arr _5); _5 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB2 @@ -578,7 +584,7 @@ module IndexRange_TestRange goto BB3 } BB3 { - [#"../index_range.rs" 35 12 35 24] _7 <- ([#"../index_range.rs" 35 12 35 24] _8 = (2 : usize)); + [#"../index_range.rs" 35 12 35 24] _7 <- ([#"../index_range.rs" 35 12 35 24] _8 = ([#"../index_range.rs" 35 23 35 24] (2 : usize))); _8 <- any usize; switch (_7) | False -> goto BB11 
@@ -586,35 +592,35 @@ module IndexRange_TestRange end } BB4 { - [#"../index_range.rs" 35 30 35 31] _12 <- ([#"../index_range.rs" 35 30 35 31] (0 : usize)); + [#"../index_range.rs" 35 30 35 31] _12 <- ([#"../index_range.rs" 35 30 35 31] [#"../index_range.rs" 35 30 35 31] (0 : usize)); [#"../index_range.rs" 35 28 35 32] _13 <- ([#"../index_range.rs" 35 28 35 32] Slice.length s); [#"../index_range.rs" 35 28 35 32] _14 <- ([#"../index_range.rs" 35 28 35 32] _12 < _13); assert { [@expl:index in bounds] [#"../index_range.rs" 35 28 35 32] _14 }; goto BB5 } BB5 { - [#"../index_range.rs" 35 28 35 37] _10 <- ([#"../index_range.rs" 35 28 35 37] Slice.get s _12 = (0 : int32)); + [#"../index_range.rs" 35 28 35 37] _10 <- ([#"../index_range.rs" 35 28 35 37] Slice.get s _12 = ([#"../index_range.rs" 35 36 35 37] (0 : int32))); switch (_10) | False -> goto BB10 | True -> goto BB6 end } BB6 { - [#"../index_range.rs" 35 43 35 44] _17 <- ([#"../index_range.rs" 35 43 35 44] (1 : usize)); + [#"../index_range.rs" 35 43 35 44] _17 <- ([#"../index_range.rs" 35 43 35 44] [#"../index_range.rs" 35 43 35 44] (1 : usize)); [#"../index_range.rs" 35 41 35 45] _18 <- ([#"../index_range.rs" 35 41 35 45] Slice.length s); [#"../index_range.rs" 35 41 35 45] _19 <- ([#"../index_range.rs" 35 41 35 45] _17 < _18); assert { [@expl:index in bounds] [#"../index_range.rs" 35 41 35 45] _19 }; goto BB7 } BB7 { - [#"../index_range.rs" 35 41 35 50] _15 <- ([#"../index_range.rs" 35 41 35 50] Slice.get s _17 = (1 : int32)); + [#"../index_range.rs" 35 41 35 50] _15 <- ([#"../index_range.rs" 35 41 35 50] Slice.get s _17 = ([#"../index_range.rs" 35 49 35 50] (1 : int32))); switch (_15) | False -> goto BB9 | True -> goto BB8 end } BB8 { - [#"../index_range.rs" 37 17 37 21] _24 <- ([#"../index_range.rs" 37 17 37 21] Core_Ops_Range_Range_Type.C_Range (3 : usize) (5 : usize)); + [#"../index_range.rs" 37 17 37 21] _24 <- ([#"../index_range.rs" 37 17 37 21] Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 37 17 37 
18] (3 : usize)) ([#"../index_range.rs" 37 20 37 21] (5 : usize))); [#"../index_range.rs" 37 16 37 22] _22 <- ([#"../index_range.rs" 37 16 37 22] index0 arr _24); _24 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB13 @@ -641,7 +647,7 @@ module IndexRange_TestRange goto BB14 } BB14 { - [#"../index_range.rs" 38 12 38 24] _26 <- ([#"../index_range.rs" 38 12 38 24] _27 = (2 : usize)); + [#"../index_range.rs" 38 12 38 24] _26 <- ([#"../index_range.rs" 38 12 38 24] _27 = ([#"../index_range.rs" 38 23 38 24] (2 : usize))); _27 <- any usize; switch (_26) | False -> goto BB22 
@@ -649,35 +655,35 @@ module IndexRange_TestRange end } BB15 { - [#"../index_range.rs" 38 30 38 31] _31 <- ([#"../index_range.rs" 38 30 38 31] (0 : usize)); + [#"../index_range.rs" 38 30 38 31] _31 <- ([#"../index_range.rs" 38 30 38 31] [#"../index_range.rs" 38 30 38 31] (0 : usize)); [#"../index_range.rs" 38 28 38 32] _32 <- ([#"../index_range.rs" 38 28 38 32] Slice.length s1); [#"../index_range.rs" 38 28 38 32] _33 <- ([#"../index_range.rs" 38 28 38 32] _31 < _32); assert { [@expl:index in bounds] [#"../index_range.rs" 38 28 38 32] _33 }; goto BB16 } BB16 { - [#"../index_range.rs" 38 28 38 37] _29 <- ([#"../index_range.rs" 38 28 38 37] Slice.get s1 _31 = (3 : int32)); + [#"../index_range.rs" 38 28 38 37] _29 <- ([#"../index_range.rs" 38 28 38 37] Slice.get s1 _31 = ([#"../index_range.rs" 38 36 38 37] (3 : int32))); switch (_29) | False -> goto BB21 | True -> goto BB17 end } BB17 { - [#"../index_range.rs" 38 43 38 44] _36 <- ([#"../index_range.rs" 38 43 38 44] (1 : usize)); + [#"../index_range.rs" 38 43 38 44] _36 <- ([#"../index_range.rs" 38 43 38 44] [#"../index_range.rs" 38 43 38 44] (1 : usize)); [#"../index_range.rs" 38 41 38 45] _37 <- ([#"../index_range.rs" 38 41 38 45] Slice.length s1); [#"../index_range.rs" 38 41 38 45] _38 <- ([#"../index_range.rs" 38 41 38 45] _36 < _37); assert { [@expl:index in bounds] [#"../index_range.rs" 38 41 38 45] _38 }; goto BB18 } BB18 { - [#"../index_range.rs" 38 41 38 50] _34 <- ([#"../index_range.rs" 38 41 38 50] Slice.get s1 _36 = (4 : int32)); + [#"../index_range.rs" 38 41 38 50] _34 <- ([#"../index_range.rs" 38 41 38 50] Slice.get s1 _36 = ([#"../index_range.rs" 38 49 38 50] (4 : int32))); switch (_34) | False -> goto BB20 | True -> goto BB19 end } BB19 { - [#"../index_range.rs" 43 16 43 20] _46 <- ([#"../index_range.rs" 43 16 43 20] Core_Ops_Range_Range_Type.C_Range (2 : usize) (2 : usize)); + [#"../index_range.rs" 43 16 43 20] _46 <- ([#"../index_range.rs" 43 16 43 20] Core_Ops_Range_Range_Type.C_Range 
([#"../index_range.rs" 43 16 43 17] (2 : usize)) ([#"../index_range.rs" 43 19 43 20] (2 : usize))); [#"../index_range.rs" 43 15 43 21] _44 <- ([#"../index_range.rs" 43 15 43 21] index0 arr _46); _46 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB24 @@ -703,7 +709,7 @@ module IndexRange_TestRange goto BB25 } BB25 { - [#"../index_range.rs" 43 12 43 32] _41 <- ([#"../index_range.rs" 43 12 43 32] _42 = (0 : usize)); + [#"../index_range.rs" 43 12 43 32] _41 <- ([#"../index_range.rs" 43 12 43 32] _42 = ([#"../index_range.rs" 43 31 43 32] (0 : usize))); _42 <- any usize; switch (_41) | False -> goto BB27 @@ -711,7 +717,7 @@ module IndexRange_TestRange end } BB26 { - [#"../index_range.rs" 45 16 45 20] _54 <- ([#"../index_range.rs" 45 16 45 20] Core_Ops_Range_Range_Type.C_Range (5 : usize) (5 : usize)); + [#"../index_range.rs" 45 16 45 20] _54 <- ([#"../index_range.rs" 45 16 45 20] Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 45 16 45 17] (5 : usize)) ([#"../index_range.rs" 45 19 45 20] (5 : usize))); [#"../index_range.rs" 45 15 45 21] _52 <- ([#"../index_range.rs" 45 15 45 21] index0 arr _54); _54 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB28 @@ -726,7 +732,7 @@ module IndexRange_TestRange goto BB29 } BB29 { - [#"../index_range.rs" 45 12 45 32] _49 <- ([#"../index_range.rs" 45 12 45 32] _50 = (0 : usize)); + [#"../index_range.rs" 45 12 45 32] _49 <- ([#"../index_range.rs" 45 12 45 32] _50 = ([#"../index_range.rs" 45 31 45 32] (0 : usize))); _50 <- any usize; switch (_49) | False -> goto BB31 
@@ -743,7 +749,7 @@ module IndexRange_TestRange absurd } BB32 { - [#"../index_range.rs" 50 20 50 24] _63 <- ([#"../index_range.rs" 50 20 50 24] Core_Ops_Range_Range_Type.C_Range (2 : usize) (6 : usize)); + [#"../index_range.rs" 50 20 50 24] _63 <- ([#"../index_range.rs" 50 20 50 24] Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 50 20 50 21] (2 : usize)) ([#"../index_range.rs" 50 23 50 24] (6 : usize))); [#"../index_range.rs" 50 12 50 25] _59 <- ([#"../index_range.rs" 50 12 50 25] get0 _61 _63); _63 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB33 @@ -768,7 +774,7 @@ module IndexRange_TestRange absurd } BB37 { - [#"../index_range.rs" 52 20 52 24] _72 <- ([#"../index_range.rs" 52 20 52 24] Core_Ops_Range_Range_Type.C_Range (2 : usize) (1 : usize)); + [#"../index_range.rs" 52 20 52 24] _72 <- ([#"../index_range.rs" 52 20 52 24] Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 52 20 52 21] (2 : usize)) ([#"../index_range.rs" 52 23 52 24] (1 : usize))); [#"../index_range.rs" 52 12 52 25] _68 <- ([#"../index_range.rs" 52 12 52 25] get0 _70 _72); _72 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB38 @@ -793,7 +799,7 @@ module IndexRange_TestRange absurd } BB42 { - [#"../index_range.rs" 54 20 54 24] _81 <- ([#"../index_range.rs" 54 20 54 24] Core_Ops_Range_Range_Type.C_Range (6 : usize) (6 : usize)); + [#"../index_range.rs" 54 20 54 24] _81 <- ([#"../index_range.rs" 54 20 54 24] Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 54 20 54 21] (6 : usize)) ([#"../index_range.rs" 54 23 54 24] (6 : usize))); [#"../index_range.rs" 54 12 54 25] _77 <- ([#"../index_range.rs" 54 12 54 25] get0 _79 _81); _81 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB43 
@@ -818,7 +824,7 @@ module IndexRange_TestRange absurd } BB47 { - [#"../index_range.rs" 56 20 56 26] _90 <- ([#"../index_range.rs" 56 20 56 26] Core_Ops_Range_Range_Type.C_Range (10 : usize) (10 : usize)); + [#"../index_range.rs" 56 20 56 26] _90 <- ([#"../index_range.rs" 56 20 56 26] Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 56 20 56 22] (10 : usize)) ([#"../index_range.rs" 56 24 56 26] (10 : usize))); [#"../index_range.rs" 56 12 56 27] _86 <- ([#"../index_range.rs" 56 12 56 27] get0 _88 _90); _90 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB48 @@ -836,7 +842,7 @@ module IndexRange_TestRange BB50 { [#"../index_range.rs" 59 17 59 20] _94 <- Borrow.borrow_mut arr; [#"../index_range.rs" 59 17 59 20] arr <- ^ _94; - [#"../index_range.rs" 59 21 59 25] _95 <- ([#"../index_range.rs" 59 21 59 25] Core_Ops_Range_Range_Type.C_Range (1 : usize) (4 : usize)); + [#"../index_range.rs" 59 21 59 25] _95 <- ([#"../index_range.rs" 59 21 59 25] Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 59 21 59 22] (1 : usize)) ([#"../index_range.rs" 59 24 59 25] (4 : usize))); [#"../index_range.rs" 59 20 59 26] _93 <- ([#"../index_range.rs" 59 20 59 26] index_mut0 _94 _95); _94 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); _95 <- any Core_Ops_Range_Range_Type.t_range usize; @@ -854,7 +860,7 @@ module IndexRange_TestRange goto BB53 } BB53 { - [#"../index_range.rs" 60 12 60 24] _97 <- ([#"../index_range.rs" 60 12 60 24] _98 = (3 : usize)); + [#"../index_range.rs" 60 12 60 24] _97 <- ([#"../index_range.rs" 60 12 60 24] _98 = ([#"../index_range.rs" 60 23 60 24] (3 : usize))); _98 <- any usize; switch (_97) | False -> goto BB55 
@@ -862,7 +868,7 @@ module IndexRange_TestRange end } BB54 { - [#"../index_range.rs" 61 6 61 7] _101 <- ([#"../index_range.rs" 61 6 61 7] (0 : usize)); + [#"../index_range.rs" 61 6 61 7] _101 <- ([#"../index_range.rs" 61 6 61 7] [#"../index_range.rs" 61 6 61 7] (0 : usize)); [#"../index_range.rs" 61 4 61 8] _102 <- ([#"../index_range.rs" 61 4 61 8] Slice.length ( * s2)); [#"../index_range.rs" 61 4 61 8] _103 <- ([#"../index_range.rs" 61 4 61 8] _101 < _102); assert { [@expl:index in bounds] [#"../index_range.rs" 61 4 61 8] _103 }; 
@@ -876,16 +882,16 @@ module IndexRange_TestRange absurd } BB56 { - [#"../index_range.rs" 61 4 61 13] s2 <- { s2 with current = Slice.set ( * s2) _101 ([#"../index_range.rs" 61 4 61 13] (-1 : int32)) ; }; - [#"../index_range.rs" 62 6 62 7] _104 <- ([#"../index_range.rs" 62 6 62 7] (1 : usize)); + [#"../index_range.rs" 61 4 61 13] s2 <- { s2 with current = Slice.set ( * s2) _101 ([#"../index_range.rs" 61 4 61 13] [#"../index_range.rs" 61 11 61 13] (-1 : int32)) ; }; + [#"../index_range.rs" 62 6 62 7] _104 <- ([#"../index_range.rs" 62 6 62 7] [#"../index_range.rs" 62 6 62 7] (1 : usize)); [#"../index_range.rs" 62 4 62 8] _105 <- ([#"../index_range.rs" 62 4 62 8] Slice.length ( * s2)); [#"../index_range.rs" 62 4 62 8] _106 <- ([#"../index_range.rs" 62 4 62 8] _104 < _105); assert { [@expl:index in bounds] [#"../index_range.rs" 62 4 62 8] _106 }; goto BB57 } BB57 { - [#"../index_range.rs" 62 4 62 13] s2 <- { s2 with current = Slice.set ( * s2) _104 ([#"../index_range.rs" 62 4 62 13] (-1 : int32)) ; }; - [#"../index_range.rs" 67 14 67 15] _110 <- ([#"../index_range.rs" 67 14 67 15] (2 : usize)); + [#"../index_range.rs" 62 4 62 13] s2 <- { s2 with current = Slice.set ( * s2) _104 ([#"../index_range.rs" 62 4 62 13] [#"../index_range.rs" 62 11 62 13] (-1 : int32)) ; }; + [#"../index_range.rs" 67 14 67 15] _110 <- ([#"../index_range.rs" 67 14 67 15] [#"../index_range.rs" 67 14 67 15] (2 : usize)); [#"../index_range.rs" 67 12 67 16] _111 <- ([#"../index_range.rs" 67 12 67 16] Slice.length ( * s2)); [#"../index_range.rs" 67 12 67 16] _112 <- ([#"../index_range.rs" 67 12 67 16] _110 < _111); assert { [@expl:index in bounds] [#"../index_range.rs" 67 12 67 16] _112 }; 
@@ -893,7 +899,7 @@ module IndexRange_TestRange } BB58 { assume { resolve1 s2 }; - [#"../index_range.rs" 67 12 67 21] _108 <- ([#"../index_range.rs" 67 12 67 21] Slice.get ( * s2) _110 = (3 : int32)); + [#"../index_range.rs" 67 12 67 21] _108 <- ([#"../index_range.rs" 67 12 67 21] Slice.get ( * s2) _110 = ([#"../index_range.rs" 67 20 67 21] (3 : int32))); assume { resolve1 _93 }; switch (_108) | False -> goto BB60 @@ -910,7 +916,7 @@ module IndexRange_TestRange absurd } BB61 { - [#"../index_range.rs" 69 12 69 26] _115 <- ([#"../index_range.rs" 69 12 69 26] _116 = (5 : usize)); + [#"../index_range.rs" 69 12 69 26] _115 <- ([#"../index_range.rs" 69 12 69 26] _116 = ([#"../index_range.rs" 69 25 69 26] (5 : usize))); _116 <- any usize; switch (_115) | False -> goto BB63 @@ -918,7 +924,7 @@ module IndexRange_TestRange end } BB62 { - [#"../index_range.rs" 70 15 70 18] _122 <- ([#"../index_range.rs" 70 15 70 18] index1 arr (0 : usize)); + [#"../index_range.rs" 70 15 70 18] _122 <- ([#"../index_range.rs" 70 15 70 18] index1 arr ([#"../index_range.rs" 70 16 70 17] (0 : usize))); goto BB64 } BB63 { @@ -927,14 +933,14 @@ module IndexRange_TestRange absurd } BB64 { - [#"../index_range.rs" 70 12 70 23] _120 <- ([#"../index_range.rs" 70 12 70 23] _122 = (0 : int32)); + [#"../index_range.rs" 70 12 70 23] _120 <- ([#"../index_range.rs" 70 12 70 23] _122 = ([#"../index_range.rs" 70 22 70 23] (0 : int32))); switch (_120) | False -> goto BB66 | True -> goto BB65 end } BB65 { - [#"../index_range.rs" 71 15 71 18] _128 <- ([#"../index_range.rs" 71 15 71 18] index1 arr (1 : usize)); + [#"../index_range.rs" 71 15 71 18] _128 <- ([#"../index_range.rs" 71 15 71 18] index1 arr ([#"../index_range.rs" 71 16 71 17] (1 : usize))); goto BB67 } BB66 { 
@@ -943,14 +949,14 @@ module IndexRange_TestRange absurd } BB67 { - [#"../index_range.rs" 71 12 71 24] _126 <- ([#"../index_range.rs" 71 12 71 24] _128 = (-1 : int32)); + [#"../index_range.rs" 71 12 71 24] _126 <- ([#"../index_range.rs" 71 12 71 24] _128 = ([#"../index_range.rs" 71 22 71 24] (-1 : int32))); switch (_126) | False -> goto BB69 | True -> goto BB68 end } BB68 { - [#"../index_range.rs" 72 15 72 18] _134 <- ([#"../index_range.rs" 72 15 72 18] index1 arr (2 : usize)); + [#"../index_range.rs" 72 15 72 18] _134 <- ([#"../index_range.rs" 72 15 72 18] index1 arr ([#"../index_range.rs" 72 16 72 17] (2 : usize))); goto BB70 } BB69 { @@ -959,14 +965,14 @@ module IndexRange_TestRange absurd } BB70 { - [#"../index_range.rs" 72 12 72 24] _132 <- ([#"../index_range.rs" 72 12 72 24] _134 = (-1 : int32)); + [#"../index_range.rs" 72 12 72 24] _132 <- ([#"../index_range.rs" 72 12 72 24] _134 = ([#"../index_range.rs" 72 22 72 24] (-1 : int32))); switch (_132) | False -> goto BB72 | True -> goto BB71 end } BB71 { - [#"../index_range.rs" 73 15 73 18] _140 <- ([#"../index_range.rs" 73 15 73 18] index1 arr (3 : usize)); + [#"../index_range.rs" 73 15 73 18] _140 <- ([#"../index_range.rs" 73 15 73 18] index1 arr ([#"../index_range.rs" 73 16 73 17] (3 : usize))); goto BB73 } BB72 { @@ -975,14 +981,14 @@ module IndexRange_TestRange absurd } BB73 { - [#"../index_range.rs" 73 12 73 23] _138 <- ([#"../index_range.rs" 73 12 73 23] _140 = (3 : int32)); + [#"../index_range.rs" 73 12 73 23] _138 <- ([#"../index_range.rs" 73 12 73 23] _140 = ([#"../index_range.rs" 73 22 73 23] (3 : int32))); switch (_138) | False -> goto BB75 | True -> goto BB74 end } BB74 { - [#"../index_range.rs" 74 15 74 18] _146 <- ([#"../index_range.rs" 74 15 74 18] index1 arr (4 : usize)); + [#"../index_range.rs" 74 15 74 18] _146 <- ([#"../index_range.rs" 74 15 74 18] index1 arr ([#"../index_range.rs" 74 16 74 17] (4 : usize))); goto BB76 } BB75 { 
@@ -992,14 +998,14 @@ module IndexRange_TestRange } BB76 { assume { resolve0 arr }; - [#"../index_range.rs" 74 12 74 23] _144 <- ([#"../index_range.rs" 74 12 74 23] _146 = (4 : int32)); + [#"../index_range.rs" 74 12 74 23] _144 <- ([#"../index_range.rs" 74 12 74 23] _146 = ([#"../index_range.rs" 74 22 74 23] (4 : int32))); switch (_144) | False -> goto BB78 | True -> goto BB77 end } BB77 { - [#"../index_range.rs" 27 20 75 1] _0 <- ([#"../index_range.rs" 27 20 75 1] ()); + [#"../index_range.rs" 27 20 75 1] _0 <- ([#"../index_range.rs" 27 20 75 1] [#"../index_range.rs" 27 20 75 1] ()); goto BB79 } BB78 { @@ -1061,7 +1067,8 @@ module IndexRange_TestRangeTo requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant9 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv10 (shallow_model0 self) val invariant9 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1196,7 +1203,8 @@ module IndexRange_TestRangeTo predicate resolve_elswhere0 (self : Core_Ops_Range_RangeTo_Type.t_rangeto usize) (old' : Seq.seq int32) (fin : Seq.seq int32) = - [#"../../../../creusot-contracts/src/std/slice.rs" 172 8 172 90] forall i : int . UIntSize.to_int (Core_Ops_Range_RangeTo_Type.rangeto_end self) <= i /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 172 8 172 90] forall i : int . UIntSize.to_int (Core_Ops_Range_RangeTo_Type.rangeto_end self) <= i /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 (self : Core_Ops_Range_RangeTo_Type.t_rangeto usize) (old' : Seq.seq int32) (fin : Seq.seq int32) : bool ensures { result = resolve_elswhere0 self old' fin } 
@@ -1206,7 +1214,8 @@ module IndexRange_TestRangeTo requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : slice int32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv10 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : slice int32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv10 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) use seq_ext.SeqExt predicate has_value0 (self : Core_Ops_Range_RangeTo_Type.t_rangeto usize) (seq : Seq.seq int32) (out : slice int32) = [#"../../../../creusot-contracts/src/std/slice.rs" 166 20 166 57] SeqExt.subsequence seq 0 (UIntSize.to_int (Core_Ops_Range_RangeTo_Type.rangeto_end self)) = shallow_model6 out 
@@ -1247,7 +1256,8 @@ module IndexRange_TestRangeTo val get0 (self : slice int32) (index : Core_Ops_Range_RangeTo_Type.t_rangeto usize) : Core_Option_Option_Type.t_option (slice int32) requires {inv2 self} requires {inv1 index} - ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 252 8 252 102] in_bounds0 index (shallow_model3 self) -> (exists r : slice int32 . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ has_value0 index (shallow_model3 self) r) } + ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 252 8 252 102] in_bounds0 index (shallow_model3 self) + -> (exists r : slice int32 . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ has_value0 index (shallow_model3 self) r) } ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 253 18 253 55] in_bounds0 index (shallow_model3 self) \/ result = Core_Option_Option_Type.C_None } ensures { inv3 result } @@ -1269,7 +1279,8 @@ module IndexRange_TestRangeTo ensures { result = index_logic0 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve2 (index_logic0 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve2 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } 
@@ -1345,11 +1356,11 @@ module IndexRange_TestRangeTo goto BB0 } BB0 { - [#"../index_range.rs" 80 18 80 30] arr <- ([#"../index_range.rs" 80 18 80 30] create_arr0 ()); + [#"../index_range.rs" 80 18 80 30] arr <- ([#"../index_range.rs" 80 18 80 30] create_arr0 ([#"../index_range.rs" 80 18 80 30] ())); goto BB1 } BB1 { - [#"../index_range.rs" 85 17 85 20] _5 <- ([#"../index_range.rs" 85 17 85 20] Core_Ops_Range_RangeTo_Type.C_RangeTo (2 : usize)); + [#"../index_range.rs" 85 17 85 20] _5 <- ([#"../index_range.rs" 85 17 85 20] Core_Ops_Range_RangeTo_Type.C_RangeTo ([#"../index_range.rs" 85 19 85 20] (2 : usize))); [#"../index_range.rs" 85 16 85 21] _3 <- ([#"../index_range.rs" 85 16 85 21] index0 arr _5); _5 <- any Core_Ops_Range_RangeTo_Type.t_rangeto usize; goto BB2 @@ -1360,7 +1371,7 @@ module IndexRange_TestRangeTo goto BB3 } BB3 { - [#"../index_range.rs" 86 12 86 24] _7 <- ([#"../index_range.rs" 86 12 86 24] _8 = (2 : usize)); + [#"../index_range.rs" 86 12 86 24] _7 <- ([#"../index_range.rs" 86 12 86 24] _8 = ([#"../index_range.rs" 86 23 86 24] (2 : usize))); _8 <- any usize; switch (_7) | False -> goto BB11 
@@ -1368,35 +1379,35 @@ module IndexRange_TestRangeTo end } BB4 { - [#"../index_range.rs" 86 30 86 31] _12 <- ([#"../index_range.rs" 86 30 86 31] (0 : usize)); + [#"../index_range.rs" 86 30 86 31] _12 <- ([#"../index_range.rs" 86 30 86 31] [#"../index_range.rs" 86 30 86 31] (0 : usize)); [#"../index_range.rs" 86 28 86 32] _13 <- ([#"../index_range.rs" 86 28 86 32] Slice.length s); [#"../index_range.rs" 86 28 86 32] _14 <- ([#"../index_range.rs" 86 28 86 32] _12 < _13); assert { [@expl:index in bounds] [#"../index_range.rs" 86 28 86 32] _14 }; goto BB5 } BB5 { - [#"../index_range.rs" 86 28 86 37] _10 <- ([#"../index_range.rs" 86 28 86 37] Slice.get s _12 = (0 : int32)); + [#"../index_range.rs" 86 28 86 37] _10 <- ([#"../index_range.rs" 86 28 86 37] Slice.get s _12 = ([#"../index_range.rs" 86 36 86 37] (0 : int32))); switch (_10) | False -> goto BB10 | True -> goto BB6 end } BB6 { - [#"../index_range.rs" 86 43 86 44] _17 <- ([#"../index_range.rs" 86 43 86 44] (1 : usize)); + [#"../index_range.rs" 86 43 86 44] _17 <- ([#"../index_range.rs" 86 43 86 44] [#"../index_range.rs" 86 43 86 44] (1 : usize)); [#"../index_range.rs" 86 41 86 45] _18 <- ([#"../index_range.rs" 86 41 86 45] Slice.length s); [#"../index_range.rs" 86 41 86 45] _19 <- ([#"../index_range.rs" 86 41 86 45] _17 < _18); assert { [@expl:index in bounds] [#"../index_range.rs" 86 41 86 45] _19 }; goto BB7 } BB7 { - [#"../index_range.rs" 86 41 86 50] _15 <- ([#"../index_range.rs" 86 41 86 50] Slice.get s _17 = (1 : int32)); + [#"../index_range.rs" 86 41 86 50] _15 <- ([#"../index_range.rs" 86 41 86 50] Slice.get s _17 = ([#"../index_range.rs" 86 49 86 50] (1 : int32))); switch (_15) | False -> goto BB9 | True -> goto BB8 end } BB8 { - [#"../index_range.rs" 91 16 91 19] _27 <- ([#"../index_range.rs" 91 16 91 19] Core_Ops_Range_RangeTo_Type.C_RangeTo (0 : usize)); + [#"../index_range.rs" 91 16 91 19] _27 <- ([#"../index_range.rs" 91 16 91 19] Core_Ops_Range_RangeTo_Type.C_RangeTo ([#"../index_range.rs" 91 18 91 
19] (0 : usize))); [#"../index_range.rs" 91 15 91 20] _25 <- ([#"../index_range.rs" 91 15 91 20] index0 arr _27); _27 <- any Core_Ops_Range_RangeTo_Type.t_rangeto usize; goto BB13 @@ -1422,7 +1433,7 @@ module IndexRange_TestRangeTo goto BB14 } BB14 { - [#"../index_range.rs" 91 12 91 31] _22 <- ([#"../index_range.rs" 91 12 91 31] _23 = (0 : usize)); + [#"../index_range.rs" 91 12 91 31] _22 <- ([#"../index_range.rs" 91 12 91 31] _23 = ([#"../index_range.rs" 91 30 91 31] (0 : usize))); _23 <- any usize; switch (_22) | False -> goto BB16 @@ -1439,7 +1450,7 @@ module IndexRange_TestRangeTo absurd } BB17 { - [#"../index_range.rs" 96 20 96 23] _36 <- ([#"../index_range.rs" 96 20 96 23] Core_Ops_Range_RangeTo_Type.C_RangeTo (6 : usize)); + [#"../index_range.rs" 96 20 96 23] _36 <- ([#"../index_range.rs" 96 20 96 23] Core_Ops_Range_RangeTo_Type.C_RangeTo ([#"../index_range.rs" 96 22 96 23] (6 : usize))); [#"../index_range.rs" 96 12 96 24] _32 <- ([#"../index_range.rs" 96 12 96 24] get0 _34 _36); _36 <- any Core_Ops_Range_RangeTo_Type.t_rangeto usize; goto BB18 @@ -1457,7 +1468,7 @@ module IndexRange_TestRangeTo BB20 { [#"../index_range.rs" 99 17 99 20] _40 <- Borrow.borrow_mut arr; [#"../index_range.rs" 99 17 99 20] arr <- ^ _40; - [#"../index_range.rs" 99 21 99 24] _41 <- ([#"../index_range.rs" 99 21 99 24] Core_Ops_Range_RangeTo_Type.C_RangeTo (3 : usize)); + [#"../index_range.rs" 99 21 99 24] _41 <- ([#"../index_range.rs" 99 21 99 24] Core_Ops_Range_RangeTo_Type.C_RangeTo ([#"../index_range.rs" 99 23 99 24] (3 : usize))); [#"../index_range.rs" 99 20 99 25] _39 <- ([#"../index_range.rs" 99 20 99 25] index_mut0 _40 _41); _40 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); _41 <- any Core_Ops_Range_RangeTo_Type.t_rangeto usize; 
@@ -1475,7 +1486,7 @@ module IndexRange_TestRangeTo goto BB23 } BB23 { - [#"../index_range.rs" 100 12 100 24] _43 <- ([#"../index_range.rs" 100 12 100 24] _44 = (3 : usize)); + [#"../index_range.rs" 100 12 100 24] _43 <- ([#"../index_range.rs" 100 12 100 24] _44 = ([#"../index_range.rs" 100 23 100 24] (3 : usize))); _44 <- any usize; switch (_43) | False -> goto BB25 @@ -1483,7 +1494,7 @@ module IndexRange_TestRangeTo end } BB24 { - [#"../index_range.rs" 101 6 101 7] _47 <- ([#"../index_range.rs" 101 6 101 7] (0 : usize)); + [#"../index_range.rs" 101 6 101 7] _47 <- ([#"../index_range.rs" 101 6 101 7] [#"../index_range.rs" 101 6 101 7] (0 : usize)); [#"../index_range.rs" 101 4 101 8] _48 <- ([#"../index_range.rs" 101 4 101 8] Slice.length ( * s1)); [#"../index_range.rs" 101 4 101 8] _49 <- ([#"../index_range.rs" 101 4 101 8] _47 < _48); assert { [@expl:index in bounds] [#"../index_range.rs" 101 4 101 8] _49 }; 
@@ -1497,16 +1508,16 @@ module IndexRange_TestRangeTo absurd } BB26 { - [#"../index_range.rs" 101 4 101 13] s1 <- { s1 with current = Slice.set ( * s1) _47 ([#"../index_range.rs" 101 4 101 13] (-1 : int32)) ; }; - [#"../index_range.rs" 102 6 102 7] _50 <- ([#"../index_range.rs" 102 6 102 7] (2 : usize)); + [#"../index_range.rs" 101 4 101 13] s1 <- { s1 with current = Slice.set ( * s1) _47 ([#"../index_range.rs" 101 4 101 13] [#"../index_range.rs" 101 11 101 13] (-1 : int32)) ; }; + [#"../index_range.rs" 102 6 102 7] _50 <- ([#"../index_range.rs" 102 6 102 7] [#"../index_range.rs" 102 6 102 7] (2 : usize)); [#"../index_range.rs" 102 4 102 8] _51 <- ([#"../index_range.rs" 102 4 102 8] Slice.length ( * s1)); [#"../index_range.rs" 102 4 102 8] _52 <- ([#"../index_range.rs" 102 4 102 8] _50 < _51); assert { [@expl:index in bounds] [#"../index_range.rs" 102 4 102 8] _52 }; goto BB27 } BB27 { - [#"../index_range.rs" 102 4 102 13] s1 <- { s1 with current = Slice.set ( * s1) _50 ([#"../index_range.rs" 102 4 102 13] (-1 : int32)) ; }; - [#"../index_range.rs" 104 14 104 15] _56 <- ([#"../index_range.rs" 104 14 104 15] (1 : usize)); + [#"../index_range.rs" 102 4 102 13] s1 <- { s1 with current = Slice.set ( * s1) _50 ([#"../index_range.rs" 102 4 102 13] [#"../index_range.rs" 102 11 102 13] (-1 : int32)) ; }; + [#"../index_range.rs" 104 14 104 15] _56 <- ([#"../index_range.rs" 104 14 104 15] [#"../index_range.rs" 104 14 104 15] (1 : usize)); [#"../index_range.rs" 104 12 104 16] _57 <- ([#"../index_range.rs" 104 12 104 16] Slice.length ( * s1)); [#"../index_range.rs" 104 12 104 16] _58 <- ([#"../index_range.rs" 104 12 104 16] _56 < _57); assert { [@expl:index in bounds] [#"../index_range.rs" 104 12 104 16] _58 }; 
@@ -1514,7 +1525,7 @@ module IndexRange_TestRangeTo } BB28 { assume { resolve1 s1 }; - [#"../index_range.rs" 104 12 104 21] _54 <- ([#"../index_range.rs" 104 12 104 21] Slice.get ( * s1) _56 = (1 : int32)); + [#"../index_range.rs" 104 12 104 21] _54 <- ([#"../index_range.rs" 104 12 104 21] Slice.get ( * s1) _56 = ([#"../index_range.rs" 104 20 104 21] (1 : int32))); assume { resolve1 _39 }; switch (_54) | False -> goto BB30 @@ -1531,7 +1542,7 @@ module IndexRange_TestRangeTo absurd } BB31 { - [#"../index_range.rs" 106 12 106 26] _61 <- ([#"../index_range.rs" 106 12 106 26] _62 = (5 : usize)); + [#"../index_range.rs" 106 12 106 26] _61 <- ([#"../index_range.rs" 106 12 106 26] _62 = ([#"../index_range.rs" 106 25 106 26] (5 : usize))); _62 <- any usize; switch (_61) | False -> goto BB33 @@ -1539,7 +1550,7 @@ module IndexRange_TestRangeTo end } BB32 { - [#"../index_range.rs" 107 15 107 18] _68 <- ([#"../index_range.rs" 107 15 107 18] index1 arr (0 : usize)); + [#"../index_range.rs" 107 15 107 18] _68 <- ([#"../index_range.rs" 107 15 107 18] index1 arr ([#"../index_range.rs" 107 16 107 17] (0 : usize))); goto BB34 } BB33 { @@ -1548,14 +1559,14 @@ module IndexRange_TestRangeTo absurd } BB34 { - [#"../index_range.rs" 107 12 107 24] _66 <- ([#"../index_range.rs" 107 12 107 24] _68 = (-1 : int32)); + [#"../index_range.rs" 107 12 107 24] _66 <- ([#"../index_range.rs" 107 12 107 24] _68 = ([#"../index_range.rs" 107 22 107 24] (-1 : int32))); switch (_66) | False -> goto BB36 | True -> goto BB35 end } BB35 { - [#"../index_range.rs" 108 15 108 18] _74 <- ([#"../index_range.rs" 108 15 108 18] index1 arr (1 : usize)); + [#"../index_range.rs" 108 15 108 18] _74 <- ([#"../index_range.rs" 108 15 108 18] index1 arr ([#"../index_range.rs" 108 16 108 17] (1 : usize))); goto BB37 } BB36 { 
@@ -1564,14 +1575,14 @@ module IndexRange_TestRangeTo absurd } BB37 { - [#"../index_range.rs" 108 12 108 23] _72 <- ([#"../index_range.rs" 108 12 108 23] _74 = (1 : int32)); + [#"../index_range.rs" 108 12 108 23] _72 <- ([#"../index_range.rs" 108 12 108 23] _74 = ([#"../index_range.rs" 108 22 108 23] (1 : int32))); switch (_72) | False -> goto BB39 | True -> goto BB38 end } BB38 { - [#"../index_range.rs" 109 15 109 18] _80 <- ([#"../index_range.rs" 109 15 109 18] index1 arr (2 : usize)); + [#"../index_range.rs" 109 15 109 18] _80 <- ([#"../index_range.rs" 109 15 109 18] index1 arr ([#"../index_range.rs" 109 16 109 17] (2 : usize))); goto BB40 } BB39 { @@ -1580,14 +1591,14 @@ module IndexRange_TestRangeTo absurd } BB40 { - [#"../index_range.rs" 109 12 109 24] _78 <- ([#"../index_range.rs" 109 12 109 24] _80 = (-1 : int32)); + [#"../index_range.rs" 109 12 109 24] _78 <- ([#"../index_range.rs" 109 12 109 24] _80 = ([#"../index_range.rs" 109 22 109 24] (-1 : int32))); switch (_78) | False -> goto BB42 | True -> goto BB41 end } BB41 { - [#"../index_range.rs" 110 15 110 18] _86 <- ([#"../index_range.rs" 110 15 110 18] index1 arr (3 : usize)); + [#"../index_range.rs" 110 15 110 18] _86 <- ([#"../index_range.rs" 110 15 110 18] index1 arr ([#"../index_range.rs" 110 16 110 17] (3 : usize))); goto BB43 } BB42 { @@ -1596,14 +1607,14 @@ module IndexRange_TestRangeTo absurd } BB43 { - [#"../index_range.rs" 110 12 110 23] _84 <- ([#"../index_range.rs" 110 12 110 23] _86 = (3 : int32)); + [#"../index_range.rs" 110 12 110 23] _84 <- ([#"../index_range.rs" 110 12 110 23] _86 = ([#"../index_range.rs" 110 22 110 23] (3 : int32))); switch (_84) | False -> goto BB45 | True -> goto BB44 end } BB44 { - [#"../index_range.rs" 111 15 111 18] _92 <- ([#"../index_range.rs" 111 15 111 18] index1 arr (4 : usize)); + [#"../index_range.rs" 111 15 111 18] _92 <- ([#"../index_range.rs" 111 15 111 18] index1 arr ([#"../index_range.rs" 111 16 111 17] (4 : usize))); goto BB46 } BB45 { 
@@ -1613,14 +1624,14 @@ module IndexRange_TestRangeTo } BB46 { assume { resolve0 arr }; - [#"../index_range.rs" 111 12 111 23] _90 <- ([#"../index_range.rs" 111 12 111 23] _92 = (4 : int32)); + [#"../index_range.rs" 111 12 111 23] _90 <- ([#"../index_range.rs" 111 12 111 23] _92 = ([#"../index_range.rs" 111 22 111 23] (4 : int32))); switch (_90) | False -> goto BB48 | True -> goto BB47 end } BB47 { - [#"../index_range.rs" 78 23 112 1] _0 <- ([#"../index_range.rs" 78 23 112 1] ()); + [#"../index_range.rs" 78 23 112 1] _0 <- ([#"../index_range.rs" 78 23 112 1] [#"../index_range.rs" 78 23 112 1] ()); goto BB49 } BB48 { @@ -1682,7 +1693,8 @@ module IndexRange_TestRangeFrom requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant9 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv10 (shallow_model0 self) val invariant9 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1817,7 +1829,8 @@ module IndexRange_TestRangeFrom predicate resolve_elswhere0 (self : Core_Ops_Range_RangeFrom_Type.t_rangefrom usize) (old' : Seq.seq int32) (fin : Seq.seq int32) = - [#"../../../../creusot-contracts/src/std/slice.rs" 192 8 194 9] forall i : int . 0 <= i /\ i < UIntSize.to_int (Core_Ops_Range_RangeFrom_Type.rangefrom_start self) /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 192 8 194 9] forall i : int . 0 <= i /\ i < UIntSize.to_int (Core_Ops_Range_RangeFrom_Type.rangefrom_start self) /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 (self : Core_Ops_Range_RangeFrom_Type.t_rangefrom usize) (old' : Seq.seq int32) (fin : Seq.seq int32) : bool ensures { result = resolve_elswhere0 self old' fin } 
@@ -1827,7 +1840,8 @@ module IndexRange_TestRangeFrom requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : slice int32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv10 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : slice int32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv10 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) use seq_ext.SeqExt predicate has_value0 (self : Core_Ops_Range_RangeFrom_Type.t_rangefrom usize) (seq : Seq.seq int32) (out : slice int32) 
@@ -1870,7 +1884,8 @@ module IndexRange_TestRangeFrom val get0 (self : slice int32) (index : Core_Ops_Range_RangeFrom_Type.t_rangefrom usize) : Core_Option_Option_Type.t_option (slice int32) requires {inv2 self} requires {inv1 index} - ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 252 8 252 102] in_bounds0 index (shallow_model3 self) -> (exists r : slice int32 . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ has_value0 index (shallow_model3 self) r) } + ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 252 8 252 102] in_bounds0 index (shallow_model3 self) + -> (exists r : slice int32 . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ has_value0 index (shallow_model3 self) r) } ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 253 18 253 55] in_bounds0 index (shallow_model3 self) \/ result = Core_Option_Option_Type.C_None } ensures { inv3 result } @@ -1892,7 +1907,8 @@ module IndexRange_TestRangeFrom ensures { result = index_logic0 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve2 (index_logic0 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve2 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } 
@@ -1973,11 +1989,11 @@ module IndexRange_TestRangeFrom goto BB0 } BB0 { - [#"../index_range.rs" 117 18 117 30] arr <- ([#"../index_range.rs" 117 18 117 30] create_arr0 ()); + [#"../index_range.rs" 117 18 117 30] arr <- ([#"../index_range.rs" 117 18 117 30] create_arr0 ([#"../index_range.rs" 117 18 117 30] ())); goto BB1 } BB1 { - [#"../index_range.rs" 122 17 122 20] _5 <- ([#"../index_range.rs" 122 17 122 20] Core_Ops_Range_RangeFrom_Type.C_RangeFrom (3 : usize)); + [#"../index_range.rs" 122 17 122 20] _5 <- ([#"../index_range.rs" 122 17 122 20] Core_Ops_Range_RangeFrom_Type.C_RangeFrom ([#"../index_range.rs" 122 17 122 18] (3 : usize))); [#"../index_range.rs" 122 16 122 21] _3 <- ([#"../index_range.rs" 122 16 122 21] index0 arr _5); _5 <- any Core_Ops_Range_RangeFrom_Type.t_rangefrom usize; goto BB2 @@ -1988,7 +2004,7 @@ module IndexRange_TestRangeFrom goto BB3 } BB3 { - [#"../index_range.rs" 123 12 123 24] _7 <- ([#"../index_range.rs" 123 12 123 24] _8 = (2 : usize)); + [#"../index_range.rs" 123 12 123 24] _7 <- ([#"../index_range.rs" 123 12 123 24] _8 = ([#"../index_range.rs" 123 23 123 24] (2 : usize))); _8 <- any usize; switch (_7) | False -> goto BB11 
@@ -1996,35 +2012,35 @@ module IndexRange_TestRangeFrom end } BB4 { - [#"../index_range.rs" 123 30 123 31] _12 <- ([#"../index_range.rs" 123 30 123 31] (0 : usize)); + [#"../index_range.rs" 123 30 123 31] _12 <- ([#"../index_range.rs" 123 30 123 31] [#"../index_range.rs" 123 30 123 31] (0 : usize)); [#"../index_range.rs" 123 28 123 32] _13 <- ([#"../index_range.rs" 123 28 123 32] Slice.length s); [#"../index_range.rs" 123 28 123 32] _14 <- ([#"../index_range.rs" 123 28 123 32] _12 < _13); assert { [@expl:index in bounds] [#"../index_range.rs" 123 28 123 32] _14 }; goto BB5 } BB5 { - [#"../index_range.rs" 123 28 123 37] _10 <- ([#"../index_range.rs" 123 28 123 37] Slice.get s _12 = (3 : int32)); + [#"../index_range.rs" 123 28 123 37] _10 <- ([#"../index_range.rs" 123 28 123 37] Slice.get s _12 = ([#"../index_range.rs" 123 36 123 37] (3 : int32))); switch (_10) | False -> goto BB10 | True -> goto BB6 end } BB6 { - [#"../index_range.rs" 123 43 123 44] _17 <- ([#"../index_range.rs" 123 43 123 44] (1 : usize)); + [#"../index_range.rs" 123 43 123 44] _17 <- ([#"../index_range.rs" 123 43 123 44] [#"../index_range.rs" 123 43 123 44] (1 : usize)); [#"../index_range.rs" 123 41 123 45] _18 <- ([#"../index_range.rs" 123 41 123 45] Slice.length s); [#"../index_range.rs" 123 41 123 45] _19 <- ([#"../index_range.rs" 123 41 123 45] _17 < _18); assert { [@expl:index in bounds] [#"../index_range.rs" 123 41 123 45] _19 }; goto BB7 } BB7 { - [#"../index_range.rs" 123 41 123 50] _15 <- ([#"../index_range.rs" 123 41 123 50] Slice.get s _17 = (4 : int32)); + [#"../index_range.rs" 123 41 123 50] _15 <- ([#"../index_range.rs" 123 41 123 50] Slice.get s _17 = ([#"../index_range.rs" 123 49 123 50] (4 : int32))); switch (_15) | False -> goto BB9 | True -> goto BB8 end } BB8 { - [#"../index_range.rs" 128 16 128 19] _27 <- ([#"../index_range.rs" 128 16 128 19] Core_Ops_Range_RangeFrom_Type.C_RangeFrom (5 : usize)); + [#"../index_range.rs" 128 16 128 19] _27 <- ([#"../index_range.rs" 128 16 128 
19] Core_Ops_Range_RangeFrom_Type.C_RangeFrom ([#"../index_range.rs" 128 16 128 17] (5 : usize))); [#"../index_range.rs" 128 15 128 20] _25 <- ([#"../index_range.rs" 128 15 128 20] index0 arr _27); _27 <- any Core_Ops_Range_RangeFrom_Type.t_rangefrom usize; goto BB13 @@ -2050,7 +2066,7 @@ module IndexRange_TestRangeFrom goto BB14 } BB14 { - [#"../index_range.rs" 128 12 128 31] _22 <- ([#"../index_range.rs" 128 12 128 31] _23 = (0 : usize)); + [#"../index_range.rs" 128 12 128 31] _22 <- ([#"../index_range.rs" 128 12 128 31] _23 = ([#"../index_range.rs" 128 30 128 31] (0 : usize))); _23 <- any usize; switch (_22) | False -> goto BB16 @@ -2067,7 +2083,7 @@ module IndexRange_TestRangeFrom absurd } BB17 { - [#"../index_range.rs" 133 20 133 23] _36 <- ([#"../index_range.rs" 133 20 133 23] Core_Ops_Range_RangeFrom_Type.C_RangeFrom (6 : usize)); + [#"../index_range.rs" 133 20 133 23] _36 <- ([#"../index_range.rs" 133 20 133 23] Core_Ops_Range_RangeFrom_Type.C_RangeFrom ([#"../index_range.rs" 133 20 133 21] (6 : usize))); [#"../index_range.rs" 133 12 133 24] _32 <- ([#"../index_range.rs" 133 12 133 24] get0 _34 _36); _36 <- any Core_Ops_Range_RangeFrom_Type.t_rangefrom usize; goto BB18 @@ -2092,7 +2108,7 @@ module IndexRange_TestRangeFrom absurd } BB22 { - [#"../index_range.rs" 135 20 135 24] _45 <- ([#"../index_range.rs" 135 20 135 24] Core_Ops_Range_RangeFrom_Type.C_RangeFrom (10 : usize)); + [#"../index_range.rs" 135 20 135 24] _45 <- ([#"../index_range.rs" 135 20 135 24] Core_Ops_Range_RangeFrom_Type.C_RangeFrom ([#"../index_range.rs" 135 20 135 22] (10 : usize))); [#"../index_range.rs" 135 12 135 25] _41 <- ([#"../index_range.rs" 135 12 135 25] get0 _43 _45); _45 <- any Core_Ops_Range_RangeFrom_Type.t_rangefrom usize; goto BB23 
@@ -2110,7 +2126,7 @@ module IndexRange_TestRangeFrom BB25 { [#"../index_range.rs" 138 17 138 20] _49 <- Borrow.borrow_mut arr; [#"../index_range.rs" 138 17 138 20] arr <- ^ _49; - [#"../index_range.rs" 138 21 138 24] _50 <- ([#"../index_range.rs" 138 21 138 24] Core_Ops_Range_RangeFrom_Type.C_RangeFrom (2 : usize)); + [#"../index_range.rs" 138 21 138 24] _50 <- ([#"../index_range.rs" 138 21 138 24] Core_Ops_Range_RangeFrom_Type.C_RangeFrom ([#"../index_range.rs" 138 21 138 22] (2 : usize))); [#"../index_range.rs" 138 20 138 25] _48 <- ([#"../index_range.rs" 138 20 138 25] index_mut0 _49 _50); _49 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); _50 <- any Core_Ops_Range_RangeFrom_Type.t_rangefrom usize; @@ -2128,7 +2144,7 @@ module IndexRange_TestRangeFrom goto BB28 } BB28 { - [#"../index_range.rs" 139 12 139 24] _52 <- ([#"../index_range.rs" 139 12 139 24] _53 = (3 : usize)); + [#"../index_range.rs" 139 12 139 24] _52 <- ([#"../index_range.rs" 139 12 139 24] _53 = ([#"../index_range.rs" 139 23 139 24] (3 : usize))); _53 <- any usize; switch (_52) | False -> goto BB30 @@ -2136,7 +2152,7 @@ module IndexRange_TestRangeFrom end } BB29 { - [#"../index_range.rs" 140 6 140 7] _56 <- ([#"../index_range.rs" 140 6 140 7] (0 : usize)); + [#"../index_range.rs" 140 6 140 7] _56 <- ([#"../index_range.rs" 140 6 140 7] [#"../index_range.rs" 140 6 140 7] (0 : usize)); [#"../index_range.rs" 140 4 140 8] _57 <- ([#"../index_range.rs" 140 4 140 8] Slice.length ( * s1)); [#"../index_range.rs" 140 4 140 8] _58 <- ([#"../index_range.rs" 140 4 140 8] _56 < _57); assert { [@expl:index in bounds] [#"../index_range.rs" 140 4 140 8] _58 }; 
@@ -2150,16 +2166,16 @@ module IndexRange_TestRangeFrom absurd } BB31 { - [#"../index_range.rs" 140 4 140 13] s1 <- { s1 with current = Slice.set ( * s1) _56 ([#"../index_range.rs" 140 4 140 13] (-1 : int32)) ; }; - [#"../index_range.rs" 141 6 141 7] _59 <- ([#"../index_range.rs" 141 6 141 7] (1 : usize)); + [#"../index_range.rs" 140 4 140 13] s1 <- { s1 with current = Slice.set ( * s1) _56 ([#"../index_range.rs" 140 4 140 13] [#"../index_range.rs" 140 11 140 13] (-1 : int32)) ; }; + [#"../index_range.rs" 141 6 141 7] _59 <- ([#"../index_range.rs" 141 6 141 7] [#"../index_range.rs" 141 6 141 7] (1 : usize)); [#"../index_range.rs" 141 4 141 8] _60 <- ([#"../index_range.rs" 141 4 141 8] Slice.length ( * s1)); [#"../index_range.rs" 141 4 141 8] _61 <- ([#"../index_range.rs" 141 4 141 8] _59 < _60); assert { [@expl:index in bounds] [#"../index_range.rs" 141 4 141 8] _61 }; goto BB32 } BB32 { - [#"../index_range.rs" 141 4 141 13] s1 <- { s1 with current = Slice.set ( * s1) _59 ([#"../index_range.rs" 141 4 141 13] (-1 : int32)) ; }; - [#"../index_range.rs" 143 14 143 15] _65 <- ([#"../index_range.rs" 143 14 143 15] (2 : usize)); + [#"../index_range.rs" 141 4 141 13] s1 <- { s1 with current = Slice.set ( * s1) _59 ([#"../index_range.rs" 141 4 141 13] [#"../index_range.rs" 141 11 141 13] (-1 : int32)) ; }; + [#"../index_range.rs" 143 14 143 15] _65 <- ([#"../index_range.rs" 143 14 143 15] [#"../index_range.rs" 143 14 143 15] (2 : usize)); [#"../index_range.rs" 143 12 143 16] _66 <- ([#"../index_range.rs" 143 12 143 16] Slice.length ( * s1)); [#"../index_range.rs" 143 12 143 16] _67 <- ([#"../index_range.rs" 143 12 143 16] _65 < _66); assert { [@expl:index in bounds] [#"../index_range.rs" 143 12 143 16] _67 }; 
@@ -2167,7 +2183,7 @@ module IndexRange_TestRangeFrom } BB33 { assume { resolve1 s1 }; - [#"../index_range.rs" 143 12 143 21] _63 <- ([#"../index_range.rs" 143 12 143 21] Slice.get ( * s1) _65 = (4 : int32)); + [#"../index_range.rs" 143 12 143 21] _63 <- ([#"../index_range.rs" 143 12 143 21] Slice.get ( * s1) _65 = ([#"../index_range.rs" 143 20 143 21] (4 : int32))); assume { resolve1 _48 }; switch (_63) | False -> goto BB35 @@ -2184,7 +2200,7 @@ module IndexRange_TestRangeFrom absurd } BB36 { - [#"../index_range.rs" 145 12 145 26] _70 <- ([#"../index_range.rs" 145 12 145 26] _71 = (5 : usize)); + [#"../index_range.rs" 145 12 145 26] _70 <- ([#"../index_range.rs" 145 12 145 26] _71 = ([#"../index_range.rs" 145 25 145 26] (5 : usize))); _71 <- any usize; switch (_70) | False -> goto BB38 @@ -2192,7 +2208,7 @@ module IndexRange_TestRangeFrom end } BB37 { - [#"../index_range.rs" 146 15 146 18] _77 <- ([#"../index_range.rs" 146 15 146 18] index1 arr (0 : usize)); + [#"../index_range.rs" 146 15 146 18] _77 <- ([#"../index_range.rs" 146 15 146 18] index1 arr ([#"../index_range.rs" 146 16 146 17] (0 : usize))); goto BB39 } BB38 { @@ -2201,14 +2217,14 @@ module IndexRange_TestRangeFrom absurd } BB39 { - [#"../index_range.rs" 146 12 146 23] _75 <- ([#"../index_range.rs" 146 12 146 23] _77 = (0 : int32)); + [#"../index_range.rs" 146 12 146 23] _75 <- ([#"../index_range.rs" 146 12 146 23] _77 = ([#"../index_range.rs" 146 22 146 23] (0 : int32))); switch (_75) | False -> goto BB41 | True -> goto BB40 end } BB40 { - [#"../index_range.rs" 147 15 147 18] _83 <- ([#"../index_range.rs" 147 15 147 18] index1 arr (1 : usize)); + [#"../index_range.rs" 147 15 147 18] _83 <- ([#"../index_range.rs" 147 15 147 18] index1 arr ([#"../index_range.rs" 147 16 147 17] (1 : usize))); goto BB42 } BB41 { 
@@ -2217,14 +2233,14 @@ module IndexRange_TestRangeFrom absurd } BB42 { - [#"../index_range.rs" 147 12 147 23] _81 <- ([#"../index_range.rs" 147 12 147 23] _83 = (1 : int32)); + [#"../index_range.rs" 147 12 147 23] _81 <- ([#"../index_range.rs" 147 12 147 23] _83 = ([#"../index_range.rs" 147 22 147 23] (1 : int32))); switch (_81) | False -> goto BB44 | True -> goto BB43 end } BB43 { - [#"../index_range.rs" 148 15 148 18] _89 <- ([#"../index_range.rs" 148 15 148 18] index1 arr (2 : usize)); + [#"../index_range.rs" 148 15 148 18] _89 <- ([#"../index_range.rs" 148 15 148 18] index1 arr ([#"../index_range.rs" 148 16 148 17] (2 : usize))); goto BB45 } BB44 { @@ -2233,14 +2249,14 @@ module IndexRange_TestRangeFrom absurd } BB45 { - [#"../index_range.rs" 148 12 148 24] _87 <- ([#"../index_range.rs" 148 12 148 24] _89 = (-1 : int32)); + [#"../index_range.rs" 148 12 148 24] _87 <- ([#"../index_range.rs" 148 12 148 24] _89 = ([#"../index_range.rs" 148 22 148 24] (-1 : int32))); switch (_87) | False -> goto BB47 | True -> goto BB46 end } BB46 { - [#"../index_range.rs" 149 15 149 18] _95 <- ([#"../index_range.rs" 149 15 149 18] index1 arr (3 : usize)); + [#"../index_range.rs" 149 15 149 18] _95 <- ([#"../index_range.rs" 149 15 149 18] index1 arr ([#"../index_range.rs" 149 16 149 17] (3 : usize))); goto BB48 } BB47 { @@ -2249,14 +2265,14 @@ module IndexRange_TestRangeFrom absurd } BB48 { - [#"../index_range.rs" 149 12 149 24] _93 <- ([#"../index_range.rs" 149 12 149 24] _95 = (-1 : int32)); + [#"../index_range.rs" 149 12 149 24] _93 <- ([#"../index_range.rs" 149 12 149 24] _95 = ([#"../index_range.rs" 149 22 149 24] (-1 : int32))); switch (_93) | False -> goto BB50 | True -> goto BB49 end } BB49 { - [#"../index_range.rs" 150 15 150 18] _101 <- ([#"../index_range.rs" 150 15 150 18] index1 arr (4 : usize)); + [#"../index_range.rs" 150 15 150 18] _101 <- ([#"../index_range.rs" 150 15 150 18] index1 arr ([#"../index_range.rs" 150 16 150 17] (4 : usize))); goto BB51 } BB50 { 
@@ -2266,14 +2282,14 @@ module IndexRange_TestRangeFrom } BB51 { assume { resolve0 arr }; - [#"../index_range.rs" 150 12 150 23] _99 <- ([#"../index_range.rs" 150 12 150 23] _101 = (4 : int32)); + [#"../index_range.rs" 150 12 150 23] _99 <- ([#"../index_range.rs" 150 12 150 23] _101 = ([#"../index_range.rs" 150 22 150 23] (4 : int32))); switch (_99) | False -> goto BB53 | True -> goto BB52 end } BB52 { - [#"../index_range.rs" 115 25 151 1] _0 <- ([#"../index_range.rs" 115 25 151 1] ()); + [#"../index_range.rs" 115 25 151 1] _0 <- ([#"../index_range.rs" 115 25 151 1] [#"../index_range.rs" 115 25 151 1] ()); goto BB54 } BB53 { @@ -2331,7 +2347,8 @@ module IndexRange_TestRangeFull requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant7 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv8 (shallow_model0 self) val invariant7 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -2455,7 +2472,8 @@ module IndexRange_TestRangeFull requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv9 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : slice int32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv9 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv8 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : slice int32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv9 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv8 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) predicate has_value0 (self : Core_Ops_Range_RangeFull_Type.t_rangefull) (seq : Seq.seq int32) (out : slice int32) = [#"../../../../creusot-contracts/src/std/slice.rs" 208 20 208 31] seq = shallow_model6 out val has_value0 (self : Core_Ops_Range_RangeFull_Type.t_rangefull) (seq : Seq.seq int32) (out : slice int32) : bool 
@@ -2496,7 +2514,8 @@ module IndexRange_TestRangeFull ensures { result = index_logic0 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve2 (index_logic0 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve2 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } @@ -2578,7 +2597,7 @@ module IndexRange_TestRangeFull goto BB0 } BB0 { - [#"../index_range.rs" 156 18 156 30] arr <- ([#"../index_range.rs" 156 18 156 30] create_arr0 ()); + [#"../index_range.rs" 156 18 156 30] arr <- ([#"../index_range.rs" 156 18 156 30] create_arr0 ([#"../index_range.rs" 156 18 156 30] ())); goto BB1 } BB1 { @@ -2593,7 +2612,7 @@ module IndexRange_TestRangeFull goto BB3 } BB3 { - [#"../index_range.rs" 162 12 162 24] _7 <- ([#"../index_range.rs" 162 12 162 24] _8 = (5 : usize)); + [#"../index_range.rs" 162 12 162 24] _7 <- ([#"../index_range.rs" 162 12 162 24] _8 = ([#"../index_range.rs" 162 23 162 24] (5 : usize))); _8 <- any usize; switch (_7) | False -> goto BB20 
@@ -2601,70 +2620,70 @@ module IndexRange_TestRangeFull end } BB4 { - [#"../index_range.rs" 162 30 162 31] _12 <- ([#"../index_range.rs" 162 30 162 31] (0 : usize)); + [#"../index_range.rs" 162 30 162 31] _12 <- ([#"../index_range.rs" 162 30 162 31] [#"../index_range.rs" 162 30 162 31] (0 : usize)); [#"../index_range.rs" 162 28 162 32] _13 <- ([#"../index_range.rs" 162 28 162 32] Slice.length s); [#"../index_range.rs" 162 28 162 32] _14 <- ([#"../index_range.rs" 162 28 162 32] _12 < _13); assert { [@expl:index in bounds] [#"../index_range.rs" 162 28 162 32] _14 }; goto BB5 } BB5 { - [#"../index_range.rs" 162 28 162 37] _10 <- ([#"../index_range.rs" 162 28 162 37] Slice.get s _12 = (0 : int32)); + [#"../index_range.rs" 162 28 162 37] _10 <- ([#"../index_range.rs" 162 28 162 37] Slice.get s _12 = ([#"../index_range.rs" 162 36 162 37] (0 : int32))); switch (_10) | False -> goto BB19 | True -> goto BB6 end } BB6 { - [#"../index_range.rs" 162 43 162 44] _17 <- ([#"../index_range.rs" 162 43 162 44] (1 : usize)); + [#"../index_range.rs" 162 43 162 44] _17 <- ([#"../index_range.rs" 162 43 162 44] [#"../index_range.rs" 162 43 162 44] (1 : usize)); [#"../index_range.rs" 162 41 162 45] _18 <- ([#"../index_range.rs" 162 41 162 45] Slice.length s); [#"../index_range.rs" 162 41 162 45] _19 <- ([#"../index_range.rs" 162 41 162 45] _17 < _18); assert { [@expl:index in bounds] [#"../index_range.rs" 162 41 162 45] _19 }; goto BB7 } BB7 { - [#"../index_range.rs" 162 41 162 50] _15 <- ([#"../index_range.rs" 162 41 162 50] Slice.get s _17 = (1 : int32)); + [#"../index_range.rs" 162 41 162 50] _15 <- ([#"../index_range.rs" 162 41 162 50] Slice.get s _17 = ([#"../index_range.rs" 162 49 162 50] (1 : int32))); switch (_15) | False -> goto BB18 | True -> goto BB8 end } BB8 { - [#"../index_range.rs" 162 56 162 57] _22 <- ([#"../index_range.rs" 162 56 162 57] (2 : usize)); + [#"../index_range.rs" 162 56 162 57] _22 <- ([#"../index_range.rs" 162 56 162 57] [#"../index_range.rs" 162 56 162 57] 
(2 : usize)); [#"../index_range.rs" 162 54 162 58] _23 <- ([#"../index_range.rs" 162 54 162 58] Slice.length s); [#"../index_range.rs" 162 54 162 58] _24 <- ([#"../index_range.rs" 162 54 162 58] _22 < _23); assert { [@expl:index in bounds] [#"../index_range.rs" 162 54 162 58] _24 }; goto BB9 } BB9 { - [#"../index_range.rs" 162 54 162 63] _20 <- ([#"../index_range.rs" 162 54 162 63] Slice.get s _22 = (2 : int32)); + [#"../index_range.rs" 162 54 162 63] _20 <- ([#"../index_range.rs" 162 54 162 63] Slice.get s _22 = ([#"../index_range.rs" 162 62 162 63] (2 : int32))); switch (_20) | False -> goto BB17 | True -> goto BB10 end } BB10 { - [#"../index_range.rs" 162 69 162 70] _27 <- ([#"../index_range.rs" 162 69 162 70] (3 : usize)); + [#"../index_range.rs" 162 69 162 70] _27 <- ([#"../index_range.rs" 162 69 162 70] [#"../index_range.rs" 162 69 162 70] (3 : usize)); [#"../index_range.rs" 162 67 162 71] _28 <- ([#"../index_range.rs" 162 67 162 71] Slice.length s); [#"../index_range.rs" 162 67 162 71] _29 <- ([#"../index_range.rs" 162 67 162 71] _27 < _28); assert { [@expl:index in bounds] [#"../index_range.rs" 162 67 162 71] _29 }; goto BB11 } BB11 { - [#"../index_range.rs" 162 67 162 76] _25 <- ([#"../index_range.rs" 162 67 162 76] Slice.get s _27 = (3 : int32)); + [#"../index_range.rs" 162 67 162 76] _25 <- ([#"../index_range.rs" 162 67 162 76] Slice.get s _27 = ([#"../index_range.rs" 162 75 162 76] (3 : int32))); switch (_25) | False -> goto BB16 | True -> goto BB12 end } BB12 { - [#"../index_range.rs" 162 82 162 83] _32 <- ([#"../index_range.rs" 162 82 162 83] (4 : usize)); + [#"../index_range.rs" 162 82 162 83] _32 <- ([#"../index_range.rs" 162 82 162 83] [#"../index_range.rs" 162 82 162 83] (4 : usize)); [#"../index_range.rs" 162 80 162 84] _33 <- ([#"../index_range.rs" 162 80 162 84] Slice.length s); [#"../index_range.rs" 162 80 162 84] _34 <- ([#"../index_range.rs" 162 80 162 84] _32 < _33); assert { [@expl:index in bounds] [#"../index_range.rs" 162 80 162 84] _34 
}; goto BB13 } BB13 { - [#"../index_range.rs" 162 80 162 89] _30 <- ([#"../index_range.rs" 162 80 162 89] Slice.get s _32 = (4 : int32)); + [#"../index_range.rs" 162 80 162 89] _30 <- ([#"../index_range.rs" 162 80 162 89] Slice.get s _32 = ([#"../index_range.rs" 162 88 162 89] (4 : int32))); switch (_30) | False -> goto BB15 | True -> goto BB14 @@ -2714,7 +2733,7 @@ module IndexRange_TestRangeFull goto BB23 } BB23 { - [#"../index_range.rs" 166 12 166 24] _41 <- ([#"../index_range.rs" 166 12 166 24] _42 = (5 : usize)); + [#"../index_range.rs" 166 12 166 24] _41 <- ([#"../index_range.rs" 166 12 166 24] _42 = ([#"../index_range.rs" 166 23 166 24] (5 : usize))); _42 <- any usize; switch (_41) | False -> goto BB25 @@ -2722,7 +2741,7 @@ module IndexRange_TestRangeFull end } BB24 { - [#"../index_range.rs" 167 6 167 7] _45 <- ([#"../index_range.rs" 167 6 167 7] (1 : usize)); + [#"../index_range.rs" 167 6 167 7] _45 <- ([#"../index_range.rs" 167 6 167 7] [#"../index_range.rs" 167 6 167 7] (1 : usize)); [#"../index_range.rs" 167 4 167 8] _46 <- ([#"../index_range.rs" 167 4 167 8] Slice.length ( * s1)); [#"../index_range.rs" 167 4 167 8] _47 <- ([#"../index_range.rs" 167 4 167 8] _45 < _46); assert { [@expl:index in bounds] [#"../index_range.rs" 167 4 167 8] _47 }; 
@@ -2736,22 +2755,22 @@ module IndexRange_TestRangeFull absurd } BB26 { - [#"../index_range.rs" 167 4 167 13] s1 <- { s1 with current = Slice.set ( * s1) _45 ([#"../index_range.rs" 167 4 167 13] (-1 : int32)) ; }; - [#"../index_range.rs" 168 6 168 7] _48 <- ([#"../index_range.rs" 168 6 168 7] (3 : usize)); + [#"../index_range.rs" 167 4 167 13] s1 <- { s1 with current = Slice.set ( * s1) _45 ([#"../index_range.rs" 167 4 167 13] [#"../index_range.rs" 167 11 167 13] (-1 : int32)) ; }; + [#"../index_range.rs" 168 6 168 7] _48 <- ([#"../index_range.rs" 168 6 168 7] [#"../index_range.rs" 168 6 168 7] (3 : usize)); [#"../index_range.rs" 168 4 168 8] _49 <- ([#"../index_range.rs" 168 4 168 8] Slice.length ( * s1)); [#"../index_range.rs" 168 4 168 8] _50 <- ([#"../index_range.rs" 168 4 168 8] _48 < _49); assert { [@expl:index in bounds] [#"../index_range.rs" 168 4 168 8] _50 }; goto BB27 } BB27 { - [#"../index_range.rs" 168 4 168 13] s1 <- { s1 with current = Slice.set ( * s1) _48 ([#"../index_range.rs" 168 4 168 13] (-1 : int32)) ; }; + [#"../index_range.rs" 168 4 168 13] s1 <- { s1 with current = Slice.set ( * s1) _48 ([#"../index_range.rs" 168 4 168 13] [#"../index_range.rs" 168 11 168 13] (-1 : int32)) ; }; assume { resolve1 s1 }; assume { resolve1 _37 }; [#"../index_range.rs" 170 12 170 21] _53 <- ([#"../index_range.rs" 170 12 170 21] len1 arr); goto BB28 } BB28 { - [#"../index_range.rs" 170 12 170 26] _52 <- ([#"../index_range.rs" 170 12 170 26] _53 = (5 : usize)); + [#"../index_range.rs" 170 12 170 26] _52 <- ([#"../index_range.rs" 170 12 170 26] _53 = ([#"../index_range.rs" 170 25 170 26] (5 : usize))); _53 <- any usize; switch (_52) | False -> goto BB30 
@@ -2759,7 +2778,7 @@ module IndexRange_TestRangeFull end } BB29 { - [#"../index_range.rs" 171 15 171 18] _59 <- ([#"../index_range.rs" 171 15 171 18] index1 arr (0 : usize)); + [#"../index_range.rs" 171 15 171 18] _59 <- ([#"../index_range.rs" 171 15 171 18] index1 arr ([#"../index_range.rs" 171 16 171 17] (0 : usize))); goto BB31 } BB30 { @@ -2768,14 +2787,14 @@ module IndexRange_TestRangeFull absurd } BB31 { - [#"../index_range.rs" 171 12 171 23] _57 <- ([#"../index_range.rs" 171 12 171 23] _59 = (0 : int32)); + [#"../index_range.rs" 171 12 171 23] _57 <- ([#"../index_range.rs" 171 12 171 23] _59 = ([#"../index_range.rs" 171 22 171 23] (0 : int32))); switch (_57) | False -> goto BB33 | True -> goto BB32 end } BB32 { - [#"../index_range.rs" 172 15 172 18] _65 <- ([#"../index_range.rs" 172 15 172 18] index1 arr (1 : usize)); + [#"../index_range.rs" 172 15 172 18] _65 <- ([#"../index_range.rs" 172 15 172 18] index1 arr ([#"../index_range.rs" 172 16 172 17] (1 : usize))); goto BB34 } BB33 { @@ -2784,14 +2803,14 @@ module IndexRange_TestRangeFull absurd } BB34 { - [#"../index_range.rs" 172 12 172 24] _63 <- ([#"../index_range.rs" 172 12 172 24] _65 = (-1 : int32)); + [#"../index_range.rs" 172 12 172 24] _63 <- ([#"../index_range.rs" 172 12 172 24] _65 = ([#"../index_range.rs" 172 22 172 24] (-1 : int32))); switch (_63) | False -> goto BB36 | True -> goto BB35 end } BB35 { - [#"../index_range.rs" 173 15 173 18] _71 <- ([#"../index_range.rs" 173 15 173 18] index1 arr (2 : usize)); + [#"../index_range.rs" 173 15 173 18] _71 <- ([#"../index_range.rs" 173 15 173 18] index1 arr ([#"../index_range.rs" 173 16 173 17] (2 : usize))); goto BB37 } BB36 { 
@@ -2800,14 +2819,14 @@ module IndexRange_TestRangeFull absurd } BB37 { - [#"../index_range.rs" 173 12 173 23] _69 <- ([#"../index_range.rs" 173 12 173 23] _71 = (2 : int32)); + [#"../index_range.rs" 173 12 173 23] _69 <- ([#"../index_range.rs" 173 12 173 23] _71 = ([#"../index_range.rs" 173 22 173 23] (2 : int32))); switch (_69) | False -> goto BB39 | True -> goto BB38 end } BB38 { - [#"../index_range.rs" 174 15 174 18] _77 <- ([#"../index_range.rs" 174 15 174 18] index1 arr (3 : usize)); + [#"../index_range.rs" 174 15 174 18] _77 <- ([#"../index_range.rs" 174 15 174 18] index1 arr ([#"../index_range.rs" 174 16 174 17] (3 : usize))); goto BB40 } BB39 { @@ -2816,14 +2835,14 @@ module IndexRange_TestRangeFull absurd } BB40 { - [#"../index_range.rs" 174 12 174 24] _75 <- ([#"../index_range.rs" 174 12 174 24] _77 = (-1 : int32)); + [#"../index_range.rs" 174 12 174 24] _75 <- ([#"../index_range.rs" 174 12 174 24] _77 = ([#"../index_range.rs" 174 22 174 24] (-1 : int32))); switch (_75) | False -> goto BB42 | True -> goto BB41 end } BB41 { - [#"../index_range.rs" 175 15 175 18] _83 <- ([#"../index_range.rs" 175 15 175 18] index1 arr (4 : usize)); + [#"../index_range.rs" 175 15 175 18] _83 <- ([#"../index_range.rs" 175 15 175 18] index1 arr ([#"../index_range.rs" 175 16 175 17] (4 : usize))); goto BB43 } BB42 { @@ -2833,14 +2852,14 @@ module IndexRange_TestRangeFull } BB43 { assume { resolve0 arr }; - [#"../index_range.rs" 175 12 175 23] _81 <- ([#"../index_range.rs" 175 12 175 23] _83 = (4 : int32)); + [#"../index_range.rs" 175 12 175 23] _81 <- ([#"../index_range.rs" 175 12 175 23] _83 = ([#"../index_range.rs" 175 22 175 23] (4 : int32))); switch (_81) | False -> goto BB45 | True -> goto BB44 end } BB44 { - [#"../index_range.rs" 154 25 176 1] _0 <- ([#"../index_range.rs" 154 25 176 1] ()); + [#"../index_range.rs" 154 25 176 1] _0 <- ([#"../index_range.rs" 154 25 176 1] [#"../index_range.rs" 154 25 176 1] ()); goto BB46 } BB45 { 
@@ -2902,7 +2921,8 @@ module IndexRange_TestRangeToInclusive requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant9 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv10 (shallow_model0 self) val invariant9 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -3037,7 +3057,8 @@ module IndexRange_TestRangeToInclusive predicate resolve_elswhere0 (self : Core_Ops_Range_RangeToInclusive_Type.t_rangetoinclusive usize) (old' : Seq.seq int32) (fin : Seq.seq int32) = - [#"../../../../creusot-contracts/src/std/slice.rs" 234 8 234 89] forall i : int . UIntSize.to_int (Core_Ops_Range_RangeToInclusive_Type.rangetoinclusive_end self) < i /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 234 8 234 89] forall i : int . UIntSize.to_int (Core_Ops_Range_RangeToInclusive_Type.rangetoinclusive_end self) < i /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 (self : Core_Ops_Range_RangeToInclusive_Type.t_rangetoinclusive usize) (old' : Seq.seq int32) (fin : Seq.seq int32) : bool ensures { result = resolve_elswhere0 self old' fin } 
@@ -3047,7 +3068,8 @@ module IndexRange_TestRangeToInclusive requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : slice int32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv10 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : slice int32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv10 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) use seq_ext.SeqExt predicate has_value0 (self : Core_Ops_Range_RangeToInclusive_Type.t_rangetoinclusive usize) (seq : Seq.seq int32) (out : slice int32) 
@@ -3090,7 +3112,8 @@ module IndexRange_TestRangeToInclusive val get0 (self : slice int32) (index : Core_Ops_Range_RangeToInclusive_Type.t_rangetoinclusive usize) : Core_Option_Option_Type.t_option (slice int32) requires {inv2 self} requires {inv1 index} - ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 252 8 252 102] in_bounds0 index (shallow_model3 self) -> (exists r : slice int32 . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ has_value0 index (shallow_model3 self) r) } + ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 252 8 252 102] in_bounds0 index (shallow_model3 self) + -> (exists r : slice int32 . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ has_value0 index (shallow_model3 self) r) } ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 253 18 253 55] in_bounds0 index (shallow_model3 self) \/ result = Core_Option_Option_Type.C_None } ensures { inv3 result } @@ -3112,7 +3135,8 @@ module IndexRange_TestRangeToInclusive ensures { result = index_logic0 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve2 (index_logic0 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve2 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } 
@@ -3185,11 +3209,11 @@ module IndexRange_TestRangeToInclusive goto BB0 } BB0 { - [#"../index_range.rs" 181 18 181 30] arr <- ([#"../index_range.rs" 181 18 181 30] create_arr0 ()); + [#"../index_range.rs" 181 18 181 30] arr <- ([#"../index_range.rs" 181 18 181 30] create_arr0 ([#"../index_range.rs" 181 18 181 30] ())); goto BB1 } BB1 { - [#"../index_range.rs" 186 17 186 21] _5 <- ([#"../index_range.rs" 186 17 186 21] Core_Ops_Range_RangeToInclusive_Type.C_RangeToInclusive (1 : usize)); + [#"../index_range.rs" 186 17 186 21] _5 <- ([#"../index_range.rs" 186 17 186 21] Core_Ops_Range_RangeToInclusive_Type.C_RangeToInclusive ([#"../index_range.rs" 186 20 186 21] (1 : usize))); [#"../index_range.rs" 186 16 186 22] _3 <- ([#"../index_range.rs" 186 16 186 22] index0 arr _5); _5 <- any Core_Ops_Range_RangeToInclusive_Type.t_rangetoinclusive usize; goto BB2 @@ -3200,7 +3224,7 @@ module IndexRange_TestRangeToInclusive goto BB3 } BB3 { - [#"../index_range.rs" 187 12 187 24] _7 <- ([#"../index_range.rs" 187 12 187 24] _8 = (2 : usize)); + [#"../index_range.rs" 187 12 187 24] _7 <- ([#"../index_range.rs" 187 12 187 24] _8 = ([#"../index_range.rs" 187 23 187 24] (2 : usize))); _8 <- any usize; switch (_7) | False -> goto BB11 
@@ -3208,28 +3232,28 @@ module IndexRange_TestRangeToInclusive end } BB4 { - [#"../index_range.rs" 187 30 187 31] _12 <- ([#"../index_range.rs" 187 30 187 31] (0 : usize)); + [#"../index_range.rs" 187 30 187 31] _12 <- ([#"../index_range.rs" 187 30 187 31] [#"../index_range.rs" 187 30 187 31] (0 : usize)); [#"../index_range.rs" 187 28 187 32] _13 <- ([#"../index_range.rs" 187 28 187 32] Slice.length s); [#"../index_range.rs" 187 28 187 32] _14 <- ([#"../index_range.rs" 187 28 187 32] _12 < _13); assert { [@expl:index in bounds] [#"../index_range.rs" 187 28 187 32] _14 }; goto BB5 } BB5 { - [#"../index_range.rs" 187 28 187 37] _10 <- ([#"../index_range.rs" 187 28 187 37] Slice.get s _12 = (0 : int32)); + [#"../index_range.rs" 187 28 187 37] _10 <- ([#"../index_range.rs" 187 28 187 37] Slice.get s _12 = ([#"../index_range.rs" 187 36 187 37] (0 : int32))); switch (_10) | False -> goto BB10 | True -> goto BB6 end } BB6 { - [#"../index_range.rs" 187 43 187 44] _17 <- ([#"../index_range.rs" 187 43 187 44] (1 : usize)); + [#"../index_range.rs" 187 43 187 44] _17 <- ([#"../index_range.rs" 187 43 187 44] [#"../index_range.rs" 187 43 187 44] (1 : usize)); [#"../index_range.rs" 187 41 187 45] _18 <- ([#"../index_range.rs" 187 41 187 45] Slice.length s); [#"../index_range.rs" 187 41 187 45] _19 <- ([#"../index_range.rs" 187 41 187 45] _17 < _18); assert { [@expl:index in bounds] [#"../index_range.rs" 187 41 187 45] _19 }; goto BB7 } BB7 { - [#"../index_range.rs" 187 41 187 50] _15 <- ([#"../index_range.rs" 187 41 187 50] Slice.get s _17 = (1 : int32)); + [#"../index_range.rs" 187 41 187 50] _15 <- ([#"../index_range.rs" 187 41 187 50] Slice.get s _17 = ([#"../index_range.rs" 187 49 187 50] (1 : int32))); switch (_15) | False -> goto BB9 | True -> goto BB8 
@@ -3256,7 +3280,7 @@ module IndexRange_TestRangeToInclusive absurd } BB13 { - [#"../index_range.rs" 192 20 192 24] _28 <- ([#"../index_range.rs" 192 20 192 24] Core_Ops_Range_RangeToInclusive_Type.C_RangeToInclusive (5 : usize)); + [#"../index_range.rs" 192 20 192 24] _28 <- ([#"../index_range.rs" 192 20 192 24] Core_Ops_Range_RangeToInclusive_Type.C_RangeToInclusive ([#"../index_range.rs" 192 23 192 24] (5 : usize))); [#"../index_range.rs" 192 12 192 25] _24 <- ([#"../index_range.rs" 192 12 192 25] get0 _26 _28); _28 <- any Core_Ops_Range_RangeToInclusive_Type.t_rangetoinclusive usize; goto BB14 @@ -3274,7 +3298,7 @@ module IndexRange_TestRangeToInclusive BB16 { [#"../index_range.rs" 195 17 195 20] _32 <- Borrow.borrow_mut arr; [#"../index_range.rs" 195 17 195 20] arr <- ^ _32; - [#"../index_range.rs" 195 21 195 25] _33 <- ([#"../index_range.rs" 195 21 195 25] Core_Ops_Range_RangeToInclusive_Type.C_RangeToInclusive (2 : usize)); + [#"../index_range.rs" 195 21 195 25] _33 <- ([#"../index_range.rs" 195 21 195 25] Core_Ops_Range_RangeToInclusive_Type.C_RangeToInclusive ([#"../index_range.rs" 195 24 195 25] (2 : usize))); [#"../index_range.rs" 195 20 195 26] _31 <- ([#"../index_range.rs" 195 20 195 26] index_mut0 _32 _33); _32 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); _33 <- any Core_Ops_Range_RangeToInclusive_Type.t_rangetoinclusive usize; @@ -3292,7 +3316,7 @@ module IndexRange_TestRangeToInclusive goto BB19 } BB19 { - [#"../index_range.rs" 196 12 196 24] _35 <- ([#"../index_range.rs" 196 12 196 24] _36 = (3 : usize)); + [#"../index_range.rs" 196 12 196 24] _35 <- ([#"../index_range.rs" 196 12 196 24] _36 = ([#"../index_range.rs" 196 23 196 24] (3 : usize))); _36 <- any usize; switch (_35) | False -> goto BB21 
@@ -3300,7 +3324,7 @@ module IndexRange_TestRangeToInclusive end } BB20 { - [#"../index_range.rs" 197 6 197 7] _39 <- ([#"../index_range.rs" 197 6 197 7] (0 : usize)); + [#"../index_range.rs" 197 6 197 7] _39 <- ([#"../index_range.rs" 197 6 197 7] [#"../index_range.rs" 197 6 197 7] (0 : usize)); [#"../index_range.rs" 197 4 197 8] _40 <- ([#"../index_range.rs" 197 4 197 8] Slice.length ( * s1)); [#"../index_range.rs" 197 4 197 8] _41 <- ([#"../index_range.rs" 197 4 197 8] _39 < _40); assert { [@expl:index in bounds] [#"../index_range.rs" 197 4 197 8] _41 }; 
@@ -3314,16 +3338,16 @@ module IndexRange_TestRangeToInclusive absurd } BB22 { - [#"../index_range.rs" 197 4 197 13] s1 <- { s1 with current = Slice.set ( * s1) _39 ([#"../index_range.rs" 197 4 197 13] (-1 : int32)) ; }; - [#"../index_range.rs" 198 6 198 7] _42 <- ([#"../index_range.rs" 198 6 198 7] (2 : usize)); + [#"../index_range.rs" 197 4 197 13] s1 <- { s1 with current = Slice.set ( * s1) _39 ([#"../index_range.rs" 197 4 197 13] [#"../index_range.rs" 197 11 197 13] (-1 : int32)) ; }; + [#"../index_range.rs" 198 6 198 7] _42 <- ([#"../index_range.rs" 198 6 198 7] [#"../index_range.rs" 198 6 198 7] (2 : usize)); [#"../index_range.rs" 198 4 198 8] _43 <- ([#"../index_range.rs" 198 4 198 8] Slice.length ( * s1)); [#"../index_range.rs" 198 4 198 8] _44 <- ([#"../index_range.rs" 198 4 198 8] _42 < _43); assert { [@expl:index in bounds] [#"../index_range.rs" 198 4 198 8] _44 }; goto BB23 } BB23 { - [#"../index_range.rs" 198 4 198 13] s1 <- { s1 with current = Slice.set ( * s1) _42 ([#"../index_range.rs" 198 4 198 13] (-1 : int32)) ; }; - [#"../index_range.rs" 200 14 200 15] _48 <- ([#"../index_range.rs" 200 14 200 15] (1 : usize)); + [#"../index_range.rs" 198 4 198 13] s1 <- { s1 with current = Slice.set ( * s1) _42 ([#"../index_range.rs" 198 4 198 13] [#"../index_range.rs" 198 11 198 13] (-1 : int32)) ; }; + [#"../index_range.rs" 200 14 200 15] _48 <- ([#"../index_range.rs" 200 14 200 15] [#"../index_range.rs" 200 14 200 15] (1 : usize)); [#"../index_range.rs" 200 12 200 16] _49 <- ([#"../index_range.rs" 200 12 200 16] Slice.length ( * s1)); [#"../index_range.rs" 200 12 200 16] _50 <- ([#"../index_range.rs" 200 12 200 16] _48 < _49); assert { [@expl:index in bounds] [#"../index_range.rs" 200 12 200 16] _50 }; 
@@ -3331,7 +3355,7 @@ module IndexRange_TestRangeToInclusive } BB24 { assume { resolve1 s1 }; - [#"../index_range.rs" 200 12 200 21] _46 <- ([#"../index_range.rs" 200 12 200 21] Slice.get ( * s1) _48 = (1 : int32)); + [#"../index_range.rs" 200 12 200 21] _46 <- ([#"../index_range.rs" 200 12 200 21] Slice.get ( * s1) _48 = ([#"../index_range.rs" 200 20 200 21] (1 : int32))); assume { resolve1 _31 }; switch (_46) | False -> goto BB26 @@ -3348,7 +3372,7 @@ module IndexRange_TestRangeToInclusive absurd } BB27 { - [#"../index_range.rs" 202 12 202 26] _53 <- ([#"../index_range.rs" 202 12 202 26] _54 = (5 : usize)); + [#"../index_range.rs" 202 12 202 26] _53 <- ([#"../index_range.rs" 202 12 202 26] _54 = ([#"../index_range.rs" 202 25 202 26] (5 : usize))); _54 <- any usize; switch (_53) | False -> goto BB29 @@ -3356,7 +3380,7 @@ module IndexRange_TestRangeToInclusive end } BB28 { - [#"../index_range.rs" 203 15 203 18] _60 <- ([#"../index_range.rs" 203 15 203 18] index1 arr (0 : usize)); + [#"../index_range.rs" 203 15 203 18] _60 <- ([#"../index_range.rs" 203 15 203 18] index1 arr ([#"../index_range.rs" 203 16 203 17] (0 : usize))); goto BB30 } BB29 { @@ -3365,14 +3389,14 @@ module IndexRange_TestRangeToInclusive absurd } BB30 { - [#"../index_range.rs" 203 12 203 24] _58 <- ([#"../index_range.rs" 203 12 203 24] _60 = (-1 : int32)); + [#"../index_range.rs" 203 12 203 24] _58 <- ([#"../index_range.rs" 203 12 203 24] _60 = ([#"../index_range.rs" 203 22 203 24] (-1 : int32))); switch (_58) | False -> goto BB32 | True -> goto BB31 end } BB31 { - [#"../index_range.rs" 204 15 204 18] _66 <- ([#"../index_range.rs" 204 15 204 18] index1 arr (1 : usize)); + [#"../index_range.rs" 204 15 204 18] _66 <- ([#"../index_range.rs" 204 15 204 18] index1 arr ([#"../index_range.rs" 204 16 204 17] (1 : usize))); goto BB33 } BB32 { 
@@ -3381,14 +3405,14 @@ module IndexRange_TestRangeToInclusive absurd } BB33 { - [#"../index_range.rs" 204 12 204 23] _64 <- ([#"../index_range.rs" 204 12 204 23] _66 = (1 : int32)); + [#"../index_range.rs" 204 12 204 23] _64 <- ([#"../index_range.rs" 204 12 204 23] _66 = ([#"../index_range.rs" 204 22 204 23] (1 : int32))); switch (_64) | False -> goto BB35 | True -> goto BB34 end } BB34 { - [#"../index_range.rs" 205 15 205 18] _72 <- ([#"../index_range.rs" 205 15 205 18] index1 arr (2 : usize)); + [#"../index_range.rs" 205 15 205 18] _72 <- ([#"../index_range.rs" 205 15 205 18] index1 arr ([#"../index_range.rs" 205 16 205 17] (2 : usize))); goto BB36 } BB35 { @@ -3397,14 +3421,14 @@ module IndexRange_TestRangeToInclusive absurd } BB36 { - [#"../index_range.rs" 205 12 205 24] _70 <- ([#"../index_range.rs" 205 12 205 24] _72 = (-1 : int32)); + [#"../index_range.rs" 205 12 205 24] _70 <- ([#"../index_range.rs" 205 12 205 24] _72 = ([#"../index_range.rs" 205 22 205 24] (-1 : int32))); switch (_70) | False -> goto BB38 | True -> goto BB37 end } BB37 { - [#"../index_range.rs" 206 15 206 18] _78 <- ([#"../index_range.rs" 206 15 206 18] index1 arr (3 : usize)); + [#"../index_range.rs" 206 15 206 18] _78 <- ([#"../index_range.rs" 206 15 206 18] index1 arr ([#"../index_range.rs" 206 16 206 17] (3 : usize))); goto BB39 } BB38 { 
@@ -3413,14 +3437,14 @@ module IndexRange_TestRangeToInclusive absurd } BB39 { - [#"../index_range.rs" 206 12 206 23] _76 <- ([#"../index_range.rs" 206 12 206 23] _78 = (3 : int32)); + [#"../index_range.rs" 206 12 206 23] _76 <- ([#"../index_range.rs" 206 12 206 23] _78 = ([#"../index_range.rs" 206 22 206 23] (3 : int32))); switch (_76) | False -> goto BB41 | True -> goto BB40 end } BB40 { - [#"../index_range.rs" 207 15 207 18] _84 <- ([#"../index_range.rs" 207 15 207 18] index1 arr (4 : usize)); + [#"../index_range.rs" 207 15 207 18] _84 <- ([#"../index_range.rs" 207 15 207 18] index1 arr ([#"../index_range.rs" 207 16 207 17] (4 : usize))); goto BB42 } BB41 { @@ -3430,14 +3454,14 @@ module IndexRange_TestRangeToInclusive } BB42 { assume { resolve0 arr }; - [#"../index_range.rs" 207 12 207 23] _82 <- ([#"../index_range.rs" 207 12 207 23] _84 = (4 : int32)); + [#"../index_range.rs" 207 12 207 23] _82 <- ([#"../index_range.rs" 207 12 207 23] _84 = ([#"../index_range.rs" 207 22 207 23] (4 : int32))); switch (_82) | False -> goto BB44 | True -> goto BB43 end } BB43 { - [#"../index_range.rs" 179 33 208 1] _0 <- ([#"../index_range.rs" 179 33 208 1] ()); + [#"../index_range.rs" 179 33 208 1] _0 <- ([#"../index_range.rs" 179 33 208 1] [#"../index_range.rs" 179 33 208 1] ()); goto BB45 } BB44 { diff --git a/creusot/tests/should_succeed/inplace_list_reversal.mlcfg b/creusot/tests/should_succeed/inplace_list_reversal.mlcfg index bd092d55a1..1faa54ed21 100644 --- a/creusot/tests/should_succeed/inplace_list_reversal.mlcfg +++ b/creusot/tests/should_succeed/inplace_list_reversal.mlcfg @@ -187,7 +187,7 @@ module InplaceListReversal_Rev goto BB23 } BB23 { - [#"../inplace_list_reversal.rs" 24 31 36 1] _0 <- ([#"../inplace_list_reversal.rs" 24 31 36 1] ()); + [#"../inplace_list_reversal.rs" 24 31 36 1] _0 <- ([#"../inplace_list_reversal.rs" 24 31 36 1] [#"../inplace_list_reversal.rs" 24 31 36 1] ()); goto BB24 } BB24 { 
diff --git a/creusot/tests/should_succeed/instant.mlcfg b/creusot/tests/should_succeed/instant.mlcfg index 86a7c76238..ce4b8c6105 100644 --- a/creusot/tests/should_succeed/instant.mlcfg +++ b/creusot/tests/should_succeed/instant.mlcfg @@ -201,7 +201,9 @@ module Instant_TestInstant requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv4 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv4 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv4 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv4 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv4 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : Core_Option_Option_Type.t_option int) (y : Core_Option_Option_Type.t_option int) : () val antisym20 (x : Core_Option_Option_Type.t_option int) (y : Core_Option_Option_Type.t_option int) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -209,7 +211,10 @@ module Instant_TestInstant requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv4 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv4 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv4 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv4 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv4 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : Core_Option_Option_Type.t_option int) (y : Core_Option_Option_Type.t_option int) : () val antisym10 (x : Core_Option_Option_Type.t_option int) (y : Core_Option_Option_Type.t_option int) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -217,7 +222,10 @@ module Instant_TestInstant requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv4 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv4 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv4 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv4 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv4 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : Core_Option_Option_Type.t_option int) (y : Core_Option_Option_Type.t_option int) (z : Core_Option_Option_Type.t_option int) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : Core_Option_Option_Type.t_option int) (y : Core_Option_Option_Type.t_option int) (z : Core_Option_Option_Type.t_option int) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -228,13 +236,19 @@ module Instant_TestInstant requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv4 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int, z : Core_Option_Option_Type.t_option int, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv4 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv4 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv4 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int, z : Core_Option_Option_Type.t_option int, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv4 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv4 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv4 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : Core_Option_Option_Type.t_option int) : () val refl0 (x : Core_Option_Option_Type.t_option int) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv4 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : Core_Option_Option_Type.t_option int . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv4 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv4 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : Core_Option_Option_Type.t_option int) (o : Core_Option_Option_Type.t_option int) : bool = [#"../../../../creusot-contracts/src/logic/ord.rs" 41 20 41 56] cmp_log0 self o = Core_Cmp_Ordering_Type.C_Greater val gt_log0 (self : Core_Option_Option_Type.t_option int) (o : Core_Option_Option_Type.t_option int) : bool 
@@ -246,7 +260,9 @@ module Instant_TestInstant requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv4 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv4 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv4 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv4 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv4 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log1 (self : Core_Option_Option_Type.t_option int) (o : Core_Option_Option_Type.t_option int) : bool = [#"../../../../creusot-contracts/src/logic/ord.rs" 31 20 31 53] cmp_log0 self o <> Core_Cmp_Ordering_Type.C_Less val ge_log1 (self : Core_Option_Option_Type.t_option int) (o : Core_Option_Option_Type.t_option int) : bool 
@@ -258,7 +274,9 @@ module Instant_TestInstant requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv4 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv4 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv4 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log1 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv4 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv4 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log1 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : Core_Option_Option_Type.t_option int) (o : Core_Option_Option_Type.t_option int) : bool = [#"../../../../creusot-contracts/src/logic/ord.rs" 21 20 21 53] cmp_log0 self o = Core_Cmp_Ordering_Type.C_Less val lt_log0 (self : Core_Option_Option_Type.t_option int) (o : Core_Option_Option_Type.t_option int) : bool 
@@ -270,7 +288,9 @@ module Instant_TestInstant requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv4 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv4 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv4 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv4 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv4 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : Core_Option_Option_Type.t_option int) (o : Core_Option_Option_Type.t_option int) : bool = [#"../../../../creusot-contracts/src/logic/ord.rs" 11 20 11 56] cmp_log0 self o <> Core_Cmp_Ordering_Type.C_Greater val le_log0 (self : Core_Option_Option_Type.t_option int) (o : Core_Option_Option_Type.t_option int) : bool 
@@ -282,7 +302,9 @@ module Instant_TestInstant requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv4 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv4 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv4 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv4 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv4 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant0 (self : Core_Time_Duration_Type.t_duration) = [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant0 (self : Core_Time_Duration_Type.t_duration) : bool 
@@ -318,8 +340,10 @@ module Instant_TestInstant ensures { result = shallow_model3 self } val saturating_duration_since0 (self : Std_Time_Instant_Type.t_instant) (earlier : Std_Time_Instant_Type.t_instant) : Core_Time_Duration_Type.t_duration - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 157 16 157 60] shallow_model3 self > shallow_model0 earlier -> shallow_model1 result > 0 } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 158 16 158 62] shallow_model3 self <= shallow_model0 earlier -> shallow_model1 result = 0 } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 157 16 157 60] shallow_model3 self > shallow_model0 earlier + -> shallow_model1 result > 0 } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 158 16 158 62] shallow_model3 self <= shallow_model0 earlier + -> shallow_model1 result = 0 } val is_none0 (self : Core_Option_Option_Type.t_option (Core_Time_Duration_Type.t_duration)) : bool requires {inv3 self} 
@@ -330,12 +354,16 @@ module Instant_TestInstant ensures { [#"../../../../creusot-contracts/src/std/option.rs" 33 26 33 51] result = (self <> Core_Option_Option_Type.C_None) } val checked_duration_since0 (self : Std_Time_Instant_Type.t_instant) (earlier : Std_Time_Instant_Type.t_instant) : Core_Option_Option_Type.t_option (Core_Time_Duration_Type.t_duration) - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 153 16 153 64] shallow_model3 self >= shallow_model0 earlier -> result <> Core_Option_Option_Type.C_None } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 154 16 154 63] shallow_model3 self < shallow_model0 earlier -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 153 16 153 64] shallow_model3 self >= shallow_model0 earlier + -> result <> Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 154 16 154 63] shallow_model3 self < shallow_model0 earlier + -> result = Core_Option_Option_Type.C_None } val duration_since0 (self : Std_Time_Instant_Type.t_instant) (earlier : Std_Time_Instant_Type.t_instant) : Core_Time_Duration_Type.t_duration - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 149 16 149 60] shallow_model3 self > shallow_model0 earlier -> shallow_model1 result > 0 } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 150 16 150 62] shallow_model3 self <= shallow_model0 earlier -> shallow_model1 result = 0 } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 149 16 149 60] shallow_model3 self > shallow_model0 earlier + -> shallow_model1 result > 0 } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 150 16 150 62] shallow_model3 self <= shallow_model0 earlier + -> shallow_model1 result = 0 } use int.Int function deep_model3 (self : Core_Time_Duration_Type.t_duration) : int 
@@ -357,12 +385,16 @@ module Instant_TestInstant ensures { [#"../../../../creusot-contracts/src/std/cmp.rs" 11 26 11 75] result = (deep_model0 self = deep_model0 other) } val sub1 (self : Std_Time_Instant_Type.t_instant) (other : Std_Time_Instant_Type.t_instant) : Core_Time_Duration_Type.t_duration - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 199 8 199 50] shallow_model0 self > shallow_model0 other -> shallow_model1 result > 0 } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 200 8 200 52] shallow_model0 self <= shallow_model0 other -> shallow_model1 result = 0 } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 199 8 199 50] shallow_model0 self > shallow_model0 other + -> shallow_model1 result > 0 } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 200 8 200 52] shallow_model0 self <= shallow_model0 other + -> shallow_model1 result = 0 } val sub0 (self : Std_Time_Instant_Type.t_instant) (other : Core_Time_Duration_Type.t_duration) : Std_Time_Instant_Type.t_instant - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 193 8 193 50] shallow_model1 other = 0 -> shallow_model0 self = shallow_model0 result } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 194 8 194 48] shallow_model1 other > 0 -> shallow_model0 self > shallow_model0 result } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 193 8 193 50] shallow_model1 other = 0 + -> shallow_model0 self = shallow_model0 result } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 194 8 194 48] shallow_model1 other > 0 + -> shallow_model0 self > shallow_model0 result } function deep_model4 (self : Std_Time_Instant_Type.t_instant) : int val deep_model4 (self : Std_Time_Instant_Type.t_instant) : int 
@@ -380,12 +412,16 @@ module Instant_TestInstant ensures { result = deep_model1 self } val checked_sub0 (self : Std_Time_Instant_Type.t_instant) (duration : Core_Time_Duration_Type.t_duration) : Core_Option_Option_Type.t_option (Std_Time_Instant_Type.t_instant) - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 165 16 165 81] shallow_model1 duration = 0 -> deep_model1 result = Core_Option_Option_Type.C_Some (shallow_model3 self) } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 166 16 166 97] shallow_model1 duration > 0 /\ result <> Core_Option_Option_Type.C_None -> gt_log0 (Core_Option_Option_Type.C_Some (shallow_model3 self)) (deep_model1 result) } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 165 16 165 81] shallow_model1 duration = 0 + -> deep_model1 result = Core_Option_Option_Type.C_Some (shallow_model3 self) } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 166 16 166 97] shallow_model1 duration > 0 /\ result <> Core_Option_Option_Type.C_None + -> gt_log0 (Core_Option_Option_Type.C_Some (shallow_model3 self)) (deep_model1 result) } val add0 (self : Std_Time_Instant_Type.t_instant) (other : Core_Time_Duration_Type.t_duration) : Std_Time_Instant_Type.t_instant - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 187 8 187 50] shallow_model1 other = 0 -> shallow_model0 self = shallow_model0 result } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 188 8 188 48] shallow_model1 other > 0 -> shallow_model0 self < shallow_model0 result } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 187 8 187 50] shallow_model1 other = 0 + -> shallow_model0 self = shallow_model0 result } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 188 8 188 48] shallow_model1 other > 0 + -> shallow_model0 self < shallow_model0 result } function deep_model2 (self : Std_Time_Instant_Type.t_instant) : int = [#"../../../../creusot-contracts/src/model.rs" 74 8 74 28] deep_model4 self 
@@ -402,8 +438,10 @@ module Instant_TestInstant ensures { inv2 result } val checked_add0 (self : Std_Time_Instant_Type.t_instant) (duration : Core_Time_Duration_Type.t_duration) : Core_Option_Option_Type.t_option (Std_Time_Instant_Type.t_instant) - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 161 16 161 81] shallow_model1 duration = 0 -> deep_model1 result = Core_Option_Option_Type.C_Some (shallow_model3 self) } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 162 16 162 97] shallow_model1 duration > 0 /\ result <> Core_Option_Option_Type.C_None -> lt_log0 (Core_Option_Option_Type.C_Some (shallow_model3 self)) (deep_model1 result) } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 161 16 161 81] shallow_model1 duration = 0 + -> deep_model1 result = Core_Option_Option_Type.C_Some (shallow_model3 self) } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 162 16 162 97] shallow_model1 duration > 0 /\ result <> Core_Option_Option_Type.C_None + -> lt_log0 (Core_Option_Option_Type.C_Some (shallow_model3 self)) (deep_model1 result) } use int.Int val ge0 (self : Core_Time_Duration_Type.t_duration) (other : Core_Time_Duration_Type.t_duration) : bool @@ -463,11 +501,11 @@ module Instant_TestInstant goto BB0 } BB0 { - [#"../instant.rs" 8 18 8 32] instant <- ([#"../instant.rs" 8 18 8 32] now0 ()); + [#"../instant.rs" 8 18 8 32] instant <- ([#"../instant.rs" 8 18 8 32] now0 ([#"../instant.rs" 8 18 8 32] ())); goto BB1 } BB1 { - [#"../instant.rs" 9 19 9 41] zero_dur <- ([#"../instant.rs" 9 19 9 41] from_secs0 (0 : uint64)); + [#"../instant.rs" 9 19 9 41] zero_dur <- ([#"../instant.rs" 9 19 9 41] from_secs0 ([#"../instant.rs" 9 39 9 40] (0 : uint64))); goto BB2 } BB2 { 
@@ -526,7 +564,7 @@ module Instant_TestInstant end } BB14 { - [#"../instant.rs" 14 24 14 46] three_seconds <- ([#"../instant.rs" 14 24 14 46] from_secs0 (3 : uint64)); + [#"../instant.rs" 14 24 14 46] three_seconds <- ([#"../instant.rs" 14 24 14 46] from_secs0 ([#"../instant.rs" 14 44 14 45] (3 : uint64))); goto BB16 } BB15 { @@ -748,7 +786,7 @@ module Instant_TestInstant end } BB63 { - [#"../instant.rs" 7 22 34 1] _0 <- ([#"../instant.rs" 7 22 34 1] ()); + [#"../instant.rs" 7 22 34 1] _0 <- ([#"../instant.rs" 7 22 34 1] [#"../instant.rs" 7 22 34 1] ()); return _0 } BB64 { diff --git a/creusot/tests/should_succeed/invariant_moves.mlcfg b/creusot/tests/should_succeed/invariant_moves.mlcfg index 17c84d3f3d..e8632bd56b 100644 --- a/creusot/tests/should_succeed/invariant_moves.mlcfg +++ b/creusot/tests/should_succeed/invariant_moves.mlcfg 
@@ -74,7 +74,8 @@ module InvariantMoves_TestInvariantMove requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv3 (shallow_model0 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool @@ -117,7 +118,8 @@ module InvariantMoves_TestInvariantMove ensures { result = index_logic0 self ix } predicate resolve1 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve2 (index_logic0 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve2 (index_logic0 self i) val resolve1 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve1 self } 
@@ -188,7 +190,7 @@ module InvariantMoves_TestInvariantMove } BB7 { assume { resolve1 x }; - [#"../invariant_moves.rs" 7 4 7 45] _0 <- ([#"../invariant_moves.rs" 7 4 7 45] ()); + [#"../invariant_moves.rs" 7 4 7 45] _0 <- ([#"../invariant_moves.rs" 7 4 7 45] [#"../invariant_moves.rs" 7 4 7 45] ()); goto BB8 } BB8 { diff --git a/creusot/tests/should_succeed/ite_normalize.mlcfg b/creusot/tests/should_succeed/ite_normalize.mlcfg index 783cbb19b4..bc16d1b8af 100644 --- a/creusot/tests/should_succeed/ite_normalize.mlcfg +++ b/creusot/tests/should_succeed/ite_normalize.mlcfg @@ -771,7 +771,8 @@ module IteNormalize_Impl5_SimplifyHelper val insert0 [#"../ite_normalize.rs" 28 4 30 15] (self : borrowed (IteNormalize_BTreeMap_Type.t_btreemap usize bool)) (key : usize) (value : bool) : Core_Option_Option_Type.t_option bool requires {[#"../ite_normalize.rs" 28 25 28 28] inv3 key} requires {[#"../ite_normalize.rs" 28 33 28 38] inv4 value} - ensures { [#"../ite_normalize.rs" 27 4 27 125] forall i : int . inv5 i -> Map.get (shallow_model0 ( ^ self)) i = (if i = deep_model1 key then + ensures { [#"../ite_normalize.rs" 27 4 27 125] forall i : int . inv5 i + -> Map.get (shallow_model0 ( ^ self)) i = (if i = deep_model1 key then Core_Option_Option_Type.C_Some value else Map.get (shallow_model3 self) i 
@@ -805,13 +806,17 @@ module IteNormalize_Impl5_SimplifyHelper val get0 [#"../ite_normalize.rs" 19 4 21 15] (self : IteNormalize_BTreeMap_Type.t_btreemap usize bool) (key : usize) : Core_Option_Option_Type.t_option bool requires {[#"../ite_normalize.rs" 19 25 19 28] inv0 key} - ensures { [#"../ite_normalize.rs" 17 4 17 70] result = Core_Option_Option_Type.C_None -> Map.get (shallow_model2 self) (deep_model0 key) = Core_Option_Option_Type.C_None } - ensures { [#"../ite_normalize.rs" 18 4 18 91] forall v : bool . inv1 v -> result = Core_Option_Option_Type.C_Some v -> Map.get (shallow_model2 self) (deep_model0 key) = Core_Option_Option_Type.C_Some v } + ensures { [#"../ite_normalize.rs" 17 4 17 70] result = Core_Option_Option_Type.C_None + -> Map.get (shallow_model2 self) (deep_model0 key) = Core_Option_Option_Type.C_None } + ensures { [#"../ite_normalize.rs" 18 4 18 91] forall v : bool . inv1 v + -> result = Core_Option_Option_Type.C_Some v + -> Map.get (shallow_model2 self) (deep_model0 key) = Core_Option_Option_Type.C_Some v } ensures { [#"../ite_normalize.rs" 19 40 19 53] inv2 result } let rec cfg simplify_helper [#"../ite_normalize.rs" 189 4 189 66] [@cfg:stackify] [@cfg:subregion_analysis] (self : IteNormalize_Expr_Type.t_expr) (state : IteNormalize_BTreeMap_Type.t_btreemap usize bool) : IteNormalize_Expr_Type.t_expr requires {[#"../ite_normalize.rs" 185 15 185 35] is_normalized0 self} - ensures { [#"../ite_normalize.rs" 186 4 186 107] forall i : usize . (exists v : bool . Map.get (shallow_model0 state) (UIntSize.to_int i) = Core_Option_Option_Type.C_Some v) -> does_not_contain0 result i } + ensures { [#"../ite_normalize.rs" 186 4 186 107] forall i : usize . (exists v : bool . Map.get (shallow_model0 state) (UIntSize.to_int i) = Core_Option_Option_Type.C_Some v) + -> does_not_contain0 result i } ensures { [#"../ite_normalize.rs" 187 14 187 36] is_simplified0 result } variant {[#"../ite_normalize.rs" 188 14 188 18] self} 
@@ -953,7 +958,7 @@ module IteNormalize_Impl5_SimplifyHelper BB20 { [#"../ite_normalize.rs" 203 28 203 35] _27 <- Borrow.borrow_mut state_t; [#"../ite_normalize.rs" 203 28 203 35] state_t <- ^ _27; - [#"../ite_normalize.rs" 203 28 203 51] _26 <- ([#"../ite_normalize.rs" 203 28 203 51] insert0 _27 v true); + [#"../ite_normalize.rs" 203 28 203 51] _26 <- ([#"../ite_normalize.rs" 203 28 203 51] insert0 _27 v ([#"../ite_normalize.rs" 203 46 203 50] true)); _27 <- any borrowed (IteNormalize_BTreeMap_Type.t_btreemap usize bool); goto BB21 } @@ -971,7 +976,7 @@ module IteNormalize_Impl5_SimplifyHelper BB23 { [#"../ite_normalize.rs" 208 28 208 35] _35 <- Borrow.borrow_mut state_e; [#"../ite_normalize.rs" 208 28 208 35] state_e <- ^ _35; - [#"../ite_normalize.rs" 208 28 208 52] _34 <- ([#"../ite_normalize.rs" 208 28 208 52] insert0 _35 v false); + [#"../ite_normalize.rs" 208 28 208 52] _34 <- ([#"../ite_normalize.rs" 208 28 208 52] insert0 _35 v ([#"../ite_normalize.rs" 208 46 208 51] false)); _35 <- any borrowed (IteNormalize_BTreeMap_Type.t_btreemap usize bool); goto BB24 } @@ -1142,7 +1147,8 @@ module IteNormalize_Impl5_Simplify val simplify_helper0 [#"../ite_normalize.rs" 189 4 189 66] (self : IteNormalize_Expr_Type.t_expr) (state : IteNormalize_BTreeMap_Type.t_btreemap usize bool) : IteNormalize_Expr_Type.t_expr requires {[#"../ite_normalize.rs" 185 15 185 35] is_normalized0 self} - ensures { [#"../ite_normalize.rs" 186 4 186 107] forall i : usize . (exists v : bool . Map.get (shallow_model0 state) (UIntSize.to_int i) = Core_Option_Option_Type.C_Some v) -> does_not_contain0 result i } + ensures { [#"../ite_normalize.rs" 186 4 186 107] forall i : usize . (exists v : bool . Map.get (shallow_model0 state) (UIntSize.to_int i) = Core_Option_Option_Type.C_Some v) + -> does_not_contain0 result i } ensures { [#"../ite_normalize.rs" 187 14 187 36] is_simplified0 result } val new0 [#"../ite_normalize.rs" 12 4 12 20] (_1 : ()) : IteNormalize_BTreeMap_Type.t_btreemap usize bool 
@@ -1161,7 +1167,7 @@ module IteNormalize_Impl5_Simplify goto BB1 } BB1 { - [#"../ite_normalize.rs" 182 29 182 44] _5 <- ([#"../ite_normalize.rs" 182 29 182 44] new0 ()); + [#"../ite_normalize.rs" 182 29 182 44] _5 <- ([#"../ite_normalize.rs" 182 29 182 44] new0 ([#"../ite_normalize.rs" 182 29 182 44] ())); goto BB2 } BB2 { @@ -1201,7 +1207,8 @@ module IteNormalize_Impl1 axiom inv0 : forall x : IteNormalize_BTreeMap_Type.t_btreemap k v . inv0 x = true use prelude.Borrow - goal clone'_refn : [#"../ite_normalize.rs" 39 4 39 27] forall self : IteNormalize_BTreeMap_Type.t_btreemap k v . inv0 self -> (forall result : IteNormalize_BTreeMap_Type.t_btreemap k v . self = result -> inv1 result /\ result = self) + goal clone'_refn : [#"../ite_normalize.rs" 39 4 39 27] forall self : IteNormalize_BTreeMap_Type.t_btreemap k v . inv0 self + -> (forall result : IteNormalize_BTreeMap_Type.t_btreemap k v . self = result -> inv1 result /\ result = self) end module IteNormalize_Impl6 use IteNormalize_Expr_Type as IteNormalize_Expr_Type @@ -1226,7 +1233,8 @@ module IteNormalize_Impl6 axiom inv0 : forall x : IteNormalize_Expr_Type.t_expr . inv0 x = true use prelude.Borrow - goal clone'_refn : [#"../ite_normalize.rs" 55 9 55 14] forall self : IteNormalize_Expr_Type.t_expr . inv0 self -> (forall result : IteNormalize_Expr_Type.t_expr . result = self -> inv1 result /\ result = self) + goal clone'_refn : [#"../ite_normalize.rs" 55 9 55 14] forall self : IteNormalize_Expr_Type.t_expr . inv0 self + -> (forall result : IteNormalize_Expr_Type.t_expr . result = self -> inv1 result /\ result = self) end module IteNormalize_Impl2 type k 
@@ -1259,7 +1267,8 @@ module IteNormalize_Impl3 axiom inv0 : forall x : usize . inv0 x = true use prelude.Int - goal from_refn : [#"../ite_normalize.rs" 80 4 80 29] forall value : usize . inv0 value -> (forall result : IteNormalize_Expr_Type.t_expr . inv1 result) + goal from_refn : [#"../ite_normalize.rs" 80 4 80 29] forall value : usize . inv0 value + -> (forall result : IteNormalize_Expr_Type.t_expr . inv1 result) end module IteNormalize_Impl4 use IteNormalize_Expr_Type as IteNormalize_Expr_Type @@ -1283,5 +1292,6 @@ module IteNormalize_Impl4 ensures { result = inv0 _x } axiom inv0 : forall x : bool . inv0 x = true - goal from_refn : [#"../ite_normalize.rs" 86 4 86 28] forall value : bool . inv0 value -> (forall result : IteNormalize_Expr_Type.t_expr . inv1 result) + goal from_refn : [#"../ite_normalize.rs" 86 4 86 28] forall value : bool . inv0 value + -> (forall result : IteNormalize_Expr_Type.t_expr . inv1 result) end diff --git a/creusot/tests/should_succeed/iterators/01_range.mlcfg b/creusot/tests/should_succeed/iterators/01_range.mlcfg index 7976094f5a..cbd437911f 100644 --- a/creusot/tests/should_succeed/iterators/01_range.mlcfg +++ b/creusot/tests/should_succeed/iterators/01_range.mlcfg 
@@ -25,7 +25,9 @@ module C01Range_Impl0_ProducesRefl_Impl predicate produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) = - [#"../01_range.rs" 32 8 38 9] C01Range_Range_Type.range_end self = C01Range_Range_Type.range_end o /\ C01Range_Range_Type.range_start self <= C01Range_Range_Type.range_start o /\ (Seq.length visited > 0 -> C01Range_Range_Type.range_start o <= C01Range_Range_Type.range_end o) /\ Seq.length visited = IntSize.to_int (C01Range_Range_Type.range_start o) - IntSize.to_int (C01Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> IntSize.to_int (Seq.get visited i) = IntSize.to_int (C01Range_Range_Type.range_start self) + i) + [#"../01_range.rs" 32 8 38 9] C01Range_Range_Type.range_end self = C01Range_Range_Type.range_end o /\ C01Range_Range_Type.range_start self <= C01Range_Range_Type.range_start o /\ (Seq.length visited > 0 + -> C01Range_Range_Type.range_start o <= C01Range_Range_Type.range_end o) /\ Seq.length visited = IntSize.to_int (C01Range_Range_Type.range_start o) - IntSize.to_int (C01Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> IntSize.to_int (Seq.get visited i) = IntSize.to_int (C01Range_Range_Type.range_start self) + i) val produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) : bool ensures { result = produces0 self visited o } 
@@ -46,7 +48,9 @@ module C01Range_Impl0_ProducesTrans_Impl predicate produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) = - [#"../01_range.rs" 32 8 38 9] C01Range_Range_Type.range_end self = C01Range_Range_Type.range_end o /\ C01Range_Range_Type.range_start self <= C01Range_Range_Type.range_start o /\ (Seq.length visited > 0 -> C01Range_Range_Type.range_start o <= C01Range_Range_Type.range_end o) /\ Seq.length visited = IntSize.to_int (C01Range_Range_Type.range_start o) - IntSize.to_int (C01Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> IntSize.to_int (Seq.get visited i) = IntSize.to_int (C01Range_Range_Type.range_start self) + i) + [#"../01_range.rs" 32 8 38 9] C01Range_Range_Type.range_end self = C01Range_Range_Type.range_end o /\ C01Range_Range_Type.range_start self <= C01Range_Range_Type.range_start o /\ (Seq.length visited > 0 + -> C01Range_Range_Type.range_start o <= C01Range_Range_Type.range_end o) /\ Seq.length visited = IntSize.to_int (C01Range_Range_Type.range_start o) - IntSize.to_int (C01Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> IntSize.to_int (Seq.get visited i) = IntSize.to_int (C01Range_Range_Type.range_start self) + i) val produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) : bool ensures { result = produces0 self visited o } 
@@ -57,7 +61,9 @@ module C01Range_Impl0_ProducesTrans_Impl constant c : C01Range_Range_Type.t_range function produces_trans [#"../01_range.rs" 51 4 51 90] (a : C01Range_Range_Type.t_range) (ab : Seq.seq isize) (b : C01Range_Range_Type.t_range) (bc : Seq.seq isize) (c : C01Range_Range_Type.t_range) : () - goal vc_produces_trans : ([#"../01_range.rs" 49 15 49 32] produces0 b bc c) -> ([#"../01_range.rs" 48 15 48 32] produces0 a ab b) -> ([#"../01_range.rs" 50 14 50 42] produces0 a (Seq.(++) ab bc) c) + goal vc_produces_trans : ([#"../01_range.rs" 49 15 49 32] produces0 b bc c) + -> ([#"../01_range.rs" 48 15 48 32] produces0 a ab b) + -> ([#"../01_range.rs" 50 14 50 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = 
@@ -81,7 +87,9 @@ module C01Range_Impl0_Next predicate produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) = - [#"../01_range.rs" 32 8 38 9] C01Range_Range_Type.range_end self = C01Range_Range_Type.range_end o /\ C01Range_Range_Type.range_start self <= C01Range_Range_Type.range_start o /\ (Seq.length visited > 0 -> C01Range_Range_Type.range_start o <= C01Range_Range_Type.range_end o) /\ Seq.length visited = IntSize.to_int (C01Range_Range_Type.range_start o) - IntSize.to_int (C01Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> IntSize.to_int (Seq.get visited i) = IntSize.to_int (C01Range_Range_Type.range_start self) + i) + [#"../01_range.rs" 32 8 38 9] C01Range_Range_Type.range_end self = C01Range_Range_Type.range_end o /\ C01Range_Range_Type.range_start self <= C01Range_Range_Type.range_start o /\ (Seq.length visited > 0 + -> C01Range_Range_Type.range_start o <= C01Range_Range_Type.range_end o) /\ Seq.length visited = IntSize.to_int (C01Range_Range_Type.range_start o) - IntSize.to_int (C01Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> IntSize.to_int (Seq.get visited i) = IntSize.to_int (C01Range_Range_Type.range_start self) + i) val produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) : bool ensures { result = produces0 self visited o } 
@@ -126,7 +134,7 @@ module C01Range_Impl0_Next } BB2 { [#"../01_range.rs" 61 20 61 30] r <- ([#"../01_range.rs" 61 20 61 30] C01Range_Range_Type.range_start ( * self)); - [#"../01_range.rs" 62 12 62 27] self <- { self with current = (let C01Range_Range_Type.C_Range x0 x1 = * self in C01Range_Range_Type.C_Range ([#"../01_range.rs" 62 12 62 27] C01Range_Range_Type.range_start ( * self) + (1 : isize)) x1) ; }; + [#"../01_range.rs" 62 12 62 27] self <- { self with current = (let C01Range_Range_Type.C_Range x0 x1 = * self in C01Range_Range_Type.C_Range ([#"../01_range.rs" 62 12 62 27] C01Range_Range_Type.range_start ( * self) + ([#"../01_range.rs" 62 26 62 27] (1 : isize))) x1) ; }; assume { resolve0 self }; [#"../01_range.rs" 63 12 63 19] _0 <- ([#"../01_range.rs" 63 12 63 19] Core_Option_Option_Type.C_Some r); goto BB3 
@@ -166,7 +174,9 @@ module C01Range_SumRange predicate produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) = - [#"../01_range.rs" 32 8 38 9] C01Range_Range_Type.range_end self = C01Range_Range_Type.range_end o /\ C01Range_Range_Type.range_start self <= C01Range_Range_Type.range_start o /\ (Seq.length visited > 0 -> C01Range_Range_Type.range_start o <= C01Range_Range_Type.range_end o) /\ Seq.length visited = IntSize.to_int (C01Range_Range_Type.range_start o) - IntSize.to_int (C01Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> IntSize.to_int (Seq.get visited i) = IntSize.to_int (C01Range_Range_Type.range_start self) + i) + [#"../01_range.rs" 32 8 38 9] C01Range_Range_Type.range_end self = C01Range_Range_Type.range_end o /\ C01Range_Range_Type.range_start self <= C01Range_Range_Type.range_start o /\ (Seq.length visited > 0 + -> C01Range_Range_Type.range_start o <= C01Range_Range_Type.range_end o) /\ Seq.length visited = IntSize.to_int (C01Range_Range_Type.range_start o) - IntSize.to_int (C01Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> IntSize.to_int (Seq.get visited i) = IntSize.to_int (C01Range_Range_Type.range_start self) + i) val produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) : bool ensures { result = produces0 self visited o } 
@@ -179,7 +189,9 @@ module C01Range_SumRange requires {[#"../01_range.rs" 49 15 49 32] produces0 b bc c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : C01Range_Range_Type.t_range, ab : Seq.seq isize, b : C01Range_Range_Type.t_range, bc : Seq.seq isize, c : C01Range_Range_Type.t_range . ([#"../01_range.rs" 48 15 48 32] produces0 a ab b) -> ([#"../01_range.rs" 49 15 49 32] produces0 b bc c) -> ([#"../01_range.rs" 50 14 50 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : C01Range_Range_Type.t_range, ab : Seq.seq isize, b : C01Range_Range_Type.t_range, bc : Seq.seq isize, c : C01Range_Range_Type.t_range . ([#"../01_range.rs" 48 15 48 32] produces0 a ab b) + -> ([#"../01_range.rs" 49 15 49 32] produces0 b bc c) + -> ([#"../01_range.rs" 50 14 50 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../01_range.rs" 44 4 44 26] (self : C01Range_Range_Type.t_range) : () = [#"../01_range.rs" 41 4 41 10] () @@ -245,8 +257,8 @@ module C01Range_SumRange goto BB0 } BB0 { - [#"../01_range.rs" 78 16 78 17] i <- ([#"../01_range.rs" 78 16 78 17] (0 : isize)); - [#"../01_range.rs" 79 17 79 43] _6 <- ([#"../01_range.rs" 79 17 79 43] C01Range_Range_Type.C_Range (0 : isize) n); + [#"../01_range.rs" 78 16 78 17] i <- ([#"../01_range.rs" 78 16 78 17] [#"../01_range.rs" 78 16 78 17] (0 : isize)); + [#"../01_range.rs" 79 17 79 43] _6 <- ([#"../01_range.rs" 79 17 79 43] C01Range_Range_Type.C_Range ([#"../01_range.rs" 79 32 79 33] (0 : isize)) n); [#"../01_range.rs" 79 17 79 55] it <- ([#"../01_range.rs" 79 17 79 55] into_iter0 _6); _6 <- any C01Range_Range_Type.t_range; goto BB1 
@@ -300,7 +312,7 @@ module C01Range_SumRange BB11 { [#"../01_range.rs" 88 16 88 75] produced <- ([#"../01_range.rs" 88 16 88 75] _21); _21 <- any Snapshot.snap_ty (Seq.seq isize); - [#"../01_range.rs" 89 16 89 22] i <- ([#"../01_range.rs" 89 16 89 22] i + (1 : isize)); + [#"../01_range.rs" 89 16 89 22] i <- ([#"../01_range.rs" 89 16 89 22] i + ([#"../01_range.rs" 89 21 89 22] (1 : isize))); goto BB4 } 
@@ -371,18 +383,25 @@ module C01Range_Impl0 predicate produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) = - [#"../01_range.rs" 32 8 38 9] C01Range_Range_Type.range_end self = C01Range_Range_Type.range_end o /\ C01Range_Range_Type.range_start self <= C01Range_Range_Type.range_start o /\ (Seq.length visited > 0 -> C01Range_Range_Type.range_start o <= C01Range_Range_Type.range_end o) /\ Seq.length visited = IntSize.to_int (C01Range_Range_Type.range_start o) - IntSize.to_int (C01Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> IntSize.to_int (Seq.get visited i) = IntSize.to_int (C01Range_Range_Type.range_start self) + i) + [#"../01_range.rs" 32 8 38 9] C01Range_Range_Type.range_end self = C01Range_Range_Type.range_end o /\ C01Range_Range_Type.range_start self <= C01Range_Range_Type.range_start o /\ (Seq.length visited > 0 + -> C01Range_Range_Type.range_start o <= C01Range_Range_Type.range_end o) /\ Seq.length visited = IntSize.to_int (C01Range_Range_Type.range_start o) - IntSize.to_int (C01Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> IntSize.to_int (Seq.get visited i) = IntSize.to_int (C01Range_Range_Type.range_start self) + i) val produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) : bool ensures { result = produces0 self visited o } use seq.Seq - goal produces_refl_refn : [#"../01_range.rs" 44 4 44 26] forall self : C01Range_Range_Type.t_range . inv0 self -> (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal next_refn : [#"../01_range.rs" 57 4 57 39] forall self : borrowed (C01Range_Range_Type.t_range) . inv1 self -> (forall result : Core_Option_Option_Type.t_option isize . 
match result with + goal produces_refl_refn : [#"../01_range.rs" 44 4 44 26] forall self : C01Range_Range_Type.t_range . inv0 self + -> (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal next_refn : [#"../01_range.rs" 57 4 57 39] forall self : borrowed (C01Range_Range_Type.t_range) . inv1 self + -> (forall result : Core_Option_Option_Type.t_option isize . match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv2 result /\ match result with + end + -> inv2 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) - goal produces_trans_refn : [#"../01_range.rs" 51 4 51 90] forall a : C01Range_Range_Type.t_range . forall ab : Seq.seq isize . forall b : C01Range_Range_Type.t_range . forall bc : Seq.seq isize . forall c : C01Range_Range_Type.t_range . inv0 c /\ inv3 bc /\ inv0 b /\ inv3 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) + goal produces_trans_refn : [#"../01_range.rs" 51 4 51 90] forall a : C01Range_Range_Type.t_range . forall ab : Seq.seq isize . forall b : C01Range_Range_Type.t_range . forall bc : Seq.seq isize . forall c : C01Range_Range_Type.t_range . inv0 c /\ inv3 bc /\ inv0 b /\ inv3 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) end diff --git a/creusot/tests/should_succeed/iterators/02_iter_mut.mlcfg b/creusot/tests/should_succeed/iterators/02_iter_mut.mlcfg index 87a643ebf1..06bbe2d2b1 100644 --- a/creusot/tests/should_succeed/iterators/02_iter_mut.mlcfg 
+++ b/creusot/tests/should_succeed/iterators/02_iter_mut.mlcfg @@ -63,7 +63,8 @@ module C02IterMut_Impl1_ProducesRefl_Impl requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv4 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv4 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) use C02IterMut_IterMut_Type as C02IterMut_IterMut_Type predicate invariant0 [#"../02_iter_mut.rs" 20 4 20 30] (self : C02IterMut_IterMut_Type.t_itermut t) = [#"../02_iter_mut.rs" 22 20 22 64] Seq.length (shallow_model1 ( ^ C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length (shallow_model1 ( * C02IterMut_IterMut_Type.itermut_inner self)) 
@@ -96,18 +97,23 @@ module C02IterMut_Impl1_ProducesRefl_Impl requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv1 self} ensures { result = to_mut_seq0 self } - axiom to_mut_seq0_spec : forall self : borrowed (slice t) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv2 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> ^ Seq.get (to_mut_seq0 self) i = index_logic1 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> * Seq.get (to_mut_seq0 self) i = index_logic1 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model0 self)) + axiom to_mut_seq0_spec : forall self : borrowed (slice t) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv2 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> ^ Seq.get (to_mut_seq0 self) i = index_logic1 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 
0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> * Seq.get (to_mut_seq0 self) i = index_logic1 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model0 self)) predicate produces0 [#"../02_iter_mut.rs" 37 4 37 65] (self : C02IterMut_IterMut_Type.t_itermut t) (visited : Seq.seq (borrowed t)) (tl : C02IterMut_IterMut_Type.t_itermut t) = - [#"../02_iter_mut.rs" 39 12 43 13] Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length visited + Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner tl)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) -> * Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = * Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i /\ ^ Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = ^ Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i) + [#"../02_iter_mut.rs" 39 12 43 13] Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length visited + Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner tl)) /\ (forall i : int . 
0 <= i /\ i < Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) + -> * Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = * Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i /\ ^ Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = ^ Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i) val produces0 [#"../02_iter_mut.rs" 37 4 37 65] (self : C02IterMut_IterMut_Type.t_itermut t) (visited : Seq.seq (borrowed t)) (tl : C02IterMut_IterMut_Type.t_itermut t) : bool ensures { result = produces0 self visited tl } use seq.Seq constant self : C02IterMut_IterMut_Type.t_itermut t function produces_refl [#"../02_iter_mut.rs" 50 4 50 26] (self : C02IterMut_IterMut_Type.t_itermut t) : () - goal vc_produces_refl : ([#"../02_iter_mut.rs" 50 21 50 25] inv0 self) -> ([#"../02_iter_mut.rs" 49 14 49 45] produces0 self (Seq.empty ) self) + goal vc_produces_refl : ([#"../02_iter_mut.rs" 50 21 50 25] inv0 self) + -> ([#"../02_iter_mut.rs" 49 14 49 45] produces0 self (Seq.empty ) self) end module C02IterMut_Impl1_ProducesTrans_Impl type t 
@@ -162,7 +168,8 @@ module C02IterMut_Impl1_ProducesTrans_Impl requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv4 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv4 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) use C02IterMut_IterMut_Type as C02IterMut_IterMut_Type predicate invariant0 [#"../02_iter_mut.rs" 20 4 20 30] (self : C02IterMut_IterMut_Type.t_itermut t) = [#"../02_iter_mut.rs" 22 20 22 64] Seq.length (shallow_model1 ( ^ C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length (shallow_model1 ( * C02IterMut_IterMut_Type.itermut_inner self)) 
@@ -195,11 +202,15 @@ module C02IterMut_Impl1_ProducesTrans_Impl requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv2 self} ensures { result = to_mut_seq0 self } - axiom to_mut_seq0_spec : forall self : borrowed (slice t) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv1 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> ^ Seq.get (to_mut_seq0 self) i = index_logic1 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> * Seq.get (to_mut_seq0 self) i = index_logic1 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model0 self)) + axiom to_mut_seq0_spec : forall self : borrowed (slice t) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv1 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> ^ Seq.get (to_mut_seq0 self) i = index_logic1 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 
0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> * Seq.get (to_mut_seq0 self) i = index_logic1 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model0 self)) predicate produces0 [#"../02_iter_mut.rs" 37 4 37 65] (self : C02IterMut_IterMut_Type.t_itermut t) (visited : Seq.seq (borrowed t)) (tl : C02IterMut_IterMut_Type.t_itermut t) = - [#"../02_iter_mut.rs" 39 12 43 13] Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length visited + Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner tl)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) -> * Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = * Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i /\ ^ Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = ^ Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i) + [#"../02_iter_mut.rs" 39 12 43 13] Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length visited + Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner tl)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) + -> * Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = * Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i /\ ^ Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = ^ Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i) val produces0 [#"../02_iter_mut.rs" 37 4 37 65] (self : C02IterMut_IterMut_Type.t_itermut t) (visited : Seq.seq (borrowed t)) (tl : C02IterMut_IterMut_Type.t_itermut t) : bool ensures { result = produces0 self visited tl } 
@@ -210,7 +221,14 @@ module C02IterMut_Impl1_ProducesTrans_Impl constant c : C02IterMut_IterMut_Type.t_itermut t function produces_trans [#"../02_iter_mut.rs" 57 4 57 90] (a : C02IterMut_IterMut_Type.t_itermut t) (ab : Seq.seq (borrowed t)) (b : C02IterMut_IterMut_Type.t_itermut t) (bc : Seq.seq (borrowed t)) (c : C02IterMut_IterMut_Type.t_itermut t) : () - goal vc_produces_trans : ([#"../02_iter_mut.rs" 57 82 57 83] inv0 c) -> ([#"../02_iter_mut.rs" 57 61 57 63] inv1 bc) -> ([#"../02_iter_mut.rs" 57 52 57 53] inv0 b) -> ([#"../02_iter_mut.rs" 57 31 57 33] inv1 ab) -> ([#"../02_iter_mut.rs" 57 22 57 23] inv0 a) -> ([#"../02_iter_mut.rs" 55 15 55 32] produces0 b bc c) -> ([#"../02_iter_mut.rs" 54 15 54 32] produces0 a ab b) -> ([#"../02_iter_mut.rs" 56 14 56 42] produces0 a (Seq.(++) ab bc) c) + goal vc_produces_trans : ([#"../02_iter_mut.rs" 57 82 57 83] inv0 c) + -> ([#"../02_iter_mut.rs" 57 61 57 63] inv1 bc) + -> ([#"../02_iter_mut.rs" 57 52 57 53] inv0 b) + -> ([#"../02_iter_mut.rs" 57 31 57 33] inv1 ab) + -> ([#"../02_iter_mut.rs" 57 22 57 23] inv0 a) + -> ([#"../02_iter_mut.rs" 55 15 55 32] produces0 b bc c) + -> ([#"../02_iter_mut.rs" 54 15 54 32] produces0 a ab b) + -> ([#"../02_iter_mut.rs" 56 14 56 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = 
@@ -261,7 +279,8 @@ module C02IterMut_Impl1_Next requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv5 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model0 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv5 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model0 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) use C02IterMut_IterMut_Type as C02IterMut_IterMut_Type predicate invariant6 [#"../02_iter_mut.rs" 20 4 20 30] (self : C02IterMut_IterMut_Type.t_itermut t) = [#"../02_iter_mut.rs" 22 20 22 64] Seq.length (shallow_model0 ( ^ C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length (shallow_model0 ( * C02IterMut_IterMut_Type.itermut_inner self)) 
@@ -337,11 +356,15 @@ module C02IterMut_Impl1_Next requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv0 self} ensures { result = to_mut_seq0 self } - axiom to_mut_seq0_spec : forall self : borrowed (slice t) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv7 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> ^ Seq.get (to_mut_seq0 self) i = index_logic0 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> * Seq.get (to_mut_seq0 self) i = index_logic0 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model1 self)) + axiom to_mut_seq0_spec : forall self : borrowed (slice t) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv7 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> ^ Seq.get (to_mut_seq0 self) i = index_logic0 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 
0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> * Seq.get (to_mut_seq0 self) i = index_logic0 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model1 self)) predicate produces0 [#"../02_iter_mut.rs" 37 4 37 65] (self : C02IterMut_IterMut_Type.t_itermut t) (visited : Seq.seq (borrowed t)) (tl : C02IterMut_IterMut_Type.t_itermut t) = - [#"../02_iter_mut.rs" 39 12 43 13] Seq.length (shallow_model1 (C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length visited + Seq.length (shallow_model1 (C02IterMut_IterMut_Type.itermut_inner tl)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 (C02IterMut_IterMut_Type.itermut_inner self)) -> * Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = * Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i /\ ^ Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = ^ Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i) + [#"../02_iter_mut.rs" 39 12 43 13] Seq.length (shallow_model1 (C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length visited + Seq.length (shallow_model1 (C02IterMut_IterMut_Type.itermut_inner tl)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 (C02IterMut_IterMut_Type.itermut_inner self)) + -> * Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = * Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i /\ ^ Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = ^ Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i) val produces0 [#"../02_iter_mut.rs" 37 4 37 65] (self : C02IterMut_IterMut_Type.t_itermut t) (visited : Seq.seq (borrowed t)) (tl : C02IterMut_IterMut_Type.t_itermut t) : bool ensures { result = produces0 self visited tl } 
@@ -451,7 +474,8 @@ module C02IterMut_Impl2_IntoIter requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv3 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model0 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv3 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model0 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) use C02IterMut_IterMut_Type as C02IterMut_IterMut_Type predicate invariant0 [#"../02_iter_mut.rs" 20 4 20 30] (self : C02IterMut_IterMut_Type.t_itermut t) = [#"../02_iter_mut.rs" 22 20 22 64] Seq.length (shallow_model0 ( ^ C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length (shallow_model0 ( * C02IterMut_IterMut_Type.itermut_inner self)) 
@@ -572,7 +596,8 @@ module C02IterMut_IterMut requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv1 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv6 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model2 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv6 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model2 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) use C02IterMut_IterMut_Type as C02IterMut_IterMut_Type predicate invariant4 [#"../02_iter_mut.rs" 20 4 20 30] (self : C02IterMut_IterMut_Type.t_itermut t) = [#"../02_iter_mut.rs" 22 20 22 64] Seq.length (shallow_model2 ( ^ C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length (shallow_model2 ( * C02IterMut_IterMut_Type.itermut_inner self)) 
@@ -616,7 +641,8 @@ module C02IterMut_IterMut requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv6 (shallow_model3 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -777,7 +803,8 @@ module C02IterMut_AllZero requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv5 (shallow_model1 self) val invariant4 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -829,7 +856,8 @@ module C02IterMut_AllZero requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : slice usize . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv5 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model4 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : slice usize . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv5 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model4 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) function index_logic4 [@inline:trivial] (self : slice usize) (ix : int) : usize = [#"../../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model4 self) ix val index_logic4 [@inline:trivial] (self : slice usize) (ix : int) : usize 
@@ -846,11 +874,15 @@ module C02IterMut_AllZero requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv7 self} ensures { result = to_mut_seq0 self } - axiom to_mut_seq0_spec : forall self : borrowed (slice usize) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv8 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> ^ Seq.get (to_mut_seq0 self) i = index_logic4 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> * Seq.get (to_mut_seq0 self) i = index_logic4 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model3 self)) + axiom to_mut_seq0_spec : forall self : borrowed (slice usize) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv8 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> ^ Seq.get (to_mut_seq0 self) i = index_logic4 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 
0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> * Seq.get (to_mut_seq0 self) i = index_logic4 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model3 self)) predicate produces0 [#"../02_iter_mut.rs" 37 4 37 65] (self : C02IterMut_IterMut_Type.t_itermut usize) (visited : Seq.seq (borrowed usize)) (tl : C02IterMut_IterMut_Type.t_itermut usize) = - [#"../02_iter_mut.rs" 39 12 43 13] Seq.length (shallow_model3 (C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length visited + Seq.length (shallow_model3 (C02IterMut_IterMut_Type.itermut_inner tl)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 (C02IterMut_IterMut_Type.itermut_inner self)) -> * Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = * Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i /\ ^ Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = ^ Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i) + [#"../02_iter_mut.rs" 39 12 43 13] Seq.length (shallow_model3 (C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length visited + Seq.length (shallow_model3 (C02IterMut_IterMut_Type.itermut_inner tl)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 (C02IterMut_IterMut_Type.itermut_inner self)) + -> * Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = * Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i /\ ^ Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = ^ Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i) val produces0 [#"../02_iter_mut.rs" 37 4 37 65] (self : C02IterMut_IterMut_Type.t_itermut usize) (visited : Seq.seq (borrowed usize)) (tl : C02IterMut_IterMut_Type.t_itermut usize) : bool ensures { result = produces0 self visited tl } 
@@ -868,7 +900,14 @@ module C02IterMut_AllZero requires {[#"../02_iter_mut.rs" 57 82 57 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : C02IterMut_IterMut_Type.t_itermut usize, ab : Seq.seq (borrowed usize), b : C02IterMut_IterMut_Type.t_itermut usize, bc : Seq.seq (borrowed usize), c : C02IterMut_IterMut_Type.t_itermut usize . ([#"../02_iter_mut.rs" 54 15 54 32] produces0 a ab b) -> ([#"../02_iter_mut.rs" 55 15 55 32] produces0 b bc c) -> ([#"../02_iter_mut.rs" 57 22 57 23] inv0 a) -> ([#"../02_iter_mut.rs" 57 31 57 33] inv8 ab) -> ([#"../02_iter_mut.rs" 57 52 57 53] inv0 b) -> ([#"../02_iter_mut.rs" 57 61 57 63] inv8 bc) -> ([#"../02_iter_mut.rs" 57 82 57 83] inv0 c) -> ([#"../02_iter_mut.rs" 56 14 56 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : C02IterMut_IterMut_Type.t_itermut usize, ab : Seq.seq (borrowed usize), b : C02IterMut_IterMut_Type.t_itermut usize, bc : Seq.seq (borrowed usize), c : C02IterMut_IterMut_Type.t_itermut usize . ([#"../02_iter_mut.rs" 54 15 54 32] produces0 a ab b) + -> ([#"../02_iter_mut.rs" 55 15 55 32] produces0 b bc c) + -> ([#"../02_iter_mut.rs" 57 22 57 23] inv0 a) + -> ([#"../02_iter_mut.rs" 57 31 57 33] inv8 ab) + -> ([#"../02_iter_mut.rs" 57 52 57 53] inv0 b) + -> ([#"../02_iter_mut.rs" 57 61 57 63] inv8 bc) + -> ([#"../02_iter_mut.rs" 57 82 57 83] inv0 c) + -> ([#"../02_iter_mut.rs" 56 14 56 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../02_iter_mut.rs" 50 4 50 26] (self : C02IterMut_IterMut_Type.t_itermut usize) : () = [#"../02_iter_mut.rs" 47 4 47 10] () 
@@ -876,7 +915,8 @@ module C02IterMut_AllZero requires {[#"../02_iter_mut.rs" 50 21 50 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : C02IterMut_IterMut_Type.t_itermut usize . ([#"../02_iter_mut.rs" 50 21 50 25] inv0 self) -> ([#"../02_iter_mut.rs" 49 14 49 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : C02IterMut_IterMut_Type.t_itermut usize . ([#"../02_iter_mut.rs" 50 21 50 25] inv0 self) + -> ([#"../02_iter_mut.rs" 49 14 49 45] produces0 self (Seq.empty ) self) predicate invariant0 [#"../02_iter_mut.rs" 20 4 20 30] (self : C02IterMut_IterMut_Type.t_itermut usize) = [#"../02_iter_mut.rs" 22 20 22 64] Seq.length (shallow_model4 ( ^ C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length (shallow_model4 ( * C02IterMut_IterMut_Type.itermut_inner self)) val invariant0 [#"../02_iter_mut.rs" 20 4 20 30] (self : C02IterMut_IterMut_Type.t_itermut usize) : bool @@ -957,7 +997,8 @@ module C02IterMut_AllZero let rec cfg all_zero [#"../02_iter_mut.rs" 84 0 84 35] [@cfg:stackify] [@cfg:subregion_analysis] (v : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : () ensures { [#"../02_iter_mut.rs" 82 10 82 33] Seq.length (shallow_model1 ( ^ v)) = Seq.length (shallow_model2 v) } - ensures { [#"../02_iter_mut.rs" 83 0 83 66] forall i : int . 0 <= i /\ i < Seq.length (shallow_model2 v) -> UIntSize.to_int (index_logic1 ( ^ v) i) = 0 } + ensures { [#"../02_iter_mut.rs" 83 0 83 66] forall i : int . 0 <= i /\ i < Seq.length (shallow_model2 v) + -> UIntSize.to_int (index_logic1 ( ^ v) i) = 0 } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); 
@@ -1000,7 +1041,8 @@ module C02IterMut_AllZero BB5 { invariant { [#"../02_iter_mut.rs" 88 16 88 23] inv0 it }; invariant { [#"../02_iter_mut.rs" 89 16 89 55] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) it }; - invariant { [#"../02_iter_mut.rs" 88 4 88 25] forall i : int . 0 <= i /\ i < Seq.length (Snapshot.inner produced) -> UIntSize.to_int ( ^ index_logic0 produced i) = 0 }; + invariant { [#"../02_iter_mut.rs" 88 4 88 25] forall i : int . 0 <= i /\ i < Seq.length (Snapshot.inner produced) + -> UIntSize.to_int ( ^ index_logic0 produced i) = 0 }; goto BB6 } BB6 { @@ -1018,7 +1060,7 @@ module C02IterMut_AllZero end } BB8 { - [#"../02_iter_mut.rs" 97 20 97 25] _0 <- ([#"../02_iter_mut.rs" 97 20 97 25] ()); + [#"../02_iter_mut.rs" 97 20 97 25] _0 <- ([#"../02_iter_mut.rs" 97 20 97 25] [#"../02_iter_mut.rs" 97 20 97 25] ()); assume { resolve1 v }; return _0 } @@ -1039,7 +1081,7 @@ module C02IterMut_AllZero BB12 { [#"../02_iter_mut.rs" 94 16 94 75] produced <- ([#"../02_iter_mut.rs" 94 16 94 75] _19); _19 <- any Snapshot.snap_ty (Seq.seq (borrowed usize)); - [#"../02_iter_mut.rs" 95 16 95 22] x <- { x with current = ([#"../02_iter_mut.rs" 95 16 95 22] (0 : usize)) ; }; + [#"../02_iter_mut.rs" 95 16 95 22] x <- { x with current = ([#"../02_iter_mut.rs" 95 16 95 22] [#"../02_iter_mut.rs" 95 21 95 22] (0 : usize)) ; }; assume { resolve0 x }; goto BB5 } 
@@ -1101,7 +1143,8 @@ module C02IterMut_Impl1 requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv5 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv6 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv6 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) use C02IterMut_IterMut_Type as C02IterMut_IterMut_Type predicate invariant2 [#"../02_iter_mut.rs" 20 4 20 30] (self : C02IterMut_IterMut_Type.t_itermut t) = [#"../02_iter_mut.rs" 22 20 22 64] Seq.length (shallow_model1 ( ^ C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length (shallow_model1 ( * C02IterMut_IterMut_Type.itermut_inner self)) 
@@ -1155,11 +1198,15 @@ module C02IterMut_Impl1 requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv4 self} ensures { result = to_mut_seq0 self } - axiom to_mut_seq0_spec : forall self : borrowed (slice t) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv3 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> ^ Seq.get (to_mut_seq0 self) i = index_logic1 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> * Seq.get (to_mut_seq0 self) i = index_logic1 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model0 self)) + axiom to_mut_seq0_spec : forall self : borrowed (slice t) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv3 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> ^ Seq.get (to_mut_seq0 self) i = index_logic1 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 
0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> * Seq.get (to_mut_seq0 self) i = index_logic1 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model0 self)) predicate produces0 [#"../02_iter_mut.rs" 37 4 37 65] (self : C02IterMut_IterMut_Type.t_itermut t) (visited : Seq.seq (borrowed t)) (tl : C02IterMut_IterMut_Type.t_itermut t) = - [#"../02_iter_mut.rs" 39 12 43 13] Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length visited + Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner tl)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) -> * Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = * Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i /\ ^ Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = ^ Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i) + [#"../02_iter_mut.rs" 39 12 43 13] Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length visited + Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner tl)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) + -> * Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = * Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i /\ ^ Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = ^ Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i) val produces0 [#"../02_iter_mut.rs" 37 4 37 65] (self : C02IterMut_IterMut_Type.t_itermut t) (visited : Seq.seq (borrowed t)) (tl : C02IterMut_IterMut_Type.t_itermut t) : bool ensures { result = produces0 self visited tl } 
@@ -1176,13 +1223,18 @@ module C02IterMut_Impl1 val completed0 [#"../02_iter_mut.rs" 31 4 31 35] (self : borrowed (C02IterMut_IterMut_Type.t_itermut t)) : bool ensures { result = completed0 self } - goal next_refn : [#"../02_iter_mut.rs" 63 4 63 44] forall self : borrowed (C02IterMut_IterMut_Type.t_itermut t) . inv0 self -> inv0 self /\ (forall result : Core_Option_Option_Type.t_option (borrowed t) . inv1 result /\ match result with + goal next_refn : [#"../02_iter_mut.rs" 63 4 63 44] forall self : borrowed (C02IterMut_IterMut_Type.t_itermut t) . inv0 self + -> inv0 self /\ (forall result : Core_Option_Option_Type.t_option (borrowed t) . inv1 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv1 result /\ match result with + end + -> inv1 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) - goal produces_refl_refn : [#"../02_iter_mut.rs" 50 4 50 26] forall self : C02IterMut_IterMut_Type.t_itermut t . inv2 self -> inv2 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal produces_trans_refn : [#"../02_iter_mut.rs" 57 4 57 90] forall a : C02IterMut_IterMut_Type.t_itermut t . forall ab : Seq.seq (borrowed t) . forall b : C02IterMut_IterMut_Type.t_itermut t . forall bc : Seq.seq (borrowed t) . forall c : C02IterMut_IterMut_Type.t_itermut t . inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b -> inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) + goal produces_refl_refn : [#"../02_iter_mut.rs" 50 4 50 26] forall self : C02IterMut_IterMut_Type.t_itermut t . inv2 self + -> inv2 self /\ (forall result : () . 
produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal produces_trans_refn : [#"../02_iter_mut.rs" 57 4 57 90] forall a : C02IterMut_IterMut_Type.t_itermut t . forall ab : Seq.seq (borrowed t) . forall b : C02IterMut_IterMut_Type.t_itermut t . forall bc : Seq.seq (borrowed t) . forall c : C02IterMut_IterMut_Type.t_itermut t . inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b + -> inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) end diff --git a/creusot/tests/should_succeed/iterators/03_std_iterators.mlcfg b/creusot/tests/should_succeed/iterators/03_std_iterators.mlcfg index 1ba4247c45..738bfa46eb 100644 --- a/creusot/tests/should_succeed/iterators/03_std_iterators.mlcfg +++ b/creusot/tests/should_succeed/iterators/03_std_iterators.mlcfg 
@@ -96,7 +96,8 @@ module C03StdIterators_SliceIter requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv7 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model3 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv7 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model3 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) function index_logic1 [@inline:trivial] (self : slice t) (ix : int) : t = [#"../../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model3 self) ix val index_logic1 [@inline:trivial] (self : slice t) (ix : int) : t 
@@ -118,7 +119,9 @@ module C03StdIterators_SliceIter requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv0 self} ensures { result = to_ref_seq0 self } - axiom to_ref_seq0_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv5 (to_ref_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) -> Seq.get (to_ref_seq0 self) i = index_logic1 self i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model1 self)) + axiom to_ref_seq0_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv5 (to_ref_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) + -> Seq.get (to_ref_seq0 self) i = index_logic1 self i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model1 self)) function shallow_model2 (self : Core_Slice_Iter_Iter_Type.t_iter t) : slice t val shallow_model2 (self : Core_Slice_Iter_Iter_Type.t_iter t) : slice t ensures { result = shallow_model2 self } 
@@ -141,7 +144,11 @@ module C03StdIterators_SliceIter requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv5 bc} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter t, ab : Seq.seq t, b : Core_Slice_Iter_Iter_Type.t_iter t, bc : Seq.seq t, c : Core_Slice_Iter_Iter_Type.t_iter t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv5 ab) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv5 bc) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter t, ab : Seq.seq t, b : Core_Slice_Iter_Iter_Type.t_iter t, bc : Seq.seq t, c : Core_Slice_Iter_Iter_Type.t_iter t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv5 ab) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv5 bc) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Slice_Iter_Iter_Type.t_iter t) : () = [#"../../../../../creusot-contracts/src/std/slice.rs" 390 4 390 10] () 
@@ -268,7 +275,7 @@ module C03StdIterators_SliceIter goto BB0 } BB0 { - [#"../03_std_iterators.rs" 7 16 7 17] i <- ([#"../03_std_iterators.rs" 7 16 7 17] (0 : usize)); + [#"../03_std_iterators.rs" 7 16 7 17] i <- ([#"../03_std_iterators.rs" 7 16 7 17] [#"../03_std_iterators.rs" 7 16 7 17] (0 : usize)); assert { [@expl:type invariant] inv0 slice }; assume { resolve0 slice }; [#"../03_std_iterators.rs" 9 13 9 25] _7 <- ([#"../03_std_iterators.rs" 9 13 9 25] iter0 slice); @@ -346,7 +353,7 @@ module C03StdIterators_SliceIter assume { resolve2 produced }; assert { [@expl:type invariant] inv4 __creusot_proc_iter_elem }; assume { resolve5 __creusot_proc_iter_elem }; - [#"../03_std_iterators.rs" 10 8 10 14] i <- ([#"../03_std_iterators.rs" 10 8 10 14] i + (1 : usize)); + [#"../03_std_iterators.rs" 10 8 10 14] i <- ([#"../03_std_iterators.rs" 10 8 10 14] i + ([#"../03_std_iterators.rs" 10 13 10 14] (1 : usize))); goto BB5 } 
@@ -418,7 +425,8 @@ module C03StdIterators_VecIter requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant7 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv8 (shallow_model3 self) val invariant7 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -472,7 +480,8 @@ module C03StdIterators_VecIter requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv9 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv9 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv8 (shallow_model6 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv9 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv8 (shallow_model6 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) function index_logic1 [@inline:trivial] (self : slice t) (ix : int) : t = [#"../../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model6 self) ix val index_logic1 [@inline:trivial] (self : slice t) (ix : int) : t 
@@ -490,7 +499,9 @@ module C03StdIterators_VecIter requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv6 self} ensures { result = to_ref_seq0 self } - axiom to_ref_seq0_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv5 (to_ref_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) -> Seq.get (to_ref_seq0 self) i = index_logic1 self i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model4 self)) + axiom to_ref_seq0_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv5 (to_ref_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) + -> Seq.get (to_ref_seq0 self) i = index_logic1 self i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model4 self)) function shallow_model2 (self : Core_Slice_Iter_Iter_Type.t_iter t) : slice t val shallow_model2 (self : Core_Slice_Iter_Iter_Type.t_iter t) : slice t ensures { result = shallow_model2 self } 
@@ -513,7 +524,11 @@ module C03StdIterators_VecIter requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv5 bc} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter t, ab : Seq.seq t, b : Core_Slice_Iter_Iter_Type.t_iter t, bc : Seq.seq t, c : Core_Slice_Iter_Iter_Type.t_iter t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv5 ab) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv5 bc) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter t, ab : Seq.seq t, b : Core_Slice_Iter_Iter_Type.t_iter t, bc : Seq.seq t, c : Core_Slice_Iter_Iter_Type.t_iter t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv5 ab) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv5 bc) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Slice_Iter_Iter_Type.t_iter t) : () = [#"../../../../../creusot-contracts/src/std/slice.rs" 390 4 390 10] () 
@@ -645,7 +660,7 @@ module C03StdIterators_VecIter goto BB0 } BB0 { - [#"../03_std_iterators.rs" 18 16 18 17] i <- ([#"../03_std_iterators.rs" 18 16 18 17] (0 : usize)); + [#"../03_std_iterators.rs" 18 16 18 17] i <- ([#"../03_std_iterators.rs" 18 16 18 17] [#"../03_std_iterators.rs" 18 16 18 17] (0 : usize)); assert { [@expl:type invariant] inv0 vec }; assume { resolve0 vec }; [#"../03_std_iterators.rs" 19 4 19 38] iter <- ([#"../03_std_iterators.rs" 19 4 19 38] into_iter0 vec); @@ -718,7 +733,7 @@ module C03StdIterators_VecIter assume { resolve2 produced }; assert { [@expl:type invariant] inv4 __creusot_proc_iter_elem }; assume { resolve5 __creusot_proc_iter_elem }; - [#"../03_std_iterators.rs" 21 8 21 14] i <- ([#"../03_std_iterators.rs" 21 8 21 14] i + (1 : usize)); + [#"../03_std_iterators.rs" 21 8 21 14] i <- ([#"../03_std_iterators.rs" 21 8 21 14] i + ([#"../03_std_iterators.rs" 21 13 21 14] (1 : usize))); goto BB4 } 
@@ -783,7 +798,8 @@ module C03StdIterators_AllZero requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv5 (shallow_model1 self) val invariant4 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -830,7 +846,8 @@ module C03StdIterators_AllZero requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : slice usize . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv5 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model4 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : slice usize . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv5 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model4 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) function index_logic4 [@inline:trivial] (self : slice usize) (ix : int) : usize = [#"../../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model4 self) ix val index_logic4 [@inline:trivial] (self : slice usize) (ix : int) : usize 
@@ -848,7 +865,10 @@ module C03StdIterators_AllZero requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv2 self} ensures { result = to_mut_seq0 self } - axiom to_mut_seq0_spec : forall self : borrowed (slice usize) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv7 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> ^ Seq.get (to_mut_seq0 self) i = index_logic4 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> * Seq.get (to_mut_seq0 self) i = index_logic4 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model3 self)) + axiom to_mut_seq0_spec : forall self : borrowed (slice usize) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv7 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> ^ Seq.get (to_mut_seq0 self) i = index_logic4 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> * Seq.get (to_mut_seq0 self) i = index_logic4 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model3 self)) function shallow_model5 (self : Core_Slice_Iter_IterMut_Type.t_itermut usize) : borrowed (slice usize) val shallow_model5 (self : Core_Slice_Iter_IterMut_Type.t_itermut usize) : borrowed (slice usize) ensures { result = shallow_model5 self } 
@@ -872,7 +892,11 @@ module C03StdIterators_AllZero requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 449 61 449 63] inv7 bc} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Slice_Iter_IterMut_Type.t_itermut usize, ab : Seq.seq (borrowed usize), b : Core_Slice_Iter_IterMut_Type.t_itermut usize, bc : Seq.seq (borrowed usize), c : Core_Slice_Iter_IterMut_Type.t_itermut usize . ([#"../../../../../creusot-contracts/src/std/slice.rs" 446 15 446 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 447 15 447 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 449 31 449 33] inv7 ab) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 449 61 449 63] inv7 bc) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 448 14 448 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Slice_Iter_IterMut_Type.t_itermut usize, ab : Seq.seq (borrowed usize), b : Core_Slice_Iter_IterMut_Type.t_itermut usize, bc : Seq.seq (borrowed usize), c : Core_Slice_Iter_IterMut_Type.t_itermut usize . ([#"../../../../../creusot-contracts/src/std/slice.rs" 446 15 446 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 447 15 447 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 449 31 449 33] inv7 ab) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 449 61 449 63] inv7 bc) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 448 14 448 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Slice_Iter_IterMut_Type.t_itermut usize) : () = [#"../../../../../creusot-contracts/src/std/slice.rs" 439 4 439 10] () 
@@ -991,7 +1015,8 @@ module C03StdIterators_AllZero let rec cfg all_zero [#"../03_std_iterators.rs" 28 0 28 35] [@cfg:stackify] [@cfg:subregion_analysis] (v : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : () ensures { [#"../03_std_iterators.rs" 26 10 26 33] Seq.length (shallow_model1 ( ^ v)) = Seq.length (shallow_model2 v) } - ensures { [#"../03_std_iterators.rs" 27 0 27 66] forall i : int . 0 <= i /\ i < Seq.length (shallow_model2 v) -> UIntSize.to_int (index_logic1 ( ^ v) i) = 0 } + ensures { [#"../03_std_iterators.rs" 27 0 27 66] forall i : int . 0 <= i /\ i < Seq.length (shallow_model2 v) + -> UIntSize.to_int (index_logic1 ( ^ v) i) = 0 } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); @@ -1046,7 +1071,8 @@ module C03StdIterators_AllZero BB6 { invariant { [#"../03_std_iterators.rs" 29 4 29 87] inv0 iter }; invariant { [#"../03_std_iterators.rs" 29 4 29 87] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; - invariant { [#"../03_std_iterators.rs" 29 4 29 87] forall i : int . 0 <= i /\ i < Seq.length (Snapshot.inner produced) -> UIntSize.to_int ( ^ index_logic0 produced i) = 0 }; + invariant { [#"../03_std_iterators.rs" 29 4 29 87] forall i : int . 0 <= i /\ i < Seq.length (Snapshot.inner produced) + -> UIntSize.to_int ( ^ index_logic0 produced i) = 0 }; goto BB7 } BB7 { @@ -1067,7 +1093,7 @@ module C03StdIterators_AllZero } BB9 { assume { resolve3 iter }; - [#"../03_std_iterators.rs" 29 4 29 87] _0 <- ([#"../03_std_iterators.rs" 29 4 29 87] ()); + [#"../03_std_iterators.rs" 29 4 29 87] _0 <- ([#"../03_std_iterators.rs" 29 4 29 87] [#"../03_std_iterators.rs" 29 4 29 87] ()); assume { resolve4 v }; return _0 } 
@@ -1091,7 +1117,7 @@ module C03StdIterators_AllZero _22 <- any Snapshot.snap_ty (Seq.seq (borrowed usize)); [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] x <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem); __creusot_proc_iter_elem <- any borrowed usize; - [#"../03_std_iterators.rs" 31 8 31 14] x <- { x with current = ([#"../03_std_iterators.rs" 31 8 31 14] (0 : usize)) ; }; + [#"../03_std_iterators.rs" 31 8 31 14] x <- { x with current = ([#"../03_std_iterators.rs" 31 8 31 14] [#"../03_std_iterators.rs" 31 13 31 14] (0 : usize)) ; }; assume { resolve2 x }; goto BB6 } 
@@ -1149,14 +1175,22 @@ module C03StdIterators_SkipTake requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv2 c} ensures { result = produces_trans2 a ab b bc c } - axiom produces_trans2_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces2 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces2 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv2 a) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv6 ab) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv2 b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv6 bc) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv2 c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces2 a (Seq.(++) ab bc) c) + axiom produces_trans2_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces2 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces2 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv2 a) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv6 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv2 b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv6 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv2 c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces2 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl2 (self : i) : () val produces_refl2 (self : i) : () requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv2 self} ensures { result = produces_refl2 self } - axiom produces_refl2_spec : forall self : i . 
([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces2 self (Seq.empty ) self) + axiom produces_refl2_spec : forall self : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces2 self (Seq.empty ) self) use Core_Iter_Adapters_Take_Take_Type as Core_Iter_Adapters_Take_Take_Type predicate inv3 (_x : Core_Iter_Adapters_Take_Take_Type.t_take i) val inv3 (_x : Core_Iter_Adapters_Take_Take_Type.t_take i) : bool @@ -1177,7 +1211,8 @@ module C03StdIterators_SkipTake requires {[#"../../../../../creusot-contracts/src/std/iter/take.rs" 34 9 34 13] inv3 self} ensures { result = n0 self } - axiom n0_spec : forall self : Core_Iter_Adapters_Take_Take_Type.t_take i . ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 34 9 34 13] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 33 14 33 50] n0 self >= 0 /\ n0 self <= UIntSize.to_int max0) + axiom n0_spec : forall self : Core_Iter_Adapters_Take_Take_Type.t_take i . ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 34 9 34 13] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 33 14 33 50] n0 self >= 0 /\ n0 self <= UIntSize.to_int max0) predicate produces1 (self : Core_Iter_Adapters_Take_Take_Type.t_take i) (visited : Seq.seq item0) (o : Core_Iter_Adapters_Take_Take_Type.t_take i) = 
@@ -1197,13 +1232,21 @@ module C03StdIterators_SkipTake requires {[#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 82 78 83] inv3 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : Core_Iter_Adapters_Take_Take_Type.t_take i, ab : Seq.seq item0, b : Core_Iter_Adapters_Take_Take_Type.t_take i, bc : Seq.seq item0, c : Core_Iter_Adapters_Take_Take_Type.t_take i . ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 75 15 75 32] produces1 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 76 15 76 32] produces1 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 22 78 23] inv3 a) -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 31 78 33] inv6 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 52 78 53] inv3 b) -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 61 78 63] inv6 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 82 78 83] inv3 c) -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 77 14 77 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : Core_Iter_Adapters_Take_Take_Type.t_take i, ab : Seq.seq item0, b : Core_Iter_Adapters_Take_Take_Type.t_take i, bc : Seq.seq item0, c : Core_Iter_Adapters_Take_Take_Type.t_take i . 
([#"../../../../../creusot-contracts/src/std/iter/take.rs" 75 15 75 32] produces1 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 76 15 76 32] produces1 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 22 78 23] inv3 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 31 78 33] inv6 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 52 78 53] inv3 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 61 78 63] inv6 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 82 78 83] inv3 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 77 14 77 42] produces1 a (Seq.(++) ab bc) c) function produces_refl1 (self : Core_Iter_Adapters_Take_Take_Type.t_take i) : () val produces_refl1 (self : Core_Iter_Adapters_Take_Take_Type.t_take i) : () requires {[#"../../../../../creusot-contracts/src/std/iter/take.rs" 71 21 71 25] inv3 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : Core_Iter_Adapters_Take_Take_Type.t_take i . ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 71 21 71 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 70 14 70 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : Core_Iter_Adapters_Take_Take_Type.t_take i . ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 71 21 71 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 70 14 70 45] produces1 self (Seq.empty ) self) predicate invariant6 (self : Seq.seq item0) val invariant6 (self : Seq.seq item0) : bool ensures { result = invariant6 self } 
@@ -1238,11 +1281,13 @@ module C03StdIterators_SkipTake requires {[#"../../../../../creusot-contracts/src/std/iter/skip.rs" 23 9 23 13] inv0 self} ensures { result = n1 self } - axiom n1_spec : forall self : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i) . ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 23 9 23 13] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 22 14 22 50] n1 self >= 0 /\ n1 self <= UIntSize.to_int max0) + axiom n1_spec : forall self : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i) . ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 23 9 23 13] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 22 14 22 50] n1 self >= 0 /\ n1 self <= UIntSize.to_int max0) predicate produces0 (self : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i)) (visited : Seq.seq item0) (o : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i)) = - [#"../../../../../creusot-contracts/src/std/iter/skip.rs" 57 8 64 9] visited = Seq.empty /\ self = o \/ n1 o = 0 /\ Seq.length visited > 0 /\ (exists s : Seq.seq item0 . inv6 s /\ Seq.length s = n1 self /\ produces1 (iter1 self) (Seq.(++) s visited) (iter1 o) /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve3 (Seq.get s i))) + [#"../../../../../creusot-contracts/src/std/iter/skip.rs" 57 8 64 9] visited = Seq.empty /\ self = o \/ n1 o = 0 /\ Seq.length visited > 0 /\ (exists s : Seq.seq item0 . inv6 s /\ Seq.length s = n1 self /\ produces1 (iter1 self) (Seq.(++) s visited) (iter1 o) /\ (forall i : int . 
0 <= i /\ i < Seq.length s + -> resolve3 (Seq.get s i))) val produces0 (self : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i)) (visited : Seq.seq item0) (o : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i)) : bool ensures { result = produces0 self visited o } 
@@ -1258,14 +1303,22 @@ module C03StdIterators_SkipTake requires {[#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 82 77 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i), ab : Seq.seq item0, b : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i), bc : Seq.seq item0, c : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i) . ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 74 15 74 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 75 15 75 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 22 77 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 31 77 33] inv6 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 52 77 53] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 61 77 63] inv6 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 82 77 83] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 76 14 76 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i), ab : Seq.seq item0, b : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i), bc : Seq.seq item0, c : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i) . 
([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 74 15 74 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 75 15 75 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 22 77 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 31 77 33] inv6 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 52 77 53] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 61 77 63] inv6 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 82 77 83] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 76 14 76 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 (self : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i)) : () val produces_refl0 (self : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i)) : () requires {[#"../../../../../creusot-contracts/src/std/iter/skip.rs" 70 21 70 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i) . ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 70 21 70 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 69 14 69 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i) . 
([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 70 21 70 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 69 14 69 45] produces0 self (Seq.empty ) self) predicate invariant4 (self : borrowed (Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i))) val invariant4 (self : borrowed (Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i))) : bool @@ -1329,7 +1382,8 @@ module C03StdIterators_SkipTake requires {[#"../../../../../creusot-contracts/src/std/iter/take.rs" 26 21 26 25] inv5 self} ensures { result = iter_mut0 self } - axiom iter_mut0_spec : forall self : borrowed (Core_Iter_Adapters_Take_Take_Type.t_take i) . ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 26 21 26 25] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 26 4 26 36] inv7 (iter_mut0 self)) && ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 25 14 25 68] iter0 ( * self) = * iter_mut0 self /\ iter0 ( ^ self) = ^ iter_mut0 self) + axiom iter_mut0_spec : forall self : borrowed (Core_Iter_Adapters_Take_Take_Type.t_take i) . ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 26 21 26 25] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 26 4 26 36] inv7 (iter_mut0 self)) && ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 25 14 25 68] iter0 ( * self) = * iter_mut0 self /\ iter0 ( ^ self) = ^ iter_mut0 self) predicate resolve5 (self : borrowed (Core_Iter_Adapters_Take_Take_Type.t_take i)) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve5 (self : borrowed (Core_Iter_Adapters_Take_Take_Type.t_take i)) : bool 
@@ -1343,7 +1397,8 @@ module C03StdIterators_SkipTake predicate completed0 (self : borrowed (Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i))) = - [#"../../../../../creusot-contracts/src/std/iter/skip.rs" 43 8 51 9] n1 ( ^ self) = 0 /\ (exists i : borrowed (Core_Iter_Adapters_Take_Take_Type.t_take i) . exists s : Seq.seq item0 . inv5 i /\ inv6 s /\ Seq.length s <= n1 ( * self) /\ produces1 (iter1 ( * self)) s ( * i) /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve3 (Seq.get s i)) /\ completed1 i /\ ^ i = iter1 ( ^ self)) + [#"../../../../../creusot-contracts/src/std/iter/skip.rs" 43 8 51 9] n1 ( ^ self) = 0 /\ (exists i : borrowed (Core_Iter_Adapters_Take_Take_Type.t_take i) . exists s : Seq.seq item0 . inv5 i /\ inv6 s /\ Seq.length s <= n1 ( * self) /\ produces1 (iter1 ( * self)) s ( * i) /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> resolve3 (Seq.get s i)) /\ completed1 i /\ ^ i = iter1 ( ^ self)) val completed0 (self : borrowed (Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i))) : bool ensures { result = completed0 self } @@ -1409,7 +1464,7 @@ module C03StdIterators_SkipTake goto BB5 } BB5 { - [#"../03_std_iterators.rs" 35 49 39 1] _0 <- ([#"../03_std_iterators.rs" 35 49 39 1] ()); + [#"../03_std_iterators.rs" 35 49 39 1] _0 <- ([#"../03_std_iterators.rs" 35 49 39 1] [#"../03_std_iterators.rs" 35 49 39 1] ()); goto BB6 } BB6 { 
@@ -1477,7 +1532,7 @@ module C03StdIterators_Counter_Closure0 goto BB0 } BB0 { - [#"../03_std_iterators.rs" 50 16 50 24] _1 <- { _1 with current = (let C03StdIterators_Counter_Closure0.C03StdIterators_Counter_Closure0 x0 = * _1 in C03StdIterators_Counter_Closure0.C03StdIterators_Counter_Closure0 ({ (field_00 ( * _1)) with current = ([#"../03_std_iterators.rs" 50 16 50 24] * field_00 ( * _1) + (1 : usize)) ; })) ; }; + [#"../03_std_iterators.rs" 50 16 50 24] _1 <- { _1 with current = (let C03StdIterators_Counter_Closure0.C03StdIterators_Counter_Closure0 x0 = * _1 in C03StdIterators_Counter_Closure0.C03StdIterators_Counter_Closure0 ({ (field_00 ( * _1)) with current = ([#"../03_std_iterators.rs" 50 16 50 24] * field_00 ( * _1) + ([#"../03_std_iterators.rs" 50 23 50 24] (1 : usize))) ; })) ; }; assume { resolve0 _1 }; [#"../03_std_iterators.rs" 51 16 51 18] res1 <- ([#"../03_std_iterators.rs" 51 16 51 18] x); [#"../03_std_iterators.rs" 47 12 47 67] res <- ([#"../03_std_iterators.rs" 47 12 47 67] res1); 
@@ -1606,7 +1661,8 @@ module C03StdIterators_Counter requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant8 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv6 (shallow_model0 self) val invariant8 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1655,7 +1711,8 @@ module C03StdIterators_Counter requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv14 self} ensures { result = shallow_model5 self } - axiom shallow_model5_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv14 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv6 (shallow_model5 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model5 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max0) + axiom shallow_model5_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv14 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv6 (shallow_model5 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model5 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max0) function index_logic4 [@inline:trivial] (self : slice uint32) (ix : int) : uint32 = [#"../../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model5 self) ix val index_logic4 [@inline:trivial] (self : slice uint32) (ix : int) : uint32 
@@ -1675,7 +1732,9 @@ module C03StdIterators_Counter requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv1 self} ensures { result = to_ref_seq0 self } - axiom to_ref_seq0_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv9 (to_ref_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) -> Seq.get (to_ref_seq0 self) i = index_logic4 self i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model2 self)) + axiom to_ref_seq0_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv9 (to_ref_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) + -> Seq.get (to_ref_seq0 self) i = index_logic4 self i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model2 self)) function shallow_model4 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) : slice uint32 val shallow_model4 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) : slice uint32 ensures { result = shallow_model4 self } 
@@ -1690,11 +1749,13 @@ module C03StdIterators_Counter predicate produces1 [@inline:trivial] (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (visited : Seq.seq uint32) (succ : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9] unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ) /\ (exists s : Seq.seq uint32 . inv9 s /\ Seq.length s = Seq.length visited /\ produces0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter self) s (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter succ) /\ Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced succ) = Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) s /\ (exists fs : Seq.seq (borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) . inv13 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9] unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ) /\ (exists s : Seq.seq uint32 . 
inv9 s /\ Seq.length s = Seq.length visited /\ produces0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter self) s (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter succ) /\ Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced succ) = Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) s /\ (exists fs : Seq.seq (borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) . inv13 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ else * Seq.get fs 0 = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self /\ ^ Seq.get fs (Seq.length visited - 1) = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces1 [@inline:trivial] (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (visited : Seq.seq uint32) (succ : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) : bool ensures { result = produces1 self visited succ } 
@@ -1710,7 +1771,14 @@ module C03StdIterators_Counter requires {[#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 82 31 83] inv5 c} ensures { result = produces_trans2 a ab b bc c } - axiom produces_trans2_spec : forall a : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0, ab : Seq.seq uint32, b : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0, bc : Seq.seq uint32, c : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32] produces1 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32] produces1 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 22 31 23] inv5 a) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 31 31 33] inv6 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 52 31 53] inv5 b) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 61 31 63] inv6 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 82 31 83] inv5 c) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans2_spec : forall a : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0, ab : Seq.seq uint32, b : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0, bc : Seq.seq uint32, c : 
CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32] produces1 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32] produces1 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 22 31 23] inv5 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 31 31 33] inv6 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 52 31 53] inv5 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 61 31 63] inv6 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 82 31 83] inv5 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl2 (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) : () 
@@ -1718,7 +1786,8 @@ module C03StdIterators_Counter requires {[#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 24 21 24 25] inv5 self} ensures { result = produces_refl2 self } - axiom produces_refl2_spec : forall self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 24 21 24 25] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45] produces1 self (Seq.empty ) self) + axiom produces_refl2_spec : forall self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 24 21 24 25] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45] produces1 self (Seq.empty ) self) predicate invariant7 (self : borrowed (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0)) = 
@@ -1750,7 +1819,8 @@ module C03StdIterators_Counter predicate next_precondition0 (iter : Core_Slice_Iter_Iter_Type.t_iter uint32) (func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (produced : Seq.seq uint32) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 112 8 116 9] forall i : Core_Slice_Iter_Iter_Type.t_iter uint32 . forall e : uint32 . inv2 i -> inv3 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 112 8 116 9] forall i : Core_Slice_Iter_Iter_Type.t_iter uint32 . forall e : uint32 . inv2 i + -> inv3 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 (iter : Core_Slice_Iter_Iter_Type.t_iter uint32) (func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (produced : Seq.seq uint32) : bool ensures { result = next_precondition0 iter func produced } 
@@ -1758,7 +1828,16 @@ module C03StdIterators_Counter predicate preservation0 (iter : Core_Slice_Iter_Iter_Type.t_iter uint32) (func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 135 8 142 9] forall i : Core_Slice_Iter_Iter_Type.t_iter uint32 . forall b : uint32 . forall f : borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i -> inv11 b -> inv12 f -> inv3 e2 -> inv3 e1 -> inv9 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 135 8 142 9] forall i : Core_Slice_Iter_Iter_Type.t_iter uint32 . forall b : uint32 . forall f : borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i + -> inv11 b + -> inv12 f + -> inv3 e2 + -> inv3 e1 + -> inv9 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 (iter : Core_Slice_Iter_Iter_Type.t_iter uint32) (func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) : bool ensures { result = preservation0 iter func } 
@@ -1775,7 +1854,11 @@ module C03StdIterators_Counter requires {[#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 42 121 50] inv9 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : Core_Slice_Iter_Iter_Type.t_iter uint32, func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0, produced : Seq.seq uint32 . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 24 121 28] inv2 iter) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 33 121 37] inv4 func) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 42 121 50] inv9 produced) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 120 4 120 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) + axiom preservation_inv0_spec : forall iter : Core_Slice_Iter_Iter_Type.t_iter uint32, func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0, produced : Seq.seq uint32 . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 24 121 28] inv2 iter) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 33 121 37] inv4 func) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 42 121 50] inv9 produced) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 120 4 120 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) function shallow_model6 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter uint32)) : slice uint32 = [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model4 ( * self) val shallow_model6 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter uint32)) : slice uint32 
@@ -1792,7 +1875,9 @@ module C03StdIterators_Counter ensures { result = completed1 self } predicate reinitialize0 (_1 : ()) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 148 8 153 9] forall func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 . forall iter : borrowed (Core_Slice_Iter_Iter_Type.t_iter uint32) . inv4 func -> inv10 iter -> completed1 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 148 8 153 9] forall func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 . forall iter : borrowed (Core_Slice_Iter_Iter_Type.t_iter uint32) . inv4 func + -> inv10 iter + -> completed1 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -1821,7 +1906,11 @@ module C03StdIterators_Counter requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv9 bc} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter uint32, ab : Seq.seq uint32, b : Core_Slice_Iter_Iter_Type.t_iter uint32, bc : Seq.seq uint32, c : Core_Slice_Iter_Iter_Type.t_iter uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv9 ab) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv9 bc) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter uint32, ab : Seq.seq uint32, b : Core_Slice_Iter_Iter_Type.t_iter uint32, bc : Seq.seq uint32, c : Core_Slice_Iter_Iter_Type.t_iter uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv9 ab) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv9 bc) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) function produces_refl1 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) : () = [#"../../../../../creusot-contracts/src/std/slice.rs" 390 4 390 10] () val produces_refl1 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) : () 
@@ -1868,13 +1957,21 @@ module C03StdIterators_Counter requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter uint32, ab : Seq.seq uint32, b : Core_Slice_Iter_Iter_Type.t_iter uint32, bc : Seq.seq uint32, c : Core_Slice_Iter_Iter_Type.t_iter uint32 . ([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv2 a) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv9 ab) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv2 b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv9 bc) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv2 c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter uint32, ab : Seq.seq uint32, b : Core_Slice_Iter_Iter_Type.t_iter uint32, bc : Seq.seq uint32, c : Core_Slice_Iter_Iter_Type.t_iter uint32 . 
([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv2 a) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv9 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv2 b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv9 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv2 c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) : () val produces_refl0 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) : () requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Slice_Iter_Iter_Type.t_iter uint32 . ([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Slice_Iter_Iter_Type.t_iter uint32 . ([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces0 self (Seq.empty ) self) use seq.Seq predicate resolve2 (self : uint32) = [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true 
@@ -1889,7 +1986,8 @@ module C03StdIterators_Counter ensures { result = index_logic0 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve2 (index_logic0 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve2 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } @@ -1934,7 +2032,8 @@ module C03StdIterators_Counter ensures { inv8 result } val map_inv0 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) (func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 - requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 43 4 43 141] forall i2 : Core_Slice_Iter_Iter_Type.t_iter uint32 . forall e : uint32 . inv2 i2 -> inv3 e -> produces0 self (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} + requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 43 4 43 141] forall i2 : Core_Slice_Iter_Iter_Type.t_iter uint32 . forall e : uint32 . inv2 i2 + -> inv3 e -> produces0 self (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 44 15 44 51] reinitialize0 ()} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 45 15 45 70] preservation0 self func} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 47 21 47 25] inv2 self} 
@@ -1972,7 +2071,7 @@ module C03StdIterators_Counter goto BB0 } BB0 { - [#"../03_std_iterators.rs" 42 18 42 19] cnt <- ([#"../03_std_iterators.rs" 42 18 42 19] (0 : usize)); + [#"../03_std_iterators.rs" 42 18 42 19] cnt <- ([#"../03_std_iterators.rs" 42 18 42 19] [#"../03_std_iterators.rs" 42 18 42 19] (0 : usize)); [#"../03_std_iterators.rs" 44 22 45 15] _7 <- ([#"../03_std_iterators.rs" 44 22 45 15] deref0 v); goto BB1 } @@ -2010,7 +2109,7 @@ module C03StdIterators_Counter goto BB7 } BB7 { - [#"../03_std_iterators.rs" 41 28 59 1] _0 <- ([#"../03_std_iterators.rs" 41 28 59 1] ()); + [#"../03_std_iterators.rs" 41 28 59 1] _0 <- ([#"../03_std_iterators.rs" 41 28 59 1] [#"../03_std_iterators.rs" 41 28 59 1] ()); goto BB8 } BB8 { 
@@ -2088,7 +2187,9 @@ module C03StdIterators_SumRange predicate produces0 (self : Core_Ops_Range_Range_Type.t_range isize) (visited : Seq.seq isize) (o : Core_Ops_Range_Range_Type.t_range isize) = - [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range isize) (visited : Seq.seq isize) (o : Core_Ops_Range_Range_Type.t_range isize) : bool ensures { result = produces0 self visited o } 
@@ -2104,14 +2205,22 @@ module C03StdIterators_SumRange requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range isize, ab : Seq.seq isize, b : Core_Ops_Range_Range_Type.t_range isize, bc : Seq.seq isize, c : Core_Ops_Range_Range_Type.t_range isize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv3 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv3 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range isize, ab : Seq.seq isize, b : Core_Ops_Range_Range_Type.t_range isize, bc : Seq.seq isize, c : Core_Ops_Range_Range_Type.t_range isize . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv3 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv3 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range isize) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range isize) : () requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range isize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range isize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : Core_Ops_Range_Range_Type.t_range isize) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant0 (self : Core_Ops_Range_Range_Type.t_range isize) : bool 
@@ -2182,8 +2291,8 @@ module C03StdIterators_SumRange goto BB0 } BB0 { - [#"../03_std_iterators.rs" 64 16 64 17] i <- ([#"../03_std_iterators.rs" 64 16 64 17] (0 : isize)); - [#"../03_std_iterators.rs" 66 13 66 17] _7 <- ([#"../03_std_iterators.rs" 66 13 66 17] Core_Ops_Range_Range_Type.C_Range (0 : isize) n); + [#"../03_std_iterators.rs" 64 16 64 17] i <- ([#"../03_std_iterators.rs" 64 16 64 17] [#"../03_std_iterators.rs" 64 16 64 17] (0 : isize)); + [#"../03_std_iterators.rs" 66 13 66 17] _7 <- ([#"../03_std_iterators.rs" 66 13 66 17] Core_Ops_Range_Range_Type.C_Range ([#"../03_std_iterators.rs" 66 13 66 14] (0 : isize)) n); [#"../03_std_iterators.rs" 65 4 65 48] iter <- ([#"../03_std_iterators.rs" 65 4 65 48] into_iter0 _7); _7 <- any Core_Ops_Range_Range_Type.t_range isize; goto BB1 @@ -2240,7 +2349,7 @@ module C03StdIterators_SumRange BB11 { [#"../03_std_iterators.rs" 65 4 65 48] produced <- ([#"../03_std_iterators.rs" 65 4 65 48] _22); _22 <- any Snapshot.snap_ty (Seq.seq isize); - [#"../03_std_iterators.rs" 67 8 67 14] i <- ([#"../03_std_iterators.rs" 67 8 67 14] i + (1 : isize)); + [#"../03_std_iterators.rs" 67 8 67 14] i <- ([#"../03_std_iterators.rs" 67 8 67 14] i + ([#"../03_std_iterators.rs" 67 13 67 14] (1 : isize))); goto BB4 } 
@@ -2310,7 +2419,9 @@ module C03StdIterators_EnumerateRange predicate produces1 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces1 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces1 self visited o } 
@@ -2326,14 +2437,22 @@ module C03StdIterators_EnumerateRange requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv2 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces1 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces1 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv2 a) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv3 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv2 b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv3 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv2 c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces1 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces1 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv2 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv3 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv2 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv3 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv2 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl1 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv2 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces1 self (Seq.empty ) self) predicate invariant3 (self : Seq.seq usize) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant3 (self : Seq.seq usize) : bool 
@@ -2381,7 +2500,8 @@ module C03StdIterators_EnumerateRange predicate produces0 (self : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)) (visited : Seq.seq (usize, usize)) (o : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)) = - [#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 62 8 67 9] Seq.length visited = n0 o - n0 self /\ (exists s : Seq.seq usize . inv3 s /\ produces1 (iter0 self) s (iter0 o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = n0 self + i /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) + [#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 62 8 67 9] Seq.length visited = n0 o - n0 self /\ (exists s : Seq.seq usize . inv3 s /\ produces1 (iter0 self) s (iter0 o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = n0 self + i /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) val produces0 (self : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)) (visited : Seq.seq (usize, usize)) (o : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)) : bool ensures { result = produces0 self visited o } 
@@ -2397,7 +2517,14 @@ module C03StdIterators_EnumerateRange requires {[#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 82 80 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize), ab : Seq.seq (usize, usize), b : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize), bc : Seq.seq (usize, usize), c : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize) . ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 77 15 77 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 78 15 78 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 22 80 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 31 80 33] inv5 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 52 80 53] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 61 80 63] inv5 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 82 80 83] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 79 14 79 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize), ab : Seq.seq (usize, usize), b : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize), bc : Seq.seq (usize, usize), c : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize) . 
([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 77 15 77 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 78 15 78 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 22 80 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 31 80 33] inv5 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 52 80 53] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 61 80 63] inv5 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 82 80 83] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 79 14 79 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)) : () 
@@ -2405,7 +2532,8 @@ module C03StdIterators_EnumerateRange requires {[#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 73 21 73 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize) . ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 73 21 73 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 72 14 72 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize) . ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 73 21 73 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 72 14 72 45] produces0 self (Seq.empty ) self) predicate resolve5 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve5 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) : bool @@ -2529,7 +2657,7 @@ module C03StdIterators_EnumerateRange goto BB0 } BB0 { - [#"../03_std_iterators.rs" 74 19 74 26] _3 <- ([#"../03_std_iterators.rs" 74 19 74 26] Core_Ops_Range_Range_Type.C_Range (0 : usize) (10 : usize)); + [#"../03_std_iterators.rs" 74 19 74 26] _3 <- ([#"../03_std_iterators.rs" 74 19 74 26] Core_Ops_Range_Range_Type.C_Range ([#"../03_std_iterators.rs" 74 20 74 21] (0 : usize)) ([#"../03_std_iterators.rs" 74 23 74 25] (10 : usize))); [#"../03_std_iterators.rs" 74 19 74 38] _2 <- ([#"../03_std_iterators.rs" 74 19 74 38] enumerate0 _3); _3 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB1 
@@ -2553,7 +2681,8 @@ module C03StdIterators_EnumerateRange BB5 { invariant { [#"../03_std_iterators.rs" 73 4 73 96] inv0 iter }; invariant { [#"../03_std_iterators.rs" 73 4 73 96] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; - invariant { [#"../03_std_iterators.rs" 73 4 73 96] forall i : int . 0 <= i /\ i < Seq.length (Snapshot.inner produced) -> (let (a, _) = index_logic0 produced i in a) = (let (_, a) = index_logic0 produced i in a) }; + invariant { [#"../03_std_iterators.rs" 73 4 73 96] forall i : int . 0 <= i /\ i < Seq.length (Snapshot.inner produced) + -> (let (a, _) = index_logic0 produced i in a) = (let (_, a) = index_logic0 produced i in a) }; goto BB6 } BB6 { @@ -2578,7 +2707,7 @@ module C03StdIterators_EnumerateRange BB8 { assert { [@expl:type invariant] inv0 iter }; assume { resolve2 iter }; - [#"../03_std_iterators.rs" 73 4 73 96] _0 <- ([#"../03_std_iterators.rs" 73 4 73 96] ()); + [#"../03_std_iterators.rs" 73 4 73 96] _0 <- ([#"../03_std_iterators.rs" 73 4 73 96] [#"../03_std_iterators.rs" 73 4 73 96] ()); return _0 } BB9 { 
@@ -2706,7 +2835,9 @@ module C03StdIterators_MyReverse predicate produces1 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces1 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces1 self visited o } 
@@ -2722,14 +2853,22 @@ module C03StdIterators_MyReverse requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv5 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces1 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces1 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv5 a) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv6 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv5 b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv6 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv5 c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces1 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces1 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv5 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv6 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv5 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv6 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv5 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl1 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv5 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces1 self (Seq.empty ) self) predicate invariant6 (self : Seq.seq usize) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant6 (self : Seq.seq usize) : bool 
@@ -2791,7 +2930,8 @@ module C03StdIterators_MyReverse predicate produces0 (self : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)) (visited : Seq.seq (usize, usize)) (o : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)) = - [#"../../../../../creusot-contracts/src/std/iter/zip.rs" 44 8 50 9] exists p2 : Seq.seq usize . exists p1 : Seq.seq usize . inv6 p2 /\ inv6 p1 /\ Seq.length p1 = Seq.length p2 /\ Seq.length p2 = Seq.length visited /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) /\ produces1 (itera0 self) p1 (itera0 o) /\ produces1 (iterb0 self) p2 (iterb0 o) + [#"../../../../../creusot-contracts/src/std/iter/zip.rs" 44 8 50 9] exists p2 : Seq.seq usize . exists p1 : Seq.seq usize . inv6 p2 /\ inv6 p1 /\ Seq.length p1 = Seq.length p2 /\ Seq.length p2 = Seq.length visited /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) /\ produces1 (itera0 self) p1 (itera0 o) /\ produces1 (iterb0 self) p2 (iterb0 o) val produces0 (self : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)) (visited : Seq.seq (usize, usize)) (o : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)) : bool ensures { result = produces0 self visited o } 
@@ -2807,7 +2947,14 @@ module C03StdIterators_MyReverse requires {[#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 82 63 83] inv1 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize), ab : Seq.seq (usize, usize), b : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize), bc : Seq.seq (usize, usize), c : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize) . ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 60 15 60 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 61 15 61 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 22 63 23] inv1 a) -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 31 63 33] inv10 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 52 63 53] inv1 b) -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 61 63 63] inv10 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 82 63 83] inv1 c) -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 62 14 62 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize), ab : Seq.seq (usize, usize), b : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize), bc : Seq.seq (usize, usize), c : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize) . 
([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 60 15 60 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 61 15 61 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 22 63 23] inv1 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 31 63 33] inv10 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 52 63 53] inv1 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 61 63 63] inv10 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 82 63 83] inv1 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 62 14 62 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)) : () @@ -2815,7 +2962,8 @@ module C03StdIterators_MyReverse requires {[#"../../../../../creusot-contracts/src/std/iter/zip.rs" 56 21 56 25] inv1 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize) . ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 56 21 56 25] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 55 14 55 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize) . ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 56 21 56 25] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 55 14 55 45] produces0 self (Seq.empty ) self) predicate invariant1 (self : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)) = 
@@ -2845,7 +2993,8 @@ module C03StdIterators_MyReverse requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv9 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model3 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv9 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model3 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate resolve3 (self : borrowed (slice t)) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve3 (self : borrowed (slice t)) : bool 
@@ -2911,12 +3060,12 @@ module C03StdIterators_MyReverse predicate equiv_reverse_range0 [#"../03_std_iterators.rs" 87 0 87 81] (s1 : Seq.seq t) (s2 : Seq.seq t) (l : int) (u : int) (n : int) = - [#"../03_std_iterators.rs" 88 4 90 5] forall i : int . l <= i /\ i < u -> Seq.get s1 i = Seq.get s2 (n - i) + [#"../03_std_iterators.rs" 88 4 90 5] forall i : int . l <= i /\ i < u -> Seq.get s1 i = Seq.get s2 (n - i) val equiv_reverse_range0 [#"../03_std_iterators.rs" 87 0 87 81] (s1 : Seq.seq t) (s2 : Seq.seq t) (l : int) (u : int) (n : int) : bool ensures { result = equiv_reverse_range0 s1 s2 l u n } predicate equiv_range0 [#"../03_std_iterators.rs" 80 0 80 65] (s1 : Seq.seq t) (s2 : Seq.seq t) (l : int) (u : int) = - [#"../03_std_iterators.rs" 81 4 83 5] forall i : int . l <= i /\ i < u -> Seq.get s1 i = Seq.get s2 i + [#"../03_std_iterators.rs" 81 4 83 5] forall i : int . l <= i /\ i < u -> Seq.get s1 i = Seq.get s2 i val equiv_range0 [#"../03_std_iterators.rs" 80 0 80 65] (s1 : Seq.seq t) (s2 : Seq.seq t) (l : int) (u : int) : bool ensures { result = equiv_range0 s1 s2 l u } 
@@ -3034,21 +3183,21 @@ module C03StdIterators_MyReverse BB2 { assert { [@expl:type invariant] inv0 old_v }; assume { resolve0 old_v }; - [#"../03_std_iterators.rs" 101 22 101 27] _12 <- ([#"../03_std_iterators.rs" 101 22 101 27] (2 : usize) = (0 : usize)); + [#"../03_std_iterators.rs" 101 22 101 27] _12 <- ([#"../03_std_iterators.rs" 101 22 101 27] ([#"../03_std_iterators.rs" 101 26 101 27] (2 : usize)) = ([#"../03_std_iterators.rs" 101 22 101 27] (0 : usize))); assert { [@expl:division by zero] [#"../03_std_iterators.rs" 101 22 101 27] not _12 }; goto BB3 } BB3 { - [#"../03_std_iterators.rs" 101 22 101 27] _10 <- ([#"../03_std_iterators.rs" 101 22 101 27] n / (2 : usize)); - [#"../03_std_iterators.rs" 101 18 101 28] _9 <- ([#"../03_std_iterators.rs" 101 18 101 28] Core_Ops_Range_Range_Type.C_Range (0 : usize) _10); + [#"../03_std_iterators.rs" 101 22 101 27] _10 <- ([#"../03_std_iterators.rs" 101 22 101 27] n / ([#"../03_std_iterators.rs" 101 26 101 27] (2 : usize))); + [#"../03_std_iterators.rs" 101 18 101 28] _9 <- ([#"../03_std_iterators.rs" 101 18 101 28] Core_Ops_Range_Range_Type.C_Range ([#"../03_std_iterators.rs" 101 19 101 20] (0 : usize)) _10); _10 <- any usize; - [#"../03_std_iterators.rs" 101 36 101 41] _16 <- ([#"../03_std_iterators.rs" 101 36 101 41] (2 : usize) = (0 : usize)); + [#"../03_std_iterators.rs" 101 36 101 41] _16 <- ([#"../03_std_iterators.rs" 101 36 101 41] ([#"../03_std_iterators.rs" 101 40 101 41] (2 : usize)) = ([#"../03_std_iterators.rs" 101 36 101 41] (0 : usize))); assert { [@expl:division by zero] [#"../03_std_iterators.rs" 101 36 101 41] not _16 }; goto BB4 } BB4 { - [#"../03_std_iterators.rs" 101 36 101 41] _14 <- ([#"../03_std_iterators.rs" 101 36 101 41] n / (2 : usize)); - [#"../03_std_iterators.rs" 101 33 101 41] _13 <- ([#"../03_std_iterators.rs" 101 33 101 41] Core_Ops_Range_Range_Type.C_Range (0 : usize) _14); + [#"../03_std_iterators.rs" 101 36 101 41] _14 <- ([#"../03_std_iterators.rs" 101 36 101 41] n / 
([#"../03_std_iterators.rs" 101 40 101 41] (2 : usize))); + [#"../03_std_iterators.rs" 101 33 101 41] _13 <- ([#"../03_std_iterators.rs" 101 33 101 41] Core_Ops_Range_Range_Type.C_Range ([#"../03_std_iterators.rs" 101 33 101 34] (0 : usize)) _14); _14 <- any usize; [#"../03_std_iterators.rs" 101 18 101 42] _8 <- ([#"../03_std_iterators.rs" 101 18 101 42] zip0 _9 _13); _9 <- any Core_Ops_Range_Range_Type.t_range usize; @@ -3099,7 +3248,7 @@ module C03StdIterators_MyReverse BB12 { assert { [@expl:type invariant] inv3 slice }; assume { resolve3 slice }; - [#"../03_std_iterators.rs" 97 4 97 36] _0 <- ([#"../03_std_iterators.rs" 97 4 97 36] ()); + [#"../03_std_iterators.rs" 97 4 97 36] _0 <- ([#"../03_std_iterators.rs" 97 4 97 36] [#"../03_std_iterators.rs" 97 4 97 36] ()); return _0 } BB13 { @@ -3126,7 +3275,7 @@ module C03StdIterators_MyReverse [#"../03_std_iterators.rs" 102 8 102 13] slice <- { slice with current = ( ^ _38) ; }; assume { inv2 ( ^ _38) }; [#"../03_std_iterators.rs" 102 22 102 27] _41 <- ([#"../03_std_iterators.rs" 102 22 102 27] n - j); - [#"../03_std_iterators.rs" 102 22 102 31] _40 <- ([#"../03_std_iterators.rs" 102 22 102 31] _41 - (1 : usize)); + [#"../03_std_iterators.rs" 102 22 102 31] _40 <- ([#"../03_std_iterators.rs" 102 22 102 31] _41 - ([#"../03_std_iterators.rs" 102 30 102 31] (1 : usize))); _41 <- any usize; [#"../03_std_iterators.rs" 102 8 102 32] _37 <- ([#"../03_std_iterators.rs" 102 8 102 32] swap0 _38 i _40); _38 <- any borrowed (slice t); diff --git a/creusot/tests/should_succeed/iterators/04_skip.mlcfg b/creusot/tests/should_succeed/iterators/04_skip.mlcfg index dae14f3d07..761a674266 100644 --- a/creusot/tests/should_succeed/iterators/04_skip.mlcfg +++ b/creusot/tests/should_succeed/iterators/04_skip.mlcfg 
@@ -53,14 +53,21 @@ module C04Skip_Impl0_ProducesRefl_Impl requires {[#"../common.rs" 21 82 21 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv2 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv2 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv2 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv2 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) use C04Skip_Skip_Type as C04Skip_Skip_Type predicate invariant0 (self : C04Skip_Skip_Type.t_skip i) val invariant0 (self : C04Skip_Skip_Type.t_skip i) : bool 
@@ -82,13 +89,15 @@ module C04Skip_Impl0_ProducesRefl_Impl predicate produces0 [#"../04_skip.rs" 36 4 36 64] (self : C04Skip_Skip_Type.t_skip i) (visited : Seq.seq item0) (o : C04Skip_Skip_Type.t_skip i) = - [#"../04_skip.rs" 37 8 44 9] visited = Seq.empty /\ self = o \/ UIntSize.to_int (C04Skip_Skip_Type.skip_n o) = 0 /\ Seq.length visited > 0 /\ (exists s : Seq.seq item0 . inv1 s /\ Seq.length s = UIntSize.to_int (C04Skip_Skip_Type.skip_n self) /\ produces1 (C04Skip_Skip_Type.skip_iter self) (Seq.(++) s visited) (C04Skip_Skip_Type.skip_iter o) /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve0 (Seq.get s i))) + [#"../04_skip.rs" 37 8 44 9] visited = Seq.empty /\ self = o \/ UIntSize.to_int (C04Skip_Skip_Type.skip_n o) = 0 /\ Seq.length visited > 0 /\ (exists s : Seq.seq item0 . inv1 s /\ Seq.length s = UIntSize.to_int (C04Skip_Skip_Type.skip_n self) /\ produces1 (C04Skip_Skip_Type.skip_iter self) (Seq.(++) s visited) (C04Skip_Skip_Type.skip_iter o) /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> resolve0 (Seq.get s i))) val produces0 [#"../04_skip.rs" 36 4 36 64] (self : C04Skip_Skip_Type.t_skip i) (visited : Seq.seq item0) (o : C04Skip_Skip_Type.t_skip i) : bool ensures { result = produces0 self visited o } constant self : C04Skip_Skip_Type.t_skip i function produces_refl [#"../04_skip.rs" 50 4 50 26] (self : C04Skip_Skip_Type.t_skip i) : () - goal vc_produces_refl : ([#"../04_skip.rs" 50 21 50 25] inv0 self) -> ([#"../04_skip.rs" 49 14 49 45] produces0 self (Seq.empty ) self) + goal vc_produces_refl : ([#"../04_skip.rs" 50 21 50 25] inv0 self) + -> ([#"../04_skip.rs" 49 14 49 45] produces0 self (Seq.empty ) self) end module C04Skip_Impl0_ProducesTrans_Impl type i 
@@ -124,14 +133,21 @@ module C04Skip_Impl0_ProducesTrans_Impl requires {[#"../common.rs" 21 82 21 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv2 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv2 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv2 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv2 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : Seq.seq item0) val invariant1 (self : Seq.seq item0) : bool ensures { result = invariant1 self } 
@@ -158,7 +174,8 @@ module C04Skip_Impl0_ProducesTrans_Impl predicate produces0 [#"../04_skip.rs" 36 4 36 64] (self : C04Skip_Skip_Type.t_skip i) (visited : Seq.seq item0) (o : C04Skip_Skip_Type.t_skip i) = - [#"../04_skip.rs" 37 8 44 9] visited = Seq.empty /\ self = o \/ UIntSize.to_int (C04Skip_Skip_Type.skip_n o) = 0 /\ Seq.length visited > 0 /\ (exists s : Seq.seq item0 . inv1 s /\ Seq.length s = UIntSize.to_int (C04Skip_Skip_Type.skip_n self) /\ produces1 (C04Skip_Skip_Type.skip_iter self) (Seq.(++) s visited) (C04Skip_Skip_Type.skip_iter o) /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve0 (Seq.get s i))) + [#"../04_skip.rs" 37 8 44 9] visited = Seq.empty /\ self = o \/ UIntSize.to_int (C04Skip_Skip_Type.skip_n o) = 0 /\ Seq.length visited > 0 /\ (exists s : Seq.seq item0 . inv1 s /\ Seq.length s = UIntSize.to_int (C04Skip_Skip_Type.skip_n self) /\ produces1 (C04Skip_Skip_Type.skip_iter self) (Seq.(++) s visited) (C04Skip_Skip_Type.skip_iter o) /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> resolve0 (Seq.get s i))) val produces0 [#"../04_skip.rs" 36 4 36 64] (self : C04Skip_Skip_Type.t_skip i) (visited : Seq.seq item0) (o : C04Skip_Skip_Type.t_skip i) : bool ensures { result = produces0 self visited o } 
@@ -169,7 +186,14 @@ module C04Skip_Impl0_ProducesTrans_Impl constant c : C04Skip_Skip_Type.t_skip i function produces_trans [#"../04_skip.rs" 57 4 57 90] (a : C04Skip_Skip_Type.t_skip i) (ab : Seq.seq item0) (b : C04Skip_Skip_Type.t_skip i) (bc : Seq.seq item0) (c : C04Skip_Skip_Type.t_skip i) : () - goal vc_produces_trans : ([#"../04_skip.rs" 57 82 57 83] inv0 c) -> ([#"../04_skip.rs" 57 61 57 63] inv1 bc) -> ([#"../04_skip.rs" 57 52 57 53] inv0 b) -> ([#"../04_skip.rs" 57 31 57 33] inv1 ab) -> ([#"../04_skip.rs" 57 22 57 23] inv0 a) -> ([#"../04_skip.rs" 55 15 55 32] produces0 b bc c) -> ([#"../04_skip.rs" 54 15 54 32] produces0 a ab b) -> ([#"../04_skip.rs" 56 14 56 42] produces0 a (Seq.(++) ab bc) c) + goal vc_produces_trans : ([#"../04_skip.rs" 57 82 57 83] inv0 c) + -> ([#"../04_skip.rs" 57 61 57 63] inv1 bc) + -> ([#"../04_skip.rs" 57 52 57 53] inv0 b) + -> ([#"../04_skip.rs" 57 31 57 33] inv1 ab) + -> ([#"../04_skip.rs" 57 22 57 23] inv0 a) + -> ([#"../04_skip.rs" 55 15 55 32] produces0 b bc c) + -> ([#"../04_skip.rs" 54 15 54 32] produces0 a ab b) + -> ([#"../04_skip.rs" 56 14 56 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = 
@@ -281,14 +305,21 @@ module C04Skip_Impl0_Next requires {[#"../common.rs" 21 82 21 83] inv3 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv3 a) -> ([#"../common.rs" 21 31 21 33] inv9 ab) -> ([#"../common.rs" 21 52 21 53] inv3 b) -> ([#"../common.rs" 21 61 21 63] inv9 bc) -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv3 a) + -> ([#"../common.rs" 21 31 21 33] inv9 ab) + -> ([#"../common.rs" 21 52 21 53] inv3 b) + -> ([#"../common.rs" 21 61 21 63] inv9 bc) + -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv3 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) use prelude.Snapshot predicate invariant1 (self : Snapshot.snap_ty (Seq.seq item0)) val invariant1 (self : Snapshot.snap_ty (Seq.seq item0)) : bool 
@@ -319,7 +350,8 @@ module C04Skip_Impl0_Next predicate produces1 [#"../04_skip.rs" 36 4 36 64] (self : C04Skip_Skip_Type.t_skip i) (visited : Seq.seq item0) (o : C04Skip_Skip_Type.t_skip i) = - [#"../04_skip.rs" 37 8 44 9] visited = Seq.empty /\ self = o \/ UIntSize.to_int (C04Skip_Skip_Type.skip_n o) = 0 /\ Seq.length visited > 0 /\ (exists s : Seq.seq item0 . inv9 s /\ Seq.length s = UIntSize.to_int (C04Skip_Skip_Type.skip_n self) /\ produces0 (C04Skip_Skip_Type.skip_iter self) (Seq.(++) s visited) (C04Skip_Skip_Type.skip_iter o) /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve3 (Seq.get s i))) + [#"../04_skip.rs" 37 8 44 9] visited = Seq.empty /\ self = o \/ UIntSize.to_int (C04Skip_Skip_Type.skip_n o) = 0 /\ Seq.length visited > 0 /\ (exists s : Seq.seq item0 . inv9 s /\ Seq.length s = UIntSize.to_int (C04Skip_Skip_Type.skip_n self) /\ produces0 (C04Skip_Skip_Type.skip_iter self) (Seq.(++) s visited) (C04Skip_Skip_Type.skip_iter o) /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> resolve3 (Seq.get s i))) val produces1 [#"../04_skip.rs" 36 4 36 64] (self : C04Skip_Skip_Type.t_skip i) (visited : Seq.seq item0) (o : C04Skip_Skip_Type.t_skip i) : bool ensures { result = produces1 self visited o } 
@@ -328,7 +360,8 @@ module C04Skip_Impl0_Next ensures { result = completed1 self } predicate completed0 [#"../04_skip.rs" 22 4 22 35] (self : borrowed (C04Skip_Skip_Type.t_skip i)) = - [#"../04_skip.rs" 23 8 31 9] UIntSize.to_int (C04Skip_Skip_Type.skip_n ( ^ self)) = 0 /\ (exists i : borrowed i . exists s : Seq.seq item0 . inv8 i /\ inv9 s /\ Seq.length s <= UIntSize.to_int (C04Skip_Skip_Type.skip_n ( * self)) /\ produces0 (C04Skip_Skip_Type.skip_iter ( * self)) s ( * i) /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve3 (Seq.get s i)) /\ completed1 i /\ ^ i = C04Skip_Skip_Type.skip_iter ( ^ self)) + [#"../04_skip.rs" 23 8 31 9] UIntSize.to_int (C04Skip_Skip_Type.skip_n ( ^ self)) = 0 /\ (exists i : borrowed i . exists s : Seq.seq item0 . inv8 i /\ inv9 s /\ Seq.length s <= UIntSize.to_int (C04Skip_Skip_Type.skip_n ( * self)) /\ produces0 (C04Skip_Skip_Type.skip_iter ( * self)) s ( * i) /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> resolve3 (Seq.get s i)) /\ completed1 i /\ ^ i = C04Skip_Skip_Type.skip_iter ( ^ self)) val completed0 [#"../04_skip.rs" 22 4 22 35] (self : borrowed (C04Skip_Skip_Type.t_skip i)) : bool ensures { result = completed0 self } 
@@ -436,7 +469,8 @@ module C04Skip_Impl0_Next BB4 { invariant { [#"../04_skip.rs" 67 20 67 53] Seq.length (Snapshot.inner skipped) + UIntSize.to_int n = UIntSize.to_int (C04Skip_Skip_Type.skip_n ( * Snapshot.inner old_self)) }; invariant { [#"../04_skip.rs" 67 8 67 55] produces0 (C04Skip_Skip_Type.skip_iter ( * Snapshot.inner old_self)) (Snapshot.inner skipped) (C04Skip_Skip_Type.skip_iter ( * self)) }; - invariant { [#"../04_skip.rs" 67 8 67 55] forall i : int . 0 <= i /\ i < Seq.length (Snapshot.inner skipped) -> resolve3 (index_logic0 skipped i) }; + invariant { [#"../04_skip.rs" 67 8 67 55] forall i : int . 0 <= i /\ i < Seq.length (Snapshot.inner skipped) + -> resolve3 (index_logic0 skipped i) }; invariant { [#"../04_skip.rs" 70 20 70 35] UIntSize.to_int (C04Skip_Skip_Type.skip_n ( * self)) = 0 }; invariant { [#"../04_skip.rs" 71 20 71 29] inv2 self }; goto BB5 @@ -450,7 +484,7 @@ module C04Skip_Impl0_Next goto BB6 } BB6 { - [#"../04_skip.rs" 74 15 74 21] _20 <- ([#"../04_skip.rs" 74 15 74 21] n = (0 : usize)); + [#"../04_skip.rs" 74 15 74 21] _20 <- ([#"../04_skip.rs" 74 15 74 21] n = ([#"../04_skip.rs" 74 20 74 21] (0 : usize))); switch (_20) | False -> goto BB8 | True -> goto BB7 @@ -494,7 +528,7 @@ module C04Skip_Impl0_Next _25 <- any Snapshot.snap_ty (Seq.seq item0); assert { [@expl:type invariant] inv1 skipped }; assume { resolve2 skipped }; - [#"../04_skip.rs" 79 16 79 22] n <- ([#"../04_skip.rs" 79 16 79 22] n - (1 : usize)); + [#"../04_skip.rs" 79 16 79 22] n <- ([#"../04_skip.rs" 79 16 79 22] n - ([#"../04_skip.rs" 79 21 79 22] (1 : usize))); goto BB13 } BB13 { 
@@ -581,7 +615,8 @@ module C04Skip_Impl0 use seq.Seq use prelude.UIntSize predicate completed0 [#"../04_skip.rs" 22 4 22 35] (self : borrowed (C04Skip_Skip_Type.t_skip i)) = - [#"../04_skip.rs" 23 8 31 9] UIntSize.to_int (C04Skip_Skip_Type.skip_n ( ^ self)) = 0 /\ (exists i : borrowed i . exists s : Seq.seq item0 . inv4 i /\ inv1 s /\ Seq.length s <= UIntSize.to_int (C04Skip_Skip_Type.skip_n ( * self)) /\ produces1 (C04Skip_Skip_Type.skip_iter ( * self)) s ( * i) /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve0 (Seq.get s i)) /\ completed1 i /\ ^ i = C04Skip_Skip_Type.skip_iter ( ^ self)) + [#"../04_skip.rs" 23 8 31 9] UIntSize.to_int (C04Skip_Skip_Type.skip_n ( ^ self)) = 0 /\ (exists i : borrowed i . exists s : Seq.seq item0 . inv4 i /\ inv1 s /\ Seq.length s <= UIntSize.to_int (C04Skip_Skip_Type.skip_n ( * self)) /\ produces1 (C04Skip_Skip_Type.skip_iter ( * self)) s ( * i) /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> resolve0 (Seq.get s i)) /\ completed1 i /\ ^ i = C04Skip_Skip_Type.skip_iter ( ^ self)) val completed0 [#"../04_skip.rs" 22 4 22 35] (self : borrowed (C04Skip_Skip_Type.t_skip i)) : bool ensures { result = completed0 self } 
@@ -591,16 +626,22 @@ module C04Skip_Impl0 predicate produces0 [#"../04_skip.rs" 36 4 36 64] (self : C04Skip_Skip_Type.t_skip i) (visited : Seq.seq item0) (o : C04Skip_Skip_Type.t_skip i) = - [#"../04_skip.rs" 37 8 44 9] visited = Seq.empty /\ self = o \/ UIntSize.to_int (C04Skip_Skip_Type.skip_n o) = 0 /\ Seq.length visited > 0 /\ (exists s : Seq.seq item0 . inv1 s /\ Seq.length s = UIntSize.to_int (C04Skip_Skip_Type.skip_n self) /\ produces1 (C04Skip_Skip_Type.skip_iter self) (Seq.(++) s visited) (C04Skip_Skip_Type.skip_iter o) /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve0 (Seq.get s i))) + [#"../04_skip.rs" 37 8 44 9] visited = Seq.empty /\ self = o \/ UIntSize.to_int (C04Skip_Skip_Type.skip_n o) = 0 /\ Seq.length visited > 0 /\ (exists s : Seq.seq item0 . inv1 s /\ Seq.length s = UIntSize.to_int (C04Skip_Skip_Type.skip_n self) /\ produces1 (C04Skip_Skip_Type.skip_iter self) (Seq.(++) s visited) (C04Skip_Skip_Type.skip_iter o) /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> resolve0 (Seq.get s i))) val produces0 [#"../04_skip.rs" 36 4 36 64] (self : C04Skip_Skip_Type.t_skip i) (visited : Seq.seq item0) (o : C04Skip_Skip_Type.t_skip i) : bool ensures { result = produces0 self visited o } - goal produces_trans_refn : [#"../04_skip.rs" 57 4 57 90] forall a : C04Skip_Skip_Type.t_skip i . forall ab : Seq.seq item0 . forall b : C04Skip_Skip_Type.t_skip i . forall bc : Seq.seq item0 . forall c : C04Skip_Skip_Type.t_skip i . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) - goal produces_refl_refn : [#"../04_skip.rs" 50 4 50 26] forall self : C04Skip_Skip_Type.t_skip i . inv0 self -> inv0 self /\ (forall result : () . 
produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal next_refn : [#"../04_skip.rs" 63 4 63 41] forall self : borrowed (C04Skip_Skip_Type.t_skip i) . inv2 self -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option item0 . inv3 result /\ match result with + goal produces_trans_refn : [#"../04_skip.rs" 57 4 57 90] forall a : C04Skip_Skip_Type.t_skip i . forall ab : Seq.seq item0 . forall b : C04Skip_Skip_Type.t_skip i . forall bc : Seq.seq item0 . forall c : C04Skip_Skip_Type.t_skip i . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) + goal produces_refl_refn : [#"../04_skip.rs" 50 4 50 26] forall self : C04Skip_Skip_Type.t_skip i . inv0 self + -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal next_refn : [#"../04_skip.rs" 63 4 63 41] forall self : borrowed (C04Skip_Skip_Type.t_skip i) . inv2 self + -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option item0 . inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv3 result /\ match result with + end + -> inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) diff --git a/creusot/tests/should_succeed/iterators/05_map.mlcfg b/creusot/tests/should_succeed/iterators/05_map.mlcfg index 9eb4c7f24d..1aa3b53e9d 100644 --- a/creusot/tests/should_succeed/iterators/05_map.mlcfg +++ b/creusot/tests/should_succeed/iterators/05_map.mlcfg 
@@ -117,14 +117,21 @@ module C05Map_Impl0_ProducesRefl_Impl requires {[#"../common.rs" 21 82 21 83] inv3 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv3 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv3 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv3 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv3 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv3 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate resolve0 (self : f) val resolve0 (self : f) : bool ensures { result = resolve0 self } 
@@ -144,7 +151,10 @@ module C05Map_Impl0_ProducesRefl_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv7 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv7 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv5 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv6 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv7 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv5 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -158,13 +168,19 @@ module C05Map_Impl0_ProducesRefl_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv4 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv4 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv4 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv4 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv4 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv4 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} 
@@ -173,20 +189,33 @@ module C05Map_Impl0_ProducesRefl_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv7 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv7 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv6 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv7 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate precondition0 (self : f) (_2 : item0) val precondition0 (self : f) (_2 : item0) : bool ensures { result = precondition0 self _2 } use seq.Seq predicate next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) = - [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv3 i -> inv9 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e) + [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . 
inv3 i + -> inv9 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e) val next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) : bool ensures { result = next_precondition0 iter func } use seq.Seq predicate preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) = - [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv3 i -> inv7 b -> inv5 f -> inv9 e2 -> inv9 e1 -> inv1 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) + [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv3 i + -> inv7 b + -> inv5 f + -> inv9 e2 + -> inv9 e1 + -> inv1 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) val preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } @@ -195,7 +224,8 @@ module C05Map_Impl0_ProducesRefl_Impl ensures { result = completed0 self } predicate reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) = - [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv4 func -> inv8 iter -> completed0 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func + [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv4 func + -> inv8 iter -> completed0 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func val reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -222,18 +252,21 @@ module C05Map_Impl0_ProducesRefl_Impl predicate produces0 [@inline:trivial] [#"../05_map.rs" 41 4 41 67] (self : C05Map_Map_Type.t_map i b f) (visited : Seq.seq b) (succ : C05Map_Map_Type.t_map i b f) = - [#"../05_map.rs" 42 8 53 9] unnest0 (C05Map_Map_Type.map_func self) (C05Map_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv1 s /\ Seq.length s = Seq.length visited /\ produces1 (C05Map_Map_Type.map_iter self) s (C05Map_Map_Type.map_iter succ) /\ (exists fs : Seq.seq (borrowed f) . inv2 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../05_map.rs" 42 8 53 9] unnest0 (C05Map_Map_Type.map_func self) (C05Map_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv1 s /\ Seq.length s = Seq.length visited /\ produces1 (C05Map_Map_Type.map_iter self) s (C05Map_Map_Type.map_iter succ) /\ (exists fs : Seq.seq (borrowed f) . inv2 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C05Map_Map_Type.map_func self = C05Map_Map_Type.map_func succ else * Seq.get fs 0 = C05Map_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C05Map_Map_Type.map_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C05Map_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i) (Seq.get visited i)))) + ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest0 (C05Map_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../05_map.rs" 41 4 41 67] (self : C05Map_Map_Type.t_map i b f) (visited : Seq.seq b) (succ : C05Map_Map_Type.t_map i b f) : bool ensures { result = produces0 self visited succ } use seq.Seq constant self : C05Map_Map_Type.t_map i b f function produces_refl [#"../05_map.rs" 29 4 29 26] (self : C05Map_Map_Type.t_map i b f) : () - goal vc_produces_refl : ([#"../05_map.rs" 29 21 29 25] inv0 self) -> ([#"../05_map.rs" 28 14 28 45] produces0 self (Seq.empty ) self) + goal vc_produces_refl : ([#"../05_map.rs" 29 21 29 25] inv0 self) + -> ([#"../05_map.rs" 28 14 28 45] produces0 self (Seq.empty ) self) end module C05Map_Impl0_ProducesTrans_Impl type i 
@@ -340,14 +373,21 @@ module C05Map_Impl0_ProducesTrans_Impl requires {[#"../common.rs" 21 82 21 83] inv4 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv4 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv4 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv4 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv4 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv4 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv4 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv4 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate resolve0 (self : f) val resolve0 (self : f) : bool ensures { result = resolve0 self } 
@@ -367,7 +407,10 @@ module C05Map_Impl0_ProducesTrans_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv7 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv7 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -381,13 +424,19 @@ module C05Map_Impl0_ProducesTrans_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv5 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv5 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv5 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv5 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv5 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv5 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -396,7 +445,11 @@ module C05Map_Impl0_ProducesTrans_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv7 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv7 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant1 (self : Seq.seq b) val invariant1 (self : Seq.seq b) : bool ensures { result = invariant1 self } 
@@ -412,13 +465,22 @@ module C05Map_Impl0_ProducesTrans_Impl use seq.Seq predicate next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) = - [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv4 i -> inv10 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e) + [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv4 i + -> inv10 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e) val next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) : bool ensures { result = next_precondition0 iter func } use seq.Seq predicate preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) = - [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv8 b -> inv6 f -> inv10 e2 -> inv10 e1 -> inv2 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) + [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i + -> inv8 b + -> inv6 f + -> inv10 e2 + -> inv10 e1 + -> inv2 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) val preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } 
@@ -427,7 +489,8 @@ module C05Map_Impl0_ProducesTrans_Impl ensures { result = completed0 self } predicate reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) = - [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv5 func -> inv9 iter -> completed0 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func + [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv5 func + -> inv9 iter -> completed0 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func val reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -455,11 +518,13 @@ module C05Map_Impl0_ProducesTrans_Impl predicate produces0 [@inline:trivial] [#"../05_map.rs" 41 4 41 67] (self : C05Map_Map_Type.t_map i b f) (visited : Seq.seq b) (succ : C05Map_Map_Type.t_map i b f) = - [#"../05_map.rs" 42 8 53 9] unnest0 (C05Map_Map_Type.map_func self) (C05Map_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv2 s /\ Seq.length s = Seq.length visited /\ produces1 (C05Map_Map_Type.map_iter self) s (C05Map_Map_Type.map_iter succ) /\ (exists fs : Seq.seq (borrowed f) . inv3 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../05_map.rs" 42 8 53 9] unnest0 (C05Map_Map_Type.map_func self) (C05Map_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv2 s /\ Seq.length s = Seq.length visited /\ produces1 (C05Map_Map_Type.map_iter self) s (C05Map_Map_Type.map_iter succ) /\ (exists fs : Seq.seq (borrowed f) . inv3 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C05Map_Map_Type.map_func self = C05Map_Map_Type.map_func succ else * Seq.get fs 0 = C05Map_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C05Map_Map_Type.map_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C05Map_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i) (Seq.get visited i)))) + ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest0 (C05Map_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../05_map.rs" 41 4 41 67] (self : C05Map_Map_Type.t_map i b f) (visited : Seq.seq b) (succ : C05Map_Map_Type.t_map i b f) : bool ensures { result = produces0 self visited succ } @@ -470,7 +535,14 @@ module C05Map_Impl0_ProducesTrans_Impl constant c : C05Map_Map_Type.t_map i b f function produces_trans [#"../05_map.rs" 36 4 36 90] (a : C05Map_Map_Type.t_map i b f) (ab : Seq.seq b) (b : C05Map_Map_Type.t_map i b f) (bc : Seq.seq b) (c : C05Map_Map_Type.t_map i b f) : () - goal vc_produces_trans : ([#"../05_map.rs" 36 82 36 83] inv0 c) -> ([#"../05_map.rs" 36 61 36 63] inv1 bc) -> ([#"../05_map.rs" 36 52 36 53] inv0 b) -> ([#"../05_map.rs" 36 31 36 33] inv1 ab) -> ([#"../05_map.rs" 36 22 36 23] inv0 a) -> ([#"../05_map.rs" 34 15 34 32] produces0 b bc c) -> ([#"../05_map.rs" 33 15 33 32] produces0 a ab b) -> ([#"../05_map.rs" 35 14 35 42] produces0 a (Seq.(++) ab bc) c) + goal vc_produces_trans : ([#"../05_map.rs" 36 82 36 83] inv0 c) + -> ([#"../05_map.rs" 36 61 36 63] inv1 bc) + -> ([#"../05_map.rs" 36 52 36 53] inv0 b) + -> ([#"../05_map.rs" 36 31 36 33] inv1 ab) + -> ([#"../05_map.rs" 36 22 36 23] inv0 a) + -> ([#"../05_map.rs" 34 15 34 32] produces0 b bc c) + -> ([#"../05_map.rs" 33 15 33 32] produces0 a ab b) + -> ([#"../05_map.rs" 35 14 35 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = 
@@ -580,7 +652,10 @@ module C05Map_Impl1_ProducesOne_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv1 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv9 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv1 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv9 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv1 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -594,13 +669,19 @@ module C05Map_Impl1_ProducesOne_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv7 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv7 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv7 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv7 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv7 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv7 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -609,7 +690,11 @@ module C05Map_Impl1_ProducesOne_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv1 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv9 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv1 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv9 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv1 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) use seq.Seq predicate produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) val produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) : bool 
@@ -627,14 +712,21 @@ module C05Map_Impl1_ProducesOne_Impl requires {[#"../common.rs" 21 82 21 83] inv6 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv6 a) -> ([#"../common.rs" 21 31 21 33] inv4 ab) -> ([#"../common.rs" 21 52 21 53] inv6 b) -> ([#"../common.rs" 21 61 21 63] inv4 bc) -> ([#"../common.rs" 21 82 21 83] inv6 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv6 a) + -> ([#"../common.rs" 21 31 21 33] inv4 ab) + -> ([#"../common.rs" 21 52 21 53] inv6 b) + -> ([#"../common.rs" 21 61 21 63] inv4 bc) + -> ([#"../common.rs" 21 82 21 83] inv6 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl1 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv6 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv6 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv6 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant3 (self : item0) val invariant3 (self : item0) : bool ensures { result = invariant3 self } 
@@ -669,11 +761,13 @@ module C05Map_Impl1_ProducesOne_Impl predicate produces0 [@inline:trivial] [#"../05_map.rs" 41 4 41 67] (self : C05Map_Map_Type.t_map i b f) (visited : Seq.seq b) (succ : C05Map_Map_Type.t_map i b f) = - [#"../05_map.rs" 42 8 53 9] unnest0 (C05Map_Map_Type.map_func self) (C05Map_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv4 s /\ Seq.length s = Seq.length visited /\ produces1 (C05Map_Map_Type.map_iter self) s (C05Map_Map_Type.map_iter succ) /\ (exists fs : Seq.seq (borrowed f) . inv5 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../05_map.rs" 42 8 53 9] unnest0 (C05Map_Map_Type.map_func self) (C05Map_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv4 s /\ Seq.length s = Seq.length visited /\ produces1 (C05Map_Map_Type.map_iter self) s (C05Map_Map_Type.map_iter succ) /\ (exists fs : Seq.seq (borrowed f) . inv5 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C05Map_Map_Type.map_func self = C05Map_Map_Type.map_func succ else * Seq.get fs 0 = C05Map_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C05Map_Map_Type.map_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C05Map_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i) (Seq.get visited i)))) + ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest0 (C05Map_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../05_map.rs" 41 4 41 67] (self : C05Map_Map_Type.t_map i b f) (visited : Seq.seq b) (succ : C05Map_Map_Type.t_map i b f) : bool ensures { result = produces0 self visited succ } @@ -691,7 +785,13 @@ module C05Map_Impl1_ProducesOne_Impl requires {[#"../05_map.rs" 36 82 36 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : C05Map_Map_Type.t_map i b f, ab : Seq.seq b, b : C05Map_Map_Type.t_map i b f, bc : Seq.seq b, c : C05Map_Map_Type.t_map i b f . ([#"../05_map.rs" 33 15 33 32] produces0 a ab b) -> ([#"../05_map.rs" 34 15 34 32] produces0 b bc c) -> ([#"../05_map.rs" 36 22 36 23] inv0 a) -> ([#"../05_map.rs" 36 31 36 33] inv8 ab) -> ([#"../05_map.rs" 36 52 36 53] inv0 b) -> ([#"../05_map.rs" 36 61 36 63] inv8 bc) -> ([#"../05_map.rs" 36 82 36 83] inv0 c) -> ([#"../05_map.rs" 35 14 35 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : C05Map_Map_Type.t_map i b f, ab : Seq.seq b, b : C05Map_Map_Type.t_map i b f, bc : Seq.seq b, c : C05Map_Map_Type.t_map i b f . ([#"../05_map.rs" 33 15 33 32] produces0 a ab b) + -> ([#"../05_map.rs" 34 15 34 32] produces0 b bc c) + -> ([#"../05_map.rs" 36 22 36 23] inv0 a) + -> ([#"../05_map.rs" 36 31 36 33] inv8 ab) + -> ([#"../05_map.rs" 36 52 36 53] inv0 b) + -> ([#"../05_map.rs" 36 61 36 63] inv8 bc) + -> ([#"../05_map.rs" 36 82 36 83] inv0 c) -> ([#"../05_map.rs" 35 14 35 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../05_map.rs" 29 4 29 26] (self : C05Map_Map_Type.t_map i b f) : () = [#"../05_map.rs" 26 4 26 10] () 
@@ -699,7 +799,8 @@ module C05Map_Impl1_ProducesOne_Impl requires {[#"../05_map.rs" 29 21 29 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : C05Map_Map_Type.t_map i b f . ([#"../05_map.rs" 29 21 29 25] inv0 self) -> ([#"../05_map.rs" 28 14 28 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : C05Map_Map_Type.t_map i b f . ([#"../05_map.rs" 29 21 29 25] inv0 self) + -> ([#"../05_map.rs" 28 14 28 45] produces0 self (Seq.empty ) self) predicate invariant1 (self : b) val invariant1 (self : b) : bool ensures { result = invariant1 self } 
@@ -707,13 +808,22 @@ module C05Map_Impl1_ProducesOne_Impl axiom inv1 : forall x : b . inv1 x = true use seq.Seq predicate next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) = - [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv6 i -> inv3 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e) + [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv6 i + -> inv3 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e) val next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) : bool ensures { result = next_precondition0 iter func } use seq.Seq predicate preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) = - [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv6 i -> inv1 b -> inv2 f -> inv3 e2 -> inv3 e1 -> inv4 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) + [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv6 i + -> inv1 b + -> inv2 f + -> inv3 e2 + -> inv3 e1 + -> inv4 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) val preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } 
@@ -722,7 +832,8 @@ module C05Map_Impl1_ProducesOne_Impl ensures { result = completed0 self } predicate reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) = - [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv7 func -> inv10 iter -> completed0 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func + [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv7 func + -> inv10 iter -> completed0 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func val reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -740,7 +851,10 @@ module C05Map_Impl1_ProducesOne_Impl constant succ : C05Map_Map_Type.t_map i b f predicate produces_one [#"../05_map.rs" 117 4 117 57] (self : C05Map_Map_Type.t_map i b f) (visited : b) (succ : C05Map_Map_Type.t_map i b f) - goal vc_produces_one : ([#"../05_map.rs" 117 38 117 42] inv0 succ) -> ([#"../05_map.rs" 117 26 117 33] inv1 visited) -> ([#"../05_map.rs" 117 20 117 24] inv0 self) -> ([#"../05_map.rs" 116 14 116 68] ([#"../05_map.rs" 118 8 123 9] exists f : borrowed f . inv2 f /\ * f = C05Map_Map_Type.map_func self /\ ^ f = C05Map_Map_Type.map_func succ /\ (exists e : item0 . inv3 e /\ produces1 (C05Map_Map_Type.map_iter self) (Seq.singleton e) (C05Map_Map_Type.map_iter succ) /\ precondition0 ( * f) (e) /\ postcondition_mut0 f (e) visited)) = produces0 self (Seq.singleton visited) succ) + goal vc_produces_one : ([#"../05_map.rs" 117 38 117 42] inv0 succ) + -> ([#"../05_map.rs" 117 26 117 33] inv1 visited) + -> ([#"../05_map.rs" 117 20 117 24] inv0 self) + -> ([#"../05_map.rs" 116 14 116 68] ([#"../05_map.rs" 118 8 123 9] exists f : borrowed f . inv2 f /\ * f = C05Map_Map_Type.map_func self /\ ^ f = C05Map_Map_Type.map_func succ /\ (exists e : item0 . inv3 e /\ produces1 (C05Map_Map_Type.map_iter self) (Seq.singleton e) (C05Map_Map_Type.map_iter succ) /\ precondition0 ( * f) (e) /\ postcondition_mut0 f (e) visited)) = produces0 self (Seq.singleton visited) succ) end module C05Map_Impl1_ProducesOneInvariant_Impl type i 
@@ -831,7 +945,8 @@ module C05Map_Impl1_ProducesOneInvariant_Impl use seq.Seq predicate next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) = - [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv4 i -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e) + [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv4 i + -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e) val next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) : bool ensures { result = next_precondition0 iter func } @@ -845,7 +960,15 @@ module C05Map_Impl1_ProducesOneInvariant_Impl ensures { result = unnest0 self _2 } predicate preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) = - [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv2 b -> inv3 f -> inv1 e2 -> inv1 e1 -> inv5 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) + [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i + -> inv2 b + -> inv3 f + -> inv1 e2 + -> inv1 e1 + -> inv5 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) val preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } 
@@ -854,7 +977,8 @@ module C05Map_Impl1_ProducesOneInvariant_Impl ensures { result = completed0 self } predicate reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) = - [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv7 func -> inv8 iter -> completed0 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func + [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv7 func + -> inv8 iter -> completed0 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func val reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -886,7 +1010,10 @@ module C05Map_Impl1_ProducesOneInvariant_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv3 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv6 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv3 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) function unnest_trans0 (self : f) (b : f) (c : f) : () val unnest_trans0 (self : f) (b : f) (c : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b} 
@@ -896,13 +1023,19 @@ module C05Map_Impl1_ProducesOneInvariant_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv7 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv7 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv7 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv7 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv7 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv7 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -911,7 +1044,11 @@ module C05Map_Impl1_ProducesOneInvariant_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv6 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) use seq.Seq function produces_trans0 [#"../common.rs" 21 4 21 91] (a : i) (ab : Seq.seq item0) (b : i) (bc : Seq.seq item0) (c : i) : () 
@@ -925,14 +1062,21 @@ module C05Map_Impl1_ProducesOneInvariant_Impl requires {[#"../common.rs" 21 82 21 83] inv4 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv4 a) -> ([#"../common.rs" 21 31 21 33] inv5 ab) -> ([#"../common.rs" 21 52 21 53] inv4 b) -> ([#"../common.rs" 21 61 21 63] inv5 bc) -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv4 a) + -> ([#"../common.rs" 21 31 21 33] inv5 ab) + -> ([#"../common.rs" 21 52 21 53] inv4 b) + -> ([#"../common.rs" 21 61 21 63] inv5 bc) + -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv4 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv4 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv4 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) constant self : C05Map_Map_Type.t_map i b f constant e : item0 constant r : b 
@@ -940,7 +1084,20 @@ module C05Map_Impl1_ProducesOneInvariant_Impl constant iter : i function produces_one_invariant [#"../05_map.rs" 107 4 107 73] (self : C05Map_Map_Type.t_map i b f) (e : item0) (r : b) (f : borrowed f) (iter : i) : () - goal vc_produces_one_invariant : ([#"../05_map.rs" 107 65 107 69] inv4 iter) -> ([#"../05_map.rs" 107 54 107 55] inv3 f) -> ([#"../05_map.rs" 107 48 107 49] inv2 r) -> ([#"../05_map.rs" 107 36 107 37] inv1 e) -> ([#"../05_map.rs" 107 30 107 34] inv0 self) -> ([#"../05_map.rs" 104 15 104 43] postcondition_mut0 f (e) r) -> ([#"../05_map.rs" 103 15 103 30] * f = C05Map_Map_Type.map_func self) -> ([#"../05_map.rs" 102 4 102 60] produces0 (C05Map_Map_Type.map_iter self) (Seq.singleton e) iter) -> ([#"../05_map.rs" 101 4 101 12] forall i : i . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv1 e2 -> inv1 e1 -> inv5 s -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> produces0 (C05Map_Map_Type.map_iter self) (Seq.snoc (Seq.snoc (Seq.(++) (Seq.singleton e) s) e1) e2) i) && (let _ = () in ([#"../05_map.rs" 106 14 106 47] next_precondition0 iter ( ^ f)) && ([#"../05_map.rs" 105 14 105 42] preservation0 iter ( ^ f))) + goal vc_produces_one_invariant : ([#"../05_map.rs" 107 65 107 69] inv4 iter) + -> ([#"../05_map.rs" 107 54 107 55] inv3 f) + -> ([#"../05_map.rs" 107 48 107 49] inv2 r) + -> ([#"../05_map.rs" 107 36 107 37] inv1 e) + -> ([#"../05_map.rs" 107 30 107 34] inv0 self) + -> ([#"../05_map.rs" 104 15 104 43] postcondition_mut0 f (e) r) + -> ([#"../05_map.rs" 103 15 103 30] * f = C05Map_Map_Type.map_func self) + -> ([#"../05_map.rs" 102 4 102 60] produces0 (C05Map_Map_Type.map_iter self) (Seq.singleton e) iter) + -> ([#"../05_map.rs" 101 4 101 12] forall i : i . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv4 i + -> inv1 e2 + -> inv1 e1 + -> inv5 s + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> produces0 (C05Map_Map_Type.map_iter self) (Seq.snoc (Seq.snoc (Seq.(++) (Seq.singleton e) s) e1) e2) i) && (let _ = () in ([#"../05_map.rs" 106 14 106 47] next_precondition0 iter ( ^ f)) && ([#"../05_map.rs" 105 14 105 42] preservation0 iter ( ^ f))) end module C05Map_Impl0_Next type i @@ -1021,7 +1178,8 @@ module C05Map_Impl0_Next use seq.Seq predicate next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) = - [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv0 i -> inv7 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e) + [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv0 i + -> inv7 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e) val next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) : bool ensures { result = next_precondition0 iter func } @@ -1035,7 +1193,15 @@ module C05Map_Impl0_Next ensures { result = unnest0 self _2 } predicate preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) = - [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv8 b -> inv9 f -> inv7 e2 -> inv7 e1 -> inv10 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) + [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i + -> inv8 b + -> inv9 f + -> inv7 e2 + -> inv7 e1 + -> inv10 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) val preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } 
@@ -1048,7 +1214,8 @@ module C05Map_Impl0_Next ensures { result = inv5 _x } predicate reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) = - [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv2 func -> inv5 iter -> completed1 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func + [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv2 func + -> inv5 iter -> completed1 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func val reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -1080,7 +1247,10 @@ module C05Map_Impl0_Next requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv11 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv9 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve3 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv11 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv9 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve3 ( ^ s))) function unnest_trans0 (self : f) (b : f) (c : f) : () val unnest_trans0 (self : f) (b : f) (c : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b} 
@@ -1090,13 +1260,19 @@ module C05Map_Impl0_Next requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv2 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv2 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -1105,7 +1281,11 @@ module C05Map_Impl0_Next requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv9 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv11 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv9 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv11 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant5 (self : borrowed i) val invariant5 (self : borrowed i) : bool ensures { result = invariant5 self } 
@@ -1157,14 +1337,21 @@ module C05Map_Impl0_Next requires {[#"../common.rs" 21 82 21 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv0 a) -> ([#"../common.rs" 21 31 21 33] inv10 ab) -> ([#"../common.rs" 21 52 21 53] inv0 b) -> ([#"../common.rs" 21 61 21 63] inv10 bc) -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv0 a) + -> ([#"../common.rs" 21 31 21 33] inv10 ab) + -> ([#"../common.rs" 21 52 21 53] inv0 b) + -> ([#"../common.rs" 21 61 21 63] inv10 bc) + -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : i) val invariant0 (self : i) : bool ensures { result = invariant0 self } 
@@ -1180,11 +1367,13 @@ module C05Map_Impl0_Next predicate produces1 [@inline:trivial] [#"../05_map.rs" 41 4 41 67] (self : C05Map_Map_Type.t_map i b f) (visited : Seq.seq b) (succ : C05Map_Map_Type.t_map i b f) = - [#"../05_map.rs" 42 8 53 9] unnest0 (C05Map_Map_Type.map_func self) (C05Map_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv10 s /\ Seq.length s = Seq.length visited /\ produces0 (C05Map_Map_Type.map_iter self) s (C05Map_Map_Type.map_iter succ) /\ (exists fs : Seq.seq (borrowed f) . inv12 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../05_map.rs" 42 8 53 9] unnest0 (C05Map_Map_Type.map_func self) (C05Map_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv10 s /\ Seq.length s = Seq.length visited /\ produces0 (C05Map_Map_Type.map_iter self) s (C05Map_Map_Type.map_iter succ) /\ (exists fs : Seq.seq (borrowed f) . inv12 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C05Map_Map_Type.map_func self = C05Map_Map_Type.map_func succ else * Seq.get fs 0 = C05Map_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C05Map_Map_Type.map_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C05Map_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i) (Seq.get visited i)))) + ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest0 (C05Map_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i) (Seq.get visited i)))) val produces1 [@inline:trivial] [#"../05_map.rs" 41 4 41 67] (self : C05Map_Map_Type.t_map i b f) (visited : Seq.seq b) (succ : C05Map_Map_Type.t_map i b f) : bool ensures { result = produces1 self visited succ } @@ -1199,7 +1388,10 @@ module C05Map_Impl0_Next requires {[#"../05_map.rs" 117 38 117 42] inv6 succ} ensures { result = produces_one0 self visited succ } - axiom produces_one0_spec : forall self : C05Map_Map_Type.t_map i b f, visited : b, succ : C05Map_Map_Type.t_map i b f . ([#"../05_map.rs" 117 20 117 24] inv6 self) -> ([#"../05_map.rs" 117 26 117 33] inv8 visited) -> ([#"../05_map.rs" 117 38 117 42] inv6 succ) -> ([#"../05_map.rs" 116 14 116 68] produces_one0 self visited succ = produces1 self (Seq.singleton visited) succ) + axiom produces_one0_spec : forall self : C05Map_Map_Type.t_map i b f, visited : b, succ : C05Map_Map_Type.t_map i b f . ([#"../05_map.rs" 117 20 117 24] inv6 self) + -> ([#"../05_map.rs" 117 26 117 33] inv8 visited) + -> ([#"../05_map.rs" 117 38 117 42] inv6 succ) + -> ([#"../05_map.rs" 116 14 116 68] produces_one0 self visited succ = produces1 self (Seq.singleton visited) succ) predicate completed0 [#"../05_map.rs" 22 4 22 35] (self : borrowed (C05Map_Map_Type.t_map i b f)) = [#"../05_map.rs" 23 8 23 75] completed1 (Borrow.borrow_logic (C05Map_Map_Type.map_iter ( * self)) (C05Map_Map_Type.map_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ C05Map_Map_Type.map_func ( * self) = C05Map_Map_Type.map_func ( ^ self) val completed0 [#"../05_map.rs" 22 4 22 35] (self : borrowed (C05Map_Map_Type.t_map i b f)) : bool 
@@ -1236,7 +1428,15 @@ module C05Map_Impl0_Next requires {[#"../05_map.rs" 107 65 107 69] inv0 iter} ensures { result = produces_one_invariant0 self e r f iter } - axiom produces_one_invariant0_spec : forall self : C05Map_Map_Type.t_map i b f, e : item0, r : b, f : borrowed f, iter : i . ([#"../05_map.rs" 102 4 102 60] produces0 (C05Map_Map_Type.map_iter self) (Seq.singleton e) iter) -> ([#"../05_map.rs" 103 15 103 30] * f = C05Map_Map_Type.map_func self) -> ([#"../05_map.rs" 104 15 104 43] postcondition_mut0 f (e) r) -> ([#"../05_map.rs" 107 30 107 34] inv6 self) -> ([#"../05_map.rs" 107 36 107 37] inv7 e) -> ([#"../05_map.rs" 107 48 107 49] inv8 r) -> ([#"../05_map.rs" 107 54 107 55] inv9 f) -> ([#"../05_map.rs" 107 65 107 69] inv0 iter) -> ([#"../05_map.rs" 106 14 106 47] next_precondition0 iter ( ^ f)) && ([#"../05_map.rs" 105 14 105 42] preservation0 iter ( ^ f)) + axiom produces_one_invariant0_spec : forall self : C05Map_Map_Type.t_map i b f, e : item0, r : b, f : borrowed f, iter : i . ([#"../05_map.rs" 102 4 102 60] produces0 (C05Map_Map_Type.map_iter self) (Seq.singleton e) iter) + -> ([#"../05_map.rs" 103 15 103 30] * f = C05Map_Map_Type.map_func self) + -> ([#"../05_map.rs" 104 15 104 43] postcondition_mut0 f (e) r) + -> ([#"../05_map.rs" 107 30 107 34] inv6 self) + -> ([#"../05_map.rs" 107 36 107 37] inv7 e) + -> ([#"../05_map.rs" 107 48 107 49] inv8 r) + -> ([#"../05_map.rs" 107 54 107 55] inv9 f) + -> ([#"../05_map.rs" 107 65 107 69] inv0 iter) + -> ([#"../05_map.rs" 106 14 106 47] next_precondition0 iter ( ^ f)) && ([#"../05_map.rs" 105 14 105 42] preservation0 iter ( ^ f)) predicate resolve0 (self : Core_Option_Option_Type.t_option item0) val resolve0 (self : Core_Option_Option_Type.t_option item0) : bool ensures { result = resolve0 self } 
@@ -1397,7 +1597,10 @@ module C05Map_Map requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv5 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv8 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv5 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv8 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv5 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -1411,13 +1614,19 @@ module C05Map_Map requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv2 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv2 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -1426,7 +1635,11 @@ module C05Map_Map requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv5 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv8 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv5 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv8 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv5 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) use seq.Seq predicate invariant7 (self : Seq.seq item0) val invariant7 (self : Seq.seq item0) : bool 
@@ -1474,13 +1687,22 @@ module C05Map_Map ensures { result = inv1 _x } predicate next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) = - [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv0 i -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e) + [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv0 i + -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e) val next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) : bool ensures { result = next_precondition0 iter func } use seq.Seq predicate preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) = - [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv5 b -> inv6 f -> inv1 e2 -> inv1 e1 -> inv7 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) + [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i + -> inv5 b + -> inv6 f + -> inv1 e2 + -> inv1 e1 + -> inv7 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) val preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } 
@@ -1489,7 +1711,8 @@ module C05Map_Map ensures { result = completed0 self } predicate reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) = - [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv2 func -> inv4 iter -> completed0 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func + [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv2 func + -> inv4 iter -> completed0 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func val reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -1534,16 +1757,24 @@ module C05Map_Map requires {[#"../common.rs" 21 82 21 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv0 a) -> ([#"../common.rs" 21 31 21 33] inv7 ab) -> ([#"../common.rs" 21 52 21 53] inv0 b) -> ([#"../common.rs" 21 61 21 63] inv7 bc) -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv0 a) + -> ([#"../common.rs" 21 31 21 33] inv7 ab) + -> ([#"../common.rs" 21 52 21 53] inv0 b) + -> ([#"../common.rs" 21 61 21 63] inv7 bc) + -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) let rec cfg map [#"../05_map.rs" 144 0 144 84] [@cfg:stackify] [@cfg:subregion_analysis] (iter : i) (func : f) : C05Map_Map_Type.t_map i b f - requires {[#"../05_map.rs" 140 0 140 105] forall i2 : i . forall e : item0 . 
inv0 i2 -> inv1 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e)} + requires {[#"../05_map.rs" 140 0 140 105] forall i2 : i . forall e : item0 . inv0 i2 + -> inv1 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e)} requires {[#"../05_map.rs" 141 11 141 41] reinitialize0 ()} requires {[#"../05_map.rs" 142 11 142 51] preservation0 iter func} requires {[#"../05_map.rs" 144 51 144 55] inv0 iter} @@ -1709,7 +1940,8 @@ module C05Map_Impl0 use seq.Seq predicate next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) = - [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv9 i -> inv8 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e) + [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv9 i + -> inv8 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e) val next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) : bool ensures { result = next_precondition0 iter func } 
@@ -1723,7 +1955,15 @@ module C05Map_Impl0 ensures { result = unnest0 self _2 } predicate preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) = - [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv9 i -> inv6 b -> inv7 f -> inv8 e2 -> inv8 e1 -> inv4 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) + [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv9 i + -> inv6 b + -> inv7 f + -> inv8 e2 + -> inv8 e1 + -> inv4 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) val preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } @@ -1732,7 +1972,8 @@ module C05Map_Impl0 ensures { result = completed1 self } predicate reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) = - [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv10 func -> inv11 iter -> completed1 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func + [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv10 func + -> inv11 iter -> completed1 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func val reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -1757,11 +1998,13 @@ module C05Map_Impl0 predicate produces0 [@inline:trivial] [#"../05_map.rs" 41 4 41 67] (self : C05Map_Map_Type.t_map i b f) (visited : Seq.seq b) (succ : C05Map_Map_Type.t_map i b f) = - [#"../05_map.rs" 42 8 53 9] unnest0 (C05Map_Map_Type.map_func self) (C05Map_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv4 s /\ Seq.length s = Seq.length visited /\ produces1 (C05Map_Map_Type.map_iter self) s (C05Map_Map_Type.map_iter succ) /\ (exists fs : Seq.seq (borrowed f) . inv5 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../05_map.rs" 42 8 53 9] unnest0 (C05Map_Map_Type.map_func self) (C05Map_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv4 s /\ Seq.length s = Seq.length visited /\ produces1 (C05Map_Map_Type.map_iter self) s (C05Map_Map_Type.map_iter succ) /\ (exists fs : Seq.seq (borrowed f) . inv5 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C05Map_Map_Type.map_func self = C05Map_Map_Type.map_func succ else * Seq.get fs 0 = C05Map_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C05Map_Map_Type.map_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C05Map_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i) (Seq.get visited i)))) + ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest0 (C05Map_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../05_map.rs" 41 4 41 67] (self : C05Map_Map_Type.t_map i b f) (visited : Seq.seq b) (succ : C05Map_Map_Type.t_map i b f) : bool ensures { result = produces0 self visited succ } 
@@ -1775,22 +2018,30 @@ module C05Map_Impl0 requires {[#"../05_map.rs" 117 38 117 42] inv0 succ} ensures { result = produces_one0 self visited succ } - axiom produces_one0_spec : forall self : C05Map_Map_Type.t_map i b f, visited : b, succ : C05Map_Map_Type.t_map i b f . ([#"../05_map.rs" 117 20 117 24] inv0 self) -> ([#"../05_map.rs" 117 26 117 33] inv6 visited) -> ([#"../05_map.rs" 117 38 117 42] inv0 succ) -> ([#"../05_map.rs" 116 14 116 68] produces_one0 self visited succ = produces0 self (Seq.singleton visited) succ) + axiom produces_one0_spec : forall self : C05Map_Map_Type.t_map i b f, visited : b, succ : C05Map_Map_Type.t_map i b f . ([#"../05_map.rs" 117 20 117 24] inv0 self) + -> ([#"../05_map.rs" 117 26 117 33] inv6 visited) + -> ([#"../05_map.rs" 117 38 117 42] inv0 succ) + -> ([#"../05_map.rs" 116 14 116 68] produces_one0 self visited succ = produces0 self (Seq.singleton visited) succ) predicate completed0 [#"../05_map.rs" 22 4 22 35] (self : borrowed (C05Map_Map_Type.t_map i b f)) = [#"../05_map.rs" 23 8 23 75] completed1 (Borrow.borrow_logic (C05Map_Map_Type.map_iter ( * self)) (C05Map_Map_Type.map_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ C05Map_Map_Type.map_func ( * self) = C05Map_Map_Type.map_func ( ^ self) val completed0 [#"../05_map.rs" 22 4 22 35] (self : borrowed (C05Map_Map_Type.t_map i b f)) : bool ensures { result = completed0 self } use seq.Seq - goal produces_trans_refn : [#"../05_map.rs" 36 4 36 90] forall a : C05Map_Map_Type.t_map i b f . forall ab : Seq.seq b . forall b : C05Map_Map_Type.t_map i b f . forall bc : Seq.seq b . forall c : C05Map_Map_Type.t_map i b f . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . 
produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) - goal next_refn : [#"../05_map.rs" 60 4 60 44] forall self : borrowed (C05Map_Map_Type.t_map i b f) . inv2 self -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option b . inv3 result /\ match result with + goal produces_trans_refn : [#"../05_map.rs" 36 4 36 90] forall a : C05Map_Map_Type.t_map i b f . forall ab : Seq.seq b . forall b : C05Map_Map_Type.t_map i b f . forall bc : Seq.seq b . forall c : C05Map_Map_Type.t_map i b f . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) + goal next_refn : [#"../05_map.rs" 60 4 60 44] forall self : borrowed (C05Map_Map_Type.t_map i b f) . inv2 self + -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option b . inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces_one0 ( * self) v ( ^ self) - end -> inv3 result /\ match result with + end + -> inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) - goal produces_refl_refn : [#"../05_map.rs" 29 4 29 26] forall self : C05Map_Map_Type.t_map i b f . inv0 self -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal produces_refl_refn : [#"../05_map.rs" 29 4 29 26] forall self : C05Map_Map_Type.t_map i b f . inv0 self + -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) end module C05Map_Impl2 type i 
diff --git a/creusot/tests/should_succeed/iterators/06_map_precond.mlcfg b/creusot/tests/should_succeed/iterators/06_map_precond.mlcfg index 7843747f96..70b63946f5 100644 --- a/creusot/tests/should_succeed/iterators/06_map_precond.mlcfg +++ b/creusot/tests/should_succeed/iterators/06_map_precond.mlcfg @@ -68,7 +68,10 @@ module C06MapPrecond_Impl1_PreservationInv_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv4 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv6 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv4 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -82,13 +85,19 @@ module C06MapPrecond_Impl1_PreservationInv_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv1 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv1 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv1 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv1 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv1 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv1 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () @@ -98,7 +107,11 @@ module C06MapPrecond_Impl1_PreservationInv_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv6 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant5 (self : item0) val invariant5 (self : item0) : bool ensures { result = invariant5 self } 
@@ -143,14 +156,21 @@ module C06MapPrecond_Impl1_PreservationInv_Impl requires {[#"../common.rs" 21 82 21 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv0 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv0 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv0 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv0 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) predicate invariant2 (self : Seq.seq item0) val invariant2 (self : Seq.seq item0) : bool ensures { result = invariant2 self } 
@@ -173,7 +193,16 @@ module C06MapPrecond_Impl1_PreservationInv_Impl use prelude.Snapshot use seq.Seq predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv3 b -> inv4 f -> inv5 e2 -> inv5 e1 -> inv2 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i + -> inv3 b + -> inv4 f + -> inv5 e2 + -> inv5 e1 + -> inv2 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } 
@@ -181,7 +210,21 @@ module C06MapPrecond_Impl1_PreservationInv_Impl constant func : f constant produced : Seq.seq item0 predicate preservation_inv [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) - goal vc_preservation_inv : ([#"../06_map_precond.rs" 93 42 93 50] inv2 produced) -> ([#"../06_map_precond.rs" 93 33 93 37] inv1 func) -> ([#"../06_map_precond.rs" 93 24 93 28] inv0 iter) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> ([#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv3 b -> inv4 f -> inv5 e2 -> inv5 e1 -> inv2 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1))) = preservation0 iter func) + goal vc_preservation_inv : ([#"../06_map_precond.rs" 93 42 93 50] inv2 produced) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv1 func) + -> ([#"../06_map_precond.rs" 93 24 93 28] inv0 iter) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> ([#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i + -> inv3 b + -> inv4 f + -> inv5 e2 + -> inv5 e1 + -> inv2 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1))) = preservation0 iter func) end module C06MapPrecond_Impl0_ProducesRefl_Impl type i 
@@ -300,7 +343,10 @@ module C06MapPrecond_Impl0_ProducesRefl_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv7 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv7 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -314,13 +360,19 @@ module C06MapPrecond_Impl0_ProducesRefl_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv4 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv4 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv4 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv4 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv4 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv4 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () @@ -330,7 +382,11 @@ module C06MapPrecond_Impl0_ProducesRefl_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv7 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv7 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) use seq.Seq predicate produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) val produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) : bool 
@@ -348,14 +404,21 @@ module C06MapPrecond_Impl0_ProducesRefl_Impl requires {[#"../common.rs" 21 82 21 83] inv3 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv3 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv3 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv3 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv3 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv3 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) val precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = precondition0 self _2 } 
@@ -363,32 +426,57 @@ module C06MapPrecond_Impl0_ProducesRefl_Impl use prelude.Snapshot use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv3 i -> inv10 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv3 i + -> inv10 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } use seq.Seq predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv3 i -> inv8 b -> inv6 f -> inv10 e2 -> inv10 e1 -> inv1 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv3 i + -> inv8 b + -> inv6 f + -> inv10 e2 + -> inv10 e1 + -> inv1 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv3 i -> inv8 b -> inv6 f -> inv10 e2 -> inv10 e1 -> inv1 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv3 i + -> inv8 b + -> inv6 f + -> inv10 e2 + -> inv10 e1 + -> inv1 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv3 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv4 func} requires {[#"../06_map_precond.rs" 93 42 93 50] inv1 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv3 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv4 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv1 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) + axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv3 iter) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv4 func) + -> ([#"../06_map_precond.rs" 93 42 93 50] inv1 produced) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) use prelude.Snapshot predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed0 self } predicate reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) = - [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . 
inv4 func -> inv9 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . inv4 func + -> inv9 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -417,18 +505,21 @@ module C06MapPrecond_Impl0_ProducesRefl_Impl predicate produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv1 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv2 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv1 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv2 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C06MapPrecond_Map_Type.map_func self = C06MapPrecond_Map_Type.map_func succ else * Seq.get fs 0 = C06MapPrecond_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C06MapPrecond_Map_Type.map_func succ - ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = produces0 self visited succ } use seq.Seq constant self : C06MapPrecond_Map_Type.t_map i b f item0 function produces_refl [#"../06_map_precond.rs" 31 4 31 26] (self : C06MapPrecond_Map_Type.t_map i b f item0) : () - goal vc_produces_refl : ([#"../06_map_precond.rs" 31 21 31 25] inv0 self) -> ([#"../06_map_precond.rs" 30 14 30 45] produces0 self (Seq.empty ) self) + goal vc_produces_refl : ([#"../06_map_precond.rs" 31 21 31 25] inv0 self) + -> ([#"../06_map_precond.rs" 30 14 30 45] produces0 self (Seq.empty ) self) end module C06MapPrecond_Impl0_ProducesTrans_Impl type i 
@@ -547,7 +638,10 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv9 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv8 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv9 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv7 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv8 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv9 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv7 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -561,13 +655,19 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv5 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv5 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv5 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv5 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv5 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv5 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () @@ -577,7 +677,11 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv9 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv8 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv9 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv8 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv9 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) use seq.Seq predicate produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) val produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) : bool 
@@ -595,14 +699,21 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl requires {[#"../common.rs" 21 82 21 83] inv4 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv4 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv4 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv4 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv4 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv4 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv4 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv4 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : Seq.seq b) val invariant1 (self : Seq.seq b) : bool ensures { result = invariant1 self } 
@@ -619,32 +730,58 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl use prelude.Snapshot use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv4 i -> inv11 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv4 i + -> inv11 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } use seq.Seq predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv9 b -> inv7 f -> inv11 e2 -> inv11 e1 -> inv2 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv4 i + -> inv9 b + -> inv7 f + -> inv11 e2 + -> inv11 e1 + -> inv2 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv9 b -> inv7 f -> inv11 e2 -> inv11 e1 -> inv2 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv4 i + -> inv9 b + -> inv7 f + -> inv11 e2 + -> inv11 e1 + -> inv2 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv4 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv5 func} requires {[#"../06_map_precond.rs" 93 42 93 50] inv2 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv4 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv5 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv2 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) + axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv4 iter) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv5 func) + -> ([#"../06_map_precond.rs" 93 42 93 50] inv2 produced) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) use prelude.Snapshot predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed0 self } predicate reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) = - [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . 
inv5 func -> inv10 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . inv5 func + -> inv10 iter + -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -674,11 +811,13 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl predicate produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv2 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv3 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv2 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv3 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C06MapPrecond_Map_Type.map_func self = C06MapPrecond_Map_Type.map_func succ else * Seq.get fs 0 = C06MapPrecond_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C06MapPrecond_Map_Type.map_func succ - ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = produces0 self visited succ } 
@@ -689,7 +828,14 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl constant c : C06MapPrecond_Map_Type.t_map i b f item0 function produces_trans [#"../06_map_precond.rs" 38 4 38 90] (a : C06MapPrecond_Map_Type.t_map i b f item0) (ab : Seq.seq b) (b : C06MapPrecond_Map_Type.t_map i b f item0) (bc : Seq.seq b) (c : C06MapPrecond_Map_Type.t_map i b f item0) : () - goal vc_produces_trans : ([#"../06_map_precond.rs" 38 82 38 83] inv0 c) -> ([#"../06_map_precond.rs" 38 61 38 63] inv1 bc) -> ([#"../06_map_precond.rs" 38 52 38 53] inv0 b) -> ([#"../06_map_precond.rs" 38 31 38 33] inv1 ab) -> ([#"../06_map_precond.rs" 38 22 38 23] inv0 a) -> ([#"../06_map_precond.rs" 36 15 36 32] produces0 b bc c) -> ([#"../06_map_precond.rs" 35 15 35 32] produces0 a ab b) -> ([#"../06_map_precond.rs" 37 14 37 42] produces0 a (Seq.(++) ab bc) c) + goal vc_produces_trans : ([#"../06_map_precond.rs" 38 82 38 83] inv0 c) + -> ([#"../06_map_precond.rs" 38 61 38 63] inv1 bc) + -> ([#"../06_map_precond.rs" 38 52 38 53] inv0 b) + -> ([#"../06_map_precond.rs" 38 31 38 33] inv1 ab) + -> ([#"../06_map_precond.rs" 38 22 38 23] inv0 a) + -> ([#"../06_map_precond.rs" 36 15 36 32] produces0 b bc c) + -> ([#"../06_map_precond.rs" 35 15 35 32] produces0 a ab b) + -> ([#"../06_map_precond.rs" 37 14 37 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = 
@@ -809,7 +955,10 @@ module C06MapPrecond_Impl1_ProducesOne_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv1 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv10 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv1 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv10 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv1 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -823,13 +972,19 @@ module C06MapPrecond_Impl1_ProducesOne_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv7 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv7 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv7 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv7 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv7 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv7 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () @@ -839,7 +994,11 @@ module C06MapPrecond_Impl1_ProducesOne_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv1 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv10 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv1 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv10 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv1 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant3 (self : item0) val invariant3 (self : item0) : bool ensures { result = invariant3 self } 
@@ -871,14 +1030,21 @@ module C06MapPrecond_Impl1_ProducesOne_Impl requires {[#"../common.rs" 21 82 21 83] inv6 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv6 a) -> ([#"../common.rs" 21 31 21 33] inv4 ab) -> ([#"../common.rs" 21 52 21 53] inv6 b) -> ([#"../common.rs" 21 61 21 63] inv4 bc) -> ([#"../common.rs" 21 82 21 83] inv6 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv6 a) + -> ([#"../common.rs" 21 31 21 33] inv4 ab) + -> ([#"../common.rs" 21 52 21 53] inv6 b) + -> ([#"../common.rs" 21 61 21 63] inv4 bc) + -> ([#"../common.rs" 21 82 21 83] inv6 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl1 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv6 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv6 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv6 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) use C06MapPrecond_Map_Type as C06MapPrecond_Map_Type use seq.Seq predicate inv0 (_x : C06MapPrecond_Map_Type.t_map i b f item0) 
@@ -903,11 +1069,13 @@ module C06MapPrecond_Impl1_ProducesOne_Impl predicate produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv4 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv5 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv4 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv5 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C06MapPrecond_Map_Type.map_func self = C06MapPrecond_Map_Type.map_func succ else * Seq.get fs 0 = C06MapPrecond_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C06MapPrecond_Map_Type.map_func succ - ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = produces0 self visited succ } 
@@ -925,7 +1093,14 @@ module C06MapPrecond_Impl1_ProducesOne_Impl requires {[#"../06_map_precond.rs" 38 82 38 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : C06MapPrecond_Map_Type.t_map i b f item0, ab : Seq.seq b, b : C06MapPrecond_Map_Type.t_map i b f item0, bc : Seq.seq b, c : C06MapPrecond_Map_Type.t_map i b f item0 . ([#"../06_map_precond.rs" 35 15 35 32] produces0 a ab b) -> ([#"../06_map_precond.rs" 36 15 36 32] produces0 b bc c) -> ([#"../06_map_precond.rs" 38 22 38 23] inv0 a) -> ([#"../06_map_precond.rs" 38 31 38 33] inv9 ab) -> ([#"../06_map_precond.rs" 38 52 38 53] inv0 b) -> ([#"../06_map_precond.rs" 38 61 38 63] inv9 bc) -> ([#"../06_map_precond.rs" 38 82 38 83] inv0 c) -> ([#"../06_map_precond.rs" 37 14 37 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : C06MapPrecond_Map_Type.t_map i b f item0, ab : Seq.seq b, b : C06MapPrecond_Map_Type.t_map i b f item0, bc : Seq.seq b, c : C06MapPrecond_Map_Type.t_map i b f item0 . ([#"../06_map_precond.rs" 35 15 35 32] produces0 a ab b) + -> ([#"../06_map_precond.rs" 36 15 36 32] produces0 b bc c) + -> ([#"../06_map_precond.rs" 38 22 38 23] inv0 a) + -> ([#"../06_map_precond.rs" 38 31 38 33] inv9 ab) + -> ([#"../06_map_precond.rs" 38 52 38 53] inv0 b) + -> ([#"../06_map_precond.rs" 38 61 38 63] inv9 bc) + -> ([#"../06_map_precond.rs" 38 82 38 83] inv0 c) + -> ([#"../06_map_precond.rs" 37 14 37 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../06_map_precond.rs" 31 4 31 26] (self : C06MapPrecond_Map_Type.t_map i b f item0) : () = [#"../06_map_precond.rs" 28 4 28 10] () 
@@ -933,7 +1108,8 @@ module C06MapPrecond_Impl1_ProducesOne_Impl requires {[#"../06_map_precond.rs" 31 21 31 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : C06MapPrecond_Map_Type.t_map i b f item0 . ([#"../06_map_precond.rs" 31 21 31 25] inv0 self) -> ([#"../06_map_precond.rs" 30 14 30 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : C06MapPrecond_Map_Type.t_map i b f item0 . ([#"../06_map_precond.rs" 31 21 31 25] inv0 self) + -> ([#"../06_map_precond.rs" 30 14 30 45] produces0 self (Seq.empty ) self) predicate invariant1 (self : b) val invariant1 (self : b) : bool ensures { result = invariant1 self } 
@@ -941,31 +1117,57 @@ module C06MapPrecond_Impl1_ProducesOne_Impl axiom inv1 : forall x : b . inv1 x = true use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv6 i -> inv3 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv6 i + -> inv3 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } use seq.Seq predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv6 i -> inv1 b -> inv2 f -> inv3 e2 -> inv3 e1 -> inv4 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv6 i + -> inv1 b + -> inv2 f + -> inv3 e2 + -> inv3 e1 + -> inv4 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv6 i -> inv1 b -> inv2 f -> inv3 e2 -> inv3 e1 -> inv4 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv6 i + -> inv1 b + -> inv2 f + -> inv3 e2 + -> inv3 e1 + -> inv4 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv6 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv7 func} requires {[#"../06_map_precond.rs" 93 42 93 50] inv4 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv6 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv7 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv4 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) + axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv6 iter) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv7 func) + -> ([#"../06_map_precond.rs" 93 42 93 50] inv4 produced) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed0 self } predicate reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) = - [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . inv7 func -> inv11 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../06_map_precond.rs" 118 8 123 9] forall func : f . 
forall iter : borrowed i . inv7 func + -> inv11 iter + -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -983,7 +1185,10 @@ module C06MapPrecond_Impl1_ProducesOne_Impl constant succ : C06MapPrecond_Map_Type.t_map i b f item0 predicate produces_one [#"../06_map_precond.rs" 142 4 142 57] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) - goal vc_produces_one : ([#"../06_map_precond.rs" 142 38 142 42] inv0 succ) -> ([#"../06_map_precond.rs" 142 26 142 33] inv1 visited) -> ([#"../06_map_precond.rs" 142 20 142 24] inv0 self) -> ([#"../06_map_precond.rs" 141 14 141 68] ([#"../06_map_precond.rs" 143 8 149 9] exists f : borrowed f . inv2 f /\ * f = C06MapPrecond_Map_Type.map_func self /\ ^ f = C06MapPrecond_Map_Type.map_func succ /\ (exists e : item0 . inv3 e /\ produces1 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e /\ precondition0 ( * f) (e, C06MapPrecond_Map_Type.map_produced self) /\ postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) visited)) = produces0 self (Seq.singleton visited) succ) + goal vc_produces_one : ([#"../06_map_precond.rs" 142 38 142 42] inv0 succ) + -> ([#"../06_map_precond.rs" 142 26 142 33] inv1 visited) + -> ([#"../06_map_precond.rs" 142 20 142 24] inv0 self) + -> ([#"../06_map_precond.rs" 141 14 141 68] ([#"../06_map_precond.rs" 143 8 149 9] exists f : borrowed f . inv2 f /\ * f = C06MapPrecond_Map_Type.map_func self /\ ^ f = C06MapPrecond_Map_Type.map_func succ /\ (exists e : item0 . 
inv3 e /\ produces1 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e /\ precondition0 ( * f) (e, C06MapPrecond_Map_Type.map_produced self) /\ postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) visited)) = produces0 self (Seq.singleton visited) succ) end module C06MapPrecond_Impl1_ProducesOneInvariant_Impl type i @@ -1085,7 +1290,8 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv4 i -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv4 i + -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } 
@@ -1100,27 +1306,51 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl ensures { result = unnest0 self _2 } predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv2 b -> inv3 f -> inv1 e2 -> inv1 e1 -> inv5 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i + -> inv2 b + -> inv3 f + -> inv1 e2 + -> inv1 e1 + -> inv5 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } use seq.Seq predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv2 b -> inv3 f -> inv1 e2 -> inv1 e1 -> inv5 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . 
forall e1 : item0 . forall s : Seq.seq item0 . inv4 i + -> inv2 b + -> inv3 f + -> inv1 e2 + -> inv1 e1 + -> inv5 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv4 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv6 func} requires {[#"../06_map_precond.rs" 93 42 93 50] inv5 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv4 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv6 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv5 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) + axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv4 iter) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv6 func) + -> ([#"../06_map_precond.rs" 93 42 93 50] inv5 produced) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) use prelude.Snapshot predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed0 self } predicate reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) = - [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . 
inv6 func -> inv9 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . inv6 func + -> inv9 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } @@ -1152,7 +1382,10 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv7 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv3 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv7 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv3 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) function unnest_trans0 (self : f) (b : f) (c : f) : () val unnest_trans0 (self : f) (b : f) (c : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b} 
@@ -1162,13 +1395,19 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv6 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv6 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv6 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv6 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv6 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv6 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () 
@@ -1178,7 +1417,11 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv7 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv7 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) function produces_trans0 [#"../common.rs" 21 4 21 91] (a : i) (ab : Seq.seq item0) (b : i) (bc : Seq.seq item0) (c : i) : () val produces_trans0 [#"../common.rs" 21 4 21 91] (a : i) (ab : Seq.seq item0) (b : i) (bc : Seq.seq item0) (c : i) : () 
@@ -1191,13 +1434,20 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl requires {[#"../common.rs" 21 82 21 83] inv4 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv4 a) -> ([#"../common.rs" 21 31 21 33] inv5 ab) -> ([#"../common.rs" 21 52 21 53] inv4 b) -> ([#"../common.rs" 21 61 21 63] inv5 bc) -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv4 a) + -> ([#"../common.rs" 21 31 21 33] inv5 ab) + -> ([#"../common.rs" 21 52 21 53] inv4 b) + -> ([#"../common.rs" 21 61 21 63] inv5 bc) + -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv4 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv4 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv4 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) constant self : C06MapPrecond_Map_Type.t_map i b f item0 constant e : item0 constant r : b 
@@ -1205,7 +1455,20 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl constant iter : i function produces_one_invariant [#"../06_map_precond.rs" 132 4 132 73] (self : C06MapPrecond_Map_Type.t_map i b f item0) (e : item0) (r : b) (f : borrowed f) (iter : i) : () - goal vc_produces_one_invariant : ([#"../06_map_precond.rs" 132 65 132 69] inv4 iter) -> ([#"../06_map_precond.rs" 132 54 132 55] inv3 f) -> ([#"../06_map_precond.rs" 132 48 132 49] inv2 r) -> ([#"../06_map_precond.rs" 132 36 132 37] inv1 e) -> ([#"../06_map_precond.rs" 132 30 132 34] inv0 self) -> ([#"../06_map_precond.rs" 129 15 129 57] postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) r) -> ([#"../06_map_precond.rs" 128 15 128 30] * f = C06MapPrecond_Map_Type.map_func self) -> ([#"../06_map_precond.rs" 127 4 127 60] produces0 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) iter) -> ([#"../06_map_precond.rs" 126 4 126 12] forall i : i . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv4 i -> inv1 e2 -> inv1 e1 -> inv5 s -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> produces0 (C06MapPrecond_Map_Type.map_iter self) (Seq.snoc (Seq.snoc (Seq.(++) (Seq.singleton e) s) e1) e2) i) && (let _ = () in ([#"../06_map_precond.rs" 131 14 131 70] next_precondition0 iter ( ^ f) (Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e)) && ([#"../06_map_precond.rs" 130 14 130 69] preservation_inv0 iter ( ^ f) (Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e))) + goal vc_produces_one_invariant : ([#"../06_map_precond.rs" 132 65 132 69] inv4 iter) + -> ([#"../06_map_precond.rs" 132 54 132 55] inv3 f) + -> ([#"../06_map_precond.rs" 132 48 132 49] inv2 r) + -> ([#"../06_map_precond.rs" 132 36 132 37] inv1 e) + -> ([#"../06_map_precond.rs" 132 30 132 34] inv0 self) + -> ([#"../06_map_precond.rs" 129 15 129 57] postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) r) + -> ([#"../06_map_precond.rs" 128 15 128 30] * f = C06MapPrecond_Map_Type.map_func self) + -> ([#"../06_map_precond.rs" 127 4 127 60] produces0 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) iter) + -> ([#"../06_map_precond.rs" 126 4 126 12] forall i : i . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i + -> inv1 e2 + -> inv1 e1 + -> inv5 s + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> produces0 (C06MapPrecond_Map_Type.map_iter self) (Seq.snoc (Seq.snoc (Seq.(++) (Seq.singleton e) s) e1) e2) i) && (let _ = () in ([#"../06_map_precond.rs" 131 14 131 70] next_precondition0 iter ( ^ f) (Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e)) && ([#"../06_map_precond.rs" 130 14 130 69] preservation_inv0 iter ( ^ f) (Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e))) end module C06MapPrecond_Impl0_Next type i 
@@ -1265,7 +1528,8 @@ module C06MapPrecond_Impl0_Next use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv0 i -> inv11 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv0 i + -> inv11 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } 
@@ -1288,20 +1552,43 @@ module C06MapPrecond_Impl0_Next ensures { result = inv9 _x } predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv9 b -> inv7 f -> inv11 e2 -> inv11 e1 -> inv12 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i + -> inv9 b + -> inv7 f + -> inv11 e2 + -> inv11 e1 + -> inv12 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } use seq.Seq predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv9 b -> inv7 f -> inv11 e2 -> inv11 e1 -> inv12 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . 
forall s : Seq.seq item0 . inv0 i + -> inv9 b + -> inv7 f + -> inv11 e2 + -> inv11 e1 + -> inv12 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv0 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv2 func} requires {[#"../06_map_precond.rs" 93 42 93 50] inv12 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv0 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv2 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv12 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) + axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv0 iter) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv2 func) + -> ([#"../06_map_precond.rs" 93 42 93 50] inv12 produced) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) use prelude.Snapshot predicate completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool 
@@ -1312,7 +1599,8 @@ module C06MapPrecond_Impl0_Next ensures { result = inv6 _x } predicate reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) = - [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . inv2 func -> inv6 iter -> completed1 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . inv2 func + -> inv6 iter -> completed1 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -1353,7 +1641,10 @@ module C06MapPrecond_Impl0_Next requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv9 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv8 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv9 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv7 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve4 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv8 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv9 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv7 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve4 ( ^ s))) function unnest_trans0 (self : f) (b : f) (c : f) : () val unnest_trans0 (self : f) (b : f) (c : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b} 
@@ -1363,13 +1654,19 @@ module C06MapPrecond_Impl0_Next requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv2 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv2 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () @@ -1379,7 +1676,11 @@ module C06MapPrecond_Impl0_Next requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv9 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv8 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv9 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv8 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv9 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant8 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) val invariant8 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = invariant8 self } 
@@ -1445,13 +1746,20 @@ module C06MapPrecond_Impl0_Next requires {[#"../common.rs" 21 82 21 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv0 a) -> ([#"../common.rs" 21 31 21 33] inv12 ab) -> ([#"../common.rs" 21 52 21 53] inv0 b) -> ([#"../common.rs" 21 61 21 63] inv12 bc) -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv0 a) + -> ([#"../common.rs" 21 31 21 33] inv12 ab) + -> ([#"../common.rs" 21 52 21 53] inv0 b) + -> ([#"../common.rs" 21 61 21 63] inv12 bc) + -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : i) val invariant0 (self : i) : bool ensures { result = invariant0 self } 
@@ -1469,11 +1777,13 @@ module C06MapPrecond_Impl0_Next predicate produces1 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv12 s /\ Seq.length s = Seq.length visited /\ produces0 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv13 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv12 s /\ Seq.length s = Seq.length visited /\ produces0 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv13 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C06MapPrecond_Map_Type.map_func self = C06MapPrecond_Map_Type.map_func succ else * Seq.get fs 0 = C06MapPrecond_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C06MapPrecond_Map_Type.map_func succ - ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces1 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = produces1 self visited succ } 
@@ -1488,7 +1798,10 @@ module C06MapPrecond_Impl0_Next requires {[#"../06_map_precond.rs" 142 38 142 42] inv10 succ} ensures { result = produces_one0 self visited succ } - axiom produces_one0_spec : forall self : C06MapPrecond_Map_Type.t_map i b f item0, visited : b, succ : C06MapPrecond_Map_Type.t_map i b f item0 . ([#"../06_map_precond.rs" 142 20 142 24] inv10 self) -> ([#"../06_map_precond.rs" 142 26 142 33] inv9 visited) -> ([#"../06_map_precond.rs" 142 38 142 42] inv10 succ) -> ([#"../06_map_precond.rs" 141 14 141 68] produces_one0 self visited succ = produces1 self (Seq.singleton visited) succ) + axiom produces_one0_spec : forall self : C06MapPrecond_Map_Type.t_map i b f item0, visited : b, succ : C06MapPrecond_Map_Type.t_map i b f item0 . ([#"../06_map_precond.rs" 142 20 142 24] inv10 self) + -> ([#"../06_map_precond.rs" 142 26 142 33] inv9 visited) + -> ([#"../06_map_precond.rs" 142 38 142 42] inv10 succ) + -> ([#"../06_map_precond.rs" 141 14 141 68] produces_one0 self visited succ = produces1 self (Seq.singleton visited) succ) predicate completed0 [#"../06_map_precond.rs" 21 4 21 35] (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) = [#"../06_map_precond.rs" 22 8 25 9] Snapshot.inner (C06MapPrecond_Map_Type.map_produced ( ^ self)) = Seq.empty /\ completed1 (Borrow.borrow_logic (C06MapPrecond_Map_Type.map_iter ( * self)) (C06MapPrecond_Map_Type.map_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ C06MapPrecond_Map_Type.map_func ( * self) = C06MapPrecond_Map_Type.map_func ( ^ self) 
@@ -1513,7 +1826,15 @@ module C06MapPrecond_Impl0_Next requires {[#"../06_map_precond.rs" 132 65 132 69] inv0 iter} ensures { result = produces_one_invariant0 self e r f iter } - axiom produces_one_invariant0_spec : forall self : C06MapPrecond_Map_Type.t_map i b f item0, e : item0, r : b, f : borrowed f, iter : i . ([#"../06_map_precond.rs" 127 4 127 60] produces0 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) iter) -> ([#"../06_map_precond.rs" 128 15 128 30] * f = C06MapPrecond_Map_Type.map_func self) -> ([#"../06_map_precond.rs" 129 15 129 57] postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) r) -> ([#"../06_map_precond.rs" 132 30 132 34] inv10 self) -> ([#"../06_map_precond.rs" 132 36 132 37] inv11 e) -> ([#"../06_map_precond.rs" 132 48 132 49] inv9 r) -> ([#"../06_map_precond.rs" 132 54 132 55] inv7 f) -> ([#"../06_map_precond.rs" 132 65 132 69] inv0 iter) -> ([#"../06_map_precond.rs" 131 14 131 70] next_precondition0 iter ( ^ f) (Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e)) && ([#"../06_map_precond.rs" 130 14 130 69] preservation_inv0 iter ( ^ f) (Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e)) + axiom produces_one_invariant0_spec : forall self : C06MapPrecond_Map_Type.t_map i b f item0, e : item0, r : b, f : borrowed f, iter : i . 
([#"../06_map_precond.rs" 127 4 127 60] produces0 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) iter) + -> ([#"../06_map_precond.rs" 128 15 128 30] * f = C06MapPrecond_Map_Type.map_func self) + -> ([#"../06_map_precond.rs" 129 15 129 57] postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) r) + -> ([#"../06_map_precond.rs" 132 30 132 34] inv10 self) + -> ([#"../06_map_precond.rs" 132 36 132 37] inv11 e) + -> ([#"../06_map_precond.rs" 132 48 132 49] inv9 r) + -> ([#"../06_map_precond.rs" 132 54 132 55] inv7 f) + -> ([#"../06_map_precond.rs" 132 65 132 69] inv0 iter) + -> ([#"../06_map_precond.rs" 131 14 131 70] next_precondition0 iter ( ^ f) (Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e)) && ([#"../06_map_precond.rs" 130 14 130 69] preservation_inv0 iter ( ^ f) (Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e)) predicate resolve2 (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) : bool 
@@ -1723,7 +2044,10 @@ module C06MapPrecond_Map requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv5 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv9 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv5 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv9 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv5 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -1737,13 +2061,19 @@ module C06MapPrecond_Map requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv2 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv2 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () @@ -1753,7 +2083,11 @@ module C06MapPrecond_Map requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv5 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv9 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv5 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv9 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv5 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant7 (self : Seq.seq item0) val invariant7 (self : Seq.seq item0) : bool ensures { result = invariant7 self } 
@@ -1801,34 +2135,59 @@ module C06MapPrecond_Map ensures { result = inv1 _x } predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv0 i -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv0 i + -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } use seq.Seq use seq.Seq predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv5 b -> inv6 f -> inv1 e2 -> inv1 e1 -> inv7 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv0 i + -> inv5 b + -> inv6 f + -> inv1 e2 + -> inv1 e1 + -> inv7 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } use seq.Seq predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv5 b -> inv6 f -> inv1 e2 -> inv1 e1 -> inv7 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv0 i + -> inv5 b + -> inv6 f + -> inv1 e2 + -> inv1 e1 + -> inv7 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv0 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv2 func} requires {[#"../06_map_precond.rs" 93 42 93 50] inv7 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv0 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv2 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv7 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) + axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv0 iter) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv2 func) + -> ([#"../06_map_precond.rs" 93 42 93 50] inv7 produced) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) use prelude.Snapshot predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed0 self } predicate reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) = - [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . 
inv2 func -> inv4 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . inv2 func + -> inv4 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -1872,15 +2231,23 @@ module C06MapPrecond_Map requires {[#"../common.rs" 21 82 21 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv0 a) -> ([#"../common.rs" 21 31 21 33] inv7 ab) -> ([#"../common.rs" 21 52 21 53] inv0 b) -> ([#"../common.rs" 21 61 21 63] inv7 bc) -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv0 a) + -> ([#"../common.rs" 21 31 21 33] inv7 ab) + -> ([#"../common.rs" 21 52 21 53] inv0 b) + -> ([#"../common.rs" 21 61 21 63] inv7 bc) + -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) let rec cfg map [#"../06_map_precond.rs" 170 0 173 17] [@cfg:stackify] [@cfg:subregion_analysis] (iter : i) (func : f) : C06MapPrecond_Map_Type.t_map i b f item0 - requires {[#"../06_map_precond.rs" 166 0 166 131] forall i2 : i . forall e : item0 . 
inv0 i2 -> inv1 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} + requires {[#"../06_map_precond.rs" 166 0 166 131] forall i2 : i . forall e : item0 . inv0 i2 + -> inv1 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} requires {[#"../06_map_precond.rs" 167 11 167 41] reinitialize0 ()} requires {[#"../06_map_precond.rs" 168 11 168 51] preservation0 iter func} requires {[#"../06_map_precond.rs" 171 4 171 8] inv0 iter} 
@@ -1998,14 +2365,21 @@ module C06MapPrecond_Identity_Closure0 requires {[#"../common.rs" 21 82 21 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv2 a) -> ([#"../common.rs" 21 31 21 33] inv3 ab) -> ([#"../common.rs" 21 52 21 53] inv2 b) -> ([#"../common.rs" 21 61 21 63] inv3 bc) -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv2 a) + -> ([#"../common.rs" 21 31 21 33] inv3 ab) + -> ([#"../common.rs" 21 52 21 53] inv2 b) + -> ([#"../common.rs" 21 61 21 63] inv3 bc) + -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) use prelude.Int16 use C06MapPrecond_Identity_Closure0_Type as C06MapPrecond_Identity_Closure0 predicate unnest0 [#"../06_map_precond.rs" 178 14 178 20] (self : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) (_2 : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) 
@@ -2137,14 +2511,21 @@ module C06MapPrecond_Identity requires {[#"../common.rs" 21 82 21 83] inv1 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv1 a) -> ([#"../common.rs" 21 31 21 33] inv6 ab) -> ([#"../common.rs" 21 52 21 53] inv1 b) -> ([#"../common.rs" 21 61 21 63] inv6 bc) -> ([#"../common.rs" 21 82 21 83] inv1 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv1 a) + -> ([#"../common.rs" 21 31 21 33] inv6 ab) + -> ([#"../common.rs" 21 52 21 53] inv1 b) + -> ([#"../common.rs" 21 61 21 63] inv6 bc) + -> ([#"../common.rs" 21 82 21 83] inv1 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv1 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv1 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv1 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) predicate precondition0 [#"../06_map_precond.rs" 178 14 178 20] (self : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) = 
@@ -2154,7 +2535,8 @@ module C06MapPrecond_Identity predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv1 i -> inv2 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv1 i + -> inv2 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } 
@@ -2170,28 +2552,52 @@ module C06MapPrecond_Identity predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : item0 . forall f : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv1 i -> inv2 b -> inv5 f -> inv2 e2 -> inv2 e1 -> inv6 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : item0 . forall f : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv1 i + -> inv2 b + -> inv5 f + -> inv2 e2 + -> inv2 e1 + -> inv6 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) : bool ensures { result = preservation0 iter func } predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : item0 . forall f : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv1 i -> inv2 b -> inv5 f -> inv2 e2 -> inv2 e1 -> inv6 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : item0 . forall f : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv1 i + -> inv2 b + -> inv5 f + -> inv2 e2 + -> inv2 e1 + -> inv6 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv1 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv3 func} requires {[#"../06_map_precond.rs" 93 42 93 50] inv6 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : i, func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv1 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv3 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv6 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) + axiom preservation_inv0_spec : forall iter : i, func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i, produced : Seq.seq item0 . 
([#"../06_map_precond.rs" 93 24 93 28] inv1 iter) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv3 func) + -> ([#"../06_map_precond.rs" 93 42 93 50] inv6 produced) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) use prelude.Snapshot predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed0 self } predicate reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) = - [#"../06_map_precond.rs" 118 8 123 9] forall func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i . forall iter : borrowed i . inv3 func -> inv4 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../06_map_precond.rs" 118 8 123 9] forall func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i . forall iter : borrowed i . inv3 func + -> inv4 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -2217,7 +2623,8 @@ module C06MapPrecond_Identity ensures { result = resolve0 self } val map0 [#"../06_map_precond.rs" 170 0 173 17] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) : C06MapPrecond_Map_Type.t_map i item0 (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) item0 - requires {[#"../06_map_precond.rs" 166 0 166 131] forall i2 : i . forall e : item0 . inv1 i2 -> inv2 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} + requires {[#"../06_map_precond.rs" 166 0 166 131] forall i2 : i . forall e : item0 . inv1 i2 + -> inv2 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} requires {[#"../06_map_precond.rs" 167 11 167 41] reinitialize0 ()} requires {[#"../06_map_precond.rs" 168 11 168 51] preservation0 iter func} requires {[#"../06_map_precond.rs" 171 4 171 8] inv1 iter} @@ -2249,7 +2656,7 @@ module C06MapPrecond_Identity goto BB2 } BB2 { - [#"../06_map_precond.rs" 177 38 179 1] _0 <- ([#"../06_map_precond.rs" 177 38 179 1] ()); + [#"../06_map_precond.rs" 177 38 179 1] _0 <- ([#"../06_map_precond.rs" 177 38 179 1] [#"../06_map_precond.rs" 177 38 179 1] ()); goto BB3 } BB3 { @@ -2301,7 +2708,7 @@ module C06MapPrecond_Increment_Closure2 } BB0 { assume { resolve0 _1 }; - [#"../06_map_precond.rs" 190 20 190 25] res1 <- ([#"../06_map_precond.rs" 190 20 190 25] x + (1 : uint32)); + [#"../06_map_precond.rs" 190 20 190 25] res1 <- ([#"../06_map_precond.rs" 190 20 190 25] x + ([#"../06_map_precond.rs" 190 24 190 25] (1 : uint32))); [#"../06_map_precond.rs" 188 8 188 29] res <- ([#"../06_map_precond.rs" 188 8 188 29] res1); [#"../06_map_precond.rs" 189 8 189 35] _0 <- ([#"../06_map_precond.rs" 189 8 189 35] res); return _0 
@@ -2403,14 +2810,21 @@ module C06MapPrecond_Increment requires {[#"../common.rs" 21 82 21 83] inv2 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : u, ab : Seq.seq uint32, b : u, bc : Seq.seq uint32, c : u . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv2 a) -> ([#"../common.rs" 21 31 21 33] inv5 ab) -> ([#"../common.rs" 21 52 21 53] inv2 b) -> ([#"../common.rs" 21 61 21 63] inv5 bc) -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : u, ab : Seq.seq uint32, b : u, bc : Seq.seq uint32, c : u . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv2 a) + -> ([#"../common.rs" 21 31 21 33] inv5 ab) + -> ([#"../common.rs" 21 52 21 53] inv2 b) + -> ([#"../common.rs" 21 61 21 63] inv5 bc) + -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 [#"../common.rs" 15 4 15 27] (self : u) : () val produces_refl1 [#"../common.rs" 15 4 15 27] (self : u) : () requires {[#"../common.rs" 15 21 15 25] inv2 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : u . ([#"../common.rs" 15 21 15 25] inv2 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : u . ([#"../common.rs" 15 21 15 25] inv2 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : borrowed u) val invariant1 (self : borrowed u) : bool ensures { result = invariant1 self } 
@@ -2451,11 +2865,13 @@ module C06MapPrecond_Increment predicate produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32) (visited : Seq.seq uint32) (succ : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32) = - [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq uint32 . inv5 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u)) . inv6 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq uint32 . inv5 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u)) . inv6 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 
1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C06MapPrecond_Map_Type.map_func self = C06MapPrecond_Map_Type.map_func succ else * Seq.get fs 0 = C06MapPrecond_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C06MapPrecond_Map_Type.map_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32) (visited : Seq.seq uint32) (succ : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32) : bool ensures { result = produces0 self visited succ } 
@@ -2473,7 +2889,14 @@ module C06MapPrecond_Increment requires {[#"../06_map_precond.rs" 38 82 38 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32, ab : Seq.seq uint32, b : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32, bc : Seq.seq uint32, c : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32 . ([#"../06_map_precond.rs" 35 15 35 32] produces0 a ab b) -> ([#"../06_map_precond.rs" 36 15 36 32] produces0 b bc c) -> ([#"../06_map_precond.rs" 38 22 38 23] inv0 a) -> ([#"../06_map_precond.rs" 38 31 38 33] inv5 ab) -> ([#"../06_map_precond.rs" 38 52 38 53] inv0 b) -> ([#"../06_map_precond.rs" 38 61 38 63] inv5 bc) -> ([#"../06_map_precond.rs" 38 82 38 83] inv0 c) -> ([#"../06_map_precond.rs" 37 14 37 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32, ab : Seq.seq uint32, b : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32, bc : Seq.seq uint32, c : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32 . 
([#"../06_map_precond.rs" 35 15 35 32] produces0 a ab b) + -> ([#"../06_map_precond.rs" 36 15 36 32] produces0 b bc c) + -> ([#"../06_map_precond.rs" 38 22 38 23] inv0 a) + -> ([#"../06_map_precond.rs" 38 31 38 33] inv5 ab) + -> ([#"../06_map_precond.rs" 38 52 38 53] inv0 b) + -> ([#"../06_map_precond.rs" 38 61 38 63] inv5 bc) + -> ([#"../06_map_precond.rs" 38 82 38 83] inv0 c) + -> ([#"../06_map_precond.rs" 37 14 37 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 [#"../06_map_precond.rs" 31 4 31 26] (self : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32) : () = 
@@ -2482,12 +2905,14 @@ module C06MapPrecond_Increment requires {[#"../06_map_precond.rs" 31 21 31 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32 . ([#"../06_map_precond.rs" 31 21 31 25] inv0 self) -> ([#"../06_map_precond.rs" 30 14 30 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32 . ([#"../06_map_precond.rs" 31 21 31 25] inv0 self) + -> ([#"../06_map_precond.rs" 30 14 30 45] produces0 self (Seq.empty ) self) use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) (produced : Seq.seq uint32) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : u . forall e : uint32 . inv2 i -> inv3 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : u . forall e : uint32 . inv2 i + -> inv3 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) (produced : Seq.seq uint32) : bool ensures { result = next_precondition0 iter func produced } 
@@ -2495,27 +2920,51 @@ module C06MapPrecond_Increment predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : u . forall b : uint32 . forall f : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i -> inv3 b -> inv7 f -> inv3 e2 -> inv3 e1 -> inv5 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : u . forall b : uint32 . forall f : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i + -> inv3 b + -> inv7 f + -> inv3 e2 + -> inv3 e1 + -> inv5 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) : bool ensures { result = preservation0 iter func } predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) (produced : Seq.seq uint32) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : u . forall b : uint32 . forall f : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . 
inv2 i -> inv3 b -> inv7 f -> inv3 e2 -> inv3 e1 -> inv5 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : u . forall b : uint32 . forall f : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i + -> inv3 b + -> inv7 f + -> inv3 e2 + -> inv3 e1 + -> inv5 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) (produced : Seq.seq uint32) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv2 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv4 func} requires {[#"../06_map_precond.rs" 93 42 93 50] inv5 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : u, func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u, produced : Seq.seq uint32 . ([#"../06_map_precond.rs" 93 24 93 28] inv2 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv4 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv5 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) + axiom preservation_inv0_spec : forall iter : u, func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u, produced : Seq.seq uint32 . 
([#"../06_map_precond.rs" 93 24 93 28] inv2 iter) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv4 func) + -> ([#"../06_map_precond.rs" 93 42 93 50] inv5 produced) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed u) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed u) : bool ensures { result = completed0 self } predicate reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) = - [#"../06_map_precond.rs" 118 8 123 9] forall func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u . forall iter : borrowed u . inv4 func -> inv1 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../06_map_precond.rs" 118 8 123 9] forall func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u . forall iter : borrowed u . inv4 func + -> inv1 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -2535,7 +2984,8 @@ module C06MapPrecond_Increment ensures { result = resolve0 self } val map0 [#"../06_map_precond.rs" 170 0 173 17] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32 - requires {[#"../06_map_precond.rs" 166 0 166 131] forall i2 : u . forall e : uint32 . inv2 i2 -> inv3 e -> produces1 iter (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} + requires {[#"../06_map_precond.rs" 166 0 166 131] forall i2 : u . forall e : uint32 . inv2 i2 + -> inv3 e -> produces1 iter (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} requires {[#"../06_map_precond.rs" 167 11 167 41] reinitialize0 ()} requires {[#"../06_map_precond.rs" 168 11 168 51] preservation0 iter func} requires {[#"../06_map_precond.rs" 171 4 171 8] inv2 iter} 
@@ -2544,8 +2994,13 @@ module C06MapPrecond_Increment ensures { [#"../06_map_precond.rs" 173 5 173 17] inv0 result } let rec cfg increment [#"../06_map_precond.rs" 185 0 185 50] [@cfg:stackify] [@cfg:subregion_analysis] (iter : u) : () - requires {[#"../06_map_precond.rs" 181 0 181 158] forall done' : borrowed u . inv1 done' -> completed0 done' -> (forall steps : Seq.seq uint32 . forall next : u . inv2 next -> produces1 ( ^ done') steps next -> steps = Seq.empty /\ ^ done' = next)} - requires {[#"../06_map_precond.rs" 182 0 184 2] forall fin : u . forall prod : Seq.seq uint32 . inv2 fin -> produces1 iter prod fin -> (forall x : int . 0 <= x /\ x < Seq.length prod -> Seq.get prod x <= (10 : uint32))} + requires {[#"../06_map_precond.rs" 181 0 181 158] forall done' : borrowed u . inv1 done' + -> completed0 done' + -> (forall steps : Seq.seq uint32 . forall next : u . inv2 next + -> produces1 ( ^ done') steps next -> steps = Seq.empty /\ ^ done' = next)} + requires {[#"../06_map_precond.rs" 182 0 184 2] forall fin : u . forall prod : Seq.seq uint32 . inv2 fin + -> produces1 iter prod fin + -> (forall x : int . 0 <= x /\ x < Seq.length prod -> Seq.get prod x <= (10 : uint32))} requires {[#"../06_map_precond.rs" 185 42 185 46] inv2 iter} = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -2569,11 +3024,12 @@ module C06MapPrecond_Increment BB2 { assert { [@expl:type invariant] inv0 i }; assume { resolve0 i }; - assert { [@expl:assertion] [#"../06_map_precond.rs" 193 4 196 5] forall fin : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32 . forall prod : Seq.seq uint32 . inv0 fin -> produces0 i prod fin -> (forall x : int . 0 <= x /\ x < Seq.length prod -> Seq.get prod x <= (11 : uint32)) }; + assert { [@expl:assertion] [#"../06_map_precond.rs" 193 4 196 5] forall fin : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32 . forall prod : Seq.seq uint32 . inv0 fin + -> produces0 i prod fin -> (forall x : int . 0 <= x /\ x < Seq.length prod -> Seq.get prod x <= (11 : uint32)) }; goto BB3 } BB3 { - [#"../06_map_precond.rs" 185 51 197 1] _0 <- ([#"../06_map_precond.rs" 185 51 197 1] ()); + [#"../06_map_precond.rs" 185 51 197 1] _0 <- ([#"../06_map_precond.rs" 185 51 197 1] [#"../06_map_precond.rs" 185 51 197 1] ()); goto BB4 } BB4 { 
@@ -2642,7 +3098,7 @@ module C06MapPrecond_Counter_Closure2 goto BB0 } BB0 { - [#"../06_map_precond.rs" 208 12 208 20] _1 <- { _1 with current = (let C06MapPrecond_Counter_Closure2.C06MapPrecond_Counter_Closure2 x0 = * _1 in C06MapPrecond_Counter_Closure2.C06MapPrecond_Counter_Closure2 ({ (field_00 ( * _1)) with current = ([#"../06_map_precond.rs" 208 12 208 20] * field_00 ( * _1) + (1 : usize)) ; })) ; }; + [#"../06_map_precond.rs" 208 12 208 20] _1 <- { _1 with current = (let C06MapPrecond_Counter_Closure2.C06MapPrecond_Counter_Closure2 x0 = * _1 in C06MapPrecond_Counter_Closure2.C06MapPrecond_Counter_Closure2 ({ (field_00 ( * _1)) with current = ([#"../06_map_precond.rs" 208 12 208 20] * field_00 ( * _1) + ([#"../06_map_precond.rs" 208 19 208 20] (1 : usize))) ; })) ; }; assume { resolve0 _1 }; [#"../06_map_precond.rs" 209 12 209 13] res1 <- ([#"../06_map_precond.rs" 209 12 209 13] x); [#"../06_map_precond.rs" 205 8 205 63] res <- ([#"../06_map_precond.rs" 205 8 205 63] res1); 
@@ -2736,14 +3192,21 @@ module C06MapPrecond_Counter requires {[#"../common.rs" 21 82 21 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq uint32, b : i, bc : Seq.seq uint32, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv2 a) -> ([#"../common.rs" 21 31 21 33] inv6 ab) -> ([#"../common.rs" 21 52 21 53] inv2 b) -> ([#"../common.rs" 21 61 21 63] inv6 bc) -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq uint32, b : i, bc : Seq.seq uint32, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv2 a) + -> ([#"../common.rs" 21 31 21 33] inv6 ab) + -> ([#"../common.rs" 21 52 21 53] inv2 b) + -> ([#"../common.rs" 21 61 21 63] inv6 bc) + -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) predicate invariant1 (self : borrowed i) val invariant1 (self : borrowed i) : bool ensures { result = invariant1 self } 
@@ -2775,7 +3238,8 @@ module C06MapPrecond_Counter predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) (produced : Seq.seq uint32) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : uint32 . inv2 i -> inv3 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : uint32 . inv2 i + -> inv3 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) (produced : Seq.seq uint32) : bool ensures { result = next_precondition0 iter func produced } 
@@ -2791,27 +3255,51 @@ module C06MapPrecond_Counter predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : uint32 . forall f : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i -> inv3 b -> inv5 f -> inv3 e2 -> inv3 e1 -> inv6 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : uint32 . forall f : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i + -> inv3 b + -> inv5 f + -> inv3 e2 + -> inv3 e1 + -> inv6 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) : bool ensures { result = preservation0 iter func } predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) (produced : Seq.seq uint32) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : uint32 . forall f : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . 
inv2 i -> inv3 b -> inv5 f -> inv3 e2 -> inv3 e1 -> inv6 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : uint32 . forall f : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i + -> inv3 b + -> inv5 f + -> inv3 e2 + -> inv3 e1 + -> inv6 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) (produced : Seq.seq uint32) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv2 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv4 func} requires {[#"../06_map_precond.rs" 93 42 93 50] inv6 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : i, func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i, produced : Seq.seq uint32 . ([#"../06_map_precond.rs" 93 24 93 28] inv2 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv4 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv6 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) + axiom preservation_inv0_spec : forall iter : i, func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i, produced : Seq.seq uint32 . 
([#"../06_map_precond.rs" 93 24 93 28] inv2 iter) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv4 func) + -> ([#"../06_map_precond.rs" 93 42 93 50] inv6 produced) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed0 self } predicate reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) = - [#"../06_map_precond.rs" 118 8 123 9] forall func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i . forall iter : borrowed i . inv4 func -> inv1 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../06_map_precond.rs" 118 8 123 9] forall func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i . forall iter : borrowed i . inv4 func + -> inv1 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -2837,7 +3325,8 @@ module C06MapPrecond_Counter ensures { result = resolve0 self } val map0 [#"../06_map_precond.rs" 170 0 173 17] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) : C06MapPrecond_Map_Type.t_map i uint32 (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) uint32 - requires {[#"../06_map_precond.rs" 166 0 166 131] forall i2 : i . forall e : uint32 . inv2 i2 -> inv3 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} + requires {[#"../06_map_precond.rs" 166 0 166 131] forall i2 : i . forall e : uint32 . inv2 i2 + -> inv3 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} requires {[#"../06_map_precond.rs" 167 11 167 41] reinitialize0 ()} requires {[#"../06_map_precond.rs" 168 11 168 51] preservation0 iter func} requires {[#"../06_map_precond.rs" 171 4 171 8] inv2 iter} 
@@ -2846,8 +3335,12 @@ module C06MapPrecond_Counter ensures { [#"../06_map_precond.rs" 173 5 173 17] inv0 result } let rec cfg counter [#"../06_map_precond.rs" 201 0 201 48] [@cfg:stackify] [@cfg:subregion_analysis] (iter : i) : () - requires {[#"../06_map_precond.rs" 199 0 199 158] forall done' : borrowed i . inv1 done' -> completed0 done' -> (forall steps : Seq.seq uint32 . forall next : i . inv2 next -> produces0 ( ^ done') steps next -> steps = Seq.empty /\ ^ done' = next)} - requires {[#"../06_map_precond.rs" 200 0 200 92] forall fin : i . forall prod : Seq.seq uint32 . inv2 fin -> produces0 iter prod fin -> Seq.length prod <= UIntSize.to_int max0} + requires {[#"../06_map_precond.rs" 199 0 199 158] forall done' : borrowed i . inv1 done' + -> completed0 done' + -> (forall steps : Seq.seq uint32 . forall next : i . inv2 next + -> produces0 ( ^ done') steps next -> steps = Seq.empty /\ ^ done' = next)} + requires {[#"../06_map_precond.rs" 200 0 200 92] forall fin : i . forall prod : Seq.seq uint32 . inv2 fin + -> produces0 iter prod fin -> Seq.length prod <= UIntSize.to_int max0} requires {[#"../06_map_precond.rs" 201 40 201 44] inv2 iter} = [@vc:do_not_keep_trace] [@vc:sp] @@ -2864,7 +3357,7 @@ module C06MapPrecond_Counter goto BB1 } BB1 { - [#"../06_map_precond.rs" 202 18 202 19] cnt <- ([#"../06_map_precond.rs" 202 18 202 19] (0 : usize)); + [#"../06_map_precond.rs" 202 18 202 19] cnt <- ([#"../06_map_precond.rs" 202 18 202 19] [#"../06_map_precond.rs" 202 18 202 19] (0 : usize)); [#"../06_map_precond.rs" 206 8 206 41] _8 <- Borrow.borrow_mut cnt; [#"../06_map_precond.rs" 206 8 206 41] cnt <- ^ _8; [#"../06_map_precond.rs" 206 8 206 41] _7 <- ([#"../06_map_precond.rs" 206 8 206 41] C06MapPrecond_Counter_Closure2.C06MapPrecond_Counter_Closure2 _8); 
@@ -2880,7 +3373,7 @@ module C06MapPrecond_Counter goto BB3 } BB3 { - [#"../06_map_precond.rs" 201 49 212 1] _0 <- ([#"../06_map_precond.rs" 201 49 212 1] ()); + [#"../06_map_precond.rs" 201 49 212 1] _0 <- ([#"../06_map_precond.rs" 201 49 212 1] [#"../06_map_precond.rs" 201 49 212 1] ()); goto BB4 } BB4 { @@ -2997,7 +3490,8 @@ module C06MapPrecond_Impl0 use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv9 i -> inv6 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv9 i + -> inv6 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } 
@@ -3012,27 +3506,52 @@ module C06MapPrecond_Impl0 ensures { result = unnest0 self _2 } predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv9 i -> inv4 b -> inv5 f -> inv6 e2 -> inv6 e1 -> inv7 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv9 i + -> inv4 b + -> inv5 f + -> inv6 e2 + -> inv6 e1 + -> inv7 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } use seq.Seq predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv9 i -> inv4 b -> inv5 f -> inv6 e2 -> inv6 e1 -> inv7 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . 
forall s : Seq.seq item0 . inv9 i + -> inv4 b + -> inv5 f + -> inv6 e2 + -> inv6 e1 + -> inv7 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv9 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv10 func} requires {[#"../06_map_precond.rs" 93 42 93 50] inv7 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv9 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv10 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv7 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) + axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv9 iter) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv10 func) + -> ([#"../06_map_precond.rs" 93 42 93 50] inv7 produced) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) use prelude.Snapshot predicate completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed1 self } predicate reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) = - [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . 
inv10 func -> inv12 iter -> completed1 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . inv10 func + -> inv12 iter + -> completed1 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -3083,11 +3602,13 @@ module C06MapPrecond_Impl0 predicate produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv7 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv8 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv7 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv8 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C06MapPrecond_Map_Type.map_func self = C06MapPrecond_Map_Type.map_func succ else * Seq.get fs 0 = C06MapPrecond_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C06MapPrecond_Map_Type.map_func succ - ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = produces0 self visited succ } 
@@ -3102,22 +3623,30 @@ module C06MapPrecond_Impl0 requires {[#"../06_map_precond.rs" 142 38 142 42] inv2 succ} ensures { result = produces_one0 self visited succ } - axiom produces_one0_spec : forall self : C06MapPrecond_Map_Type.t_map i b f item0, visited : b, succ : C06MapPrecond_Map_Type.t_map i b f item0 . ([#"../06_map_precond.rs" 142 20 142 24] inv2 self) -> ([#"../06_map_precond.rs" 142 26 142 33] inv4 visited) -> ([#"../06_map_precond.rs" 142 38 142 42] inv2 succ) -> ([#"../06_map_precond.rs" 141 14 141 68] produces_one0 self visited succ = produces0 self (Seq.singleton visited) succ) + axiom produces_one0_spec : forall self : C06MapPrecond_Map_Type.t_map i b f item0, visited : b, succ : C06MapPrecond_Map_Type.t_map i b f item0 . ([#"../06_map_precond.rs" 142 20 142 24] inv2 self) + -> ([#"../06_map_precond.rs" 142 26 142 33] inv4 visited) + -> ([#"../06_map_precond.rs" 142 38 142 42] inv2 succ) + -> ([#"../06_map_precond.rs" 141 14 141 68] produces_one0 self visited succ = produces0 self (Seq.singleton visited) succ) predicate completed0 [#"../06_map_precond.rs" 21 4 21 35] (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) = [#"../06_map_precond.rs" 22 8 25 9] Snapshot.inner (C06MapPrecond_Map_Type.map_produced ( ^ self)) = Seq.empty /\ completed1 (Borrow.borrow_logic (C06MapPrecond_Map_Type.map_iter ( * self)) (C06MapPrecond_Map_Type.map_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ C06MapPrecond_Map_Type.map_func ( * self) = C06MapPrecond_Map_Type.map_func ( ^ self) val completed0 [#"../06_map_precond.rs" 21 4 21 35] (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) : bool ensures { result = completed0 self } - goal next_refn : [#"../06_map_precond.rs" 63 4 63 44] forall self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0) . inv0 self -> inv0 self /\ (forall result : Core_Option_Option_Type.t_option b . 
inv1 result /\ match result with + goal next_refn : [#"../06_map_precond.rs" 63 4 63 44] forall self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0) . inv0 self + -> inv0 self /\ (forall result : Core_Option_Option_Type.t_option b . inv1 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces_one0 ( * self) v ( ^ self) - end -> inv1 result /\ match result with + end + -> inv1 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) - goal produces_trans_refn : [#"../06_map_precond.rs" 38 4 38 90] forall a : C06MapPrecond_Map_Type.t_map i b f item0 . forall ab : Seq.seq b . forall b : C06MapPrecond_Map_Type.t_map i b f item0 . forall bc : Seq.seq b . forall c : C06MapPrecond_Map_Type.t_map i b f item0 . inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b -> inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) - goal produces_refl_refn : [#"../06_map_precond.rs" 31 4 31 26] forall self : C06MapPrecond_Map_Type.t_map i b f item0 . inv2 self -> inv2 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal produces_trans_refn : [#"../06_map_precond.rs" 38 4 38 90] forall a : C06MapPrecond_Map_Type.t_map i b f item0 . forall ab : Seq.seq b . forall b : C06MapPrecond_Map_Type.t_map i b f item0 . forall bc : Seq.seq b . forall c : C06MapPrecond_Map_Type.t_map i b f item0 . inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b + -> inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . 
produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) + goal produces_refl_refn : [#"../06_map_precond.rs" 31 4 31 26] forall self : C06MapPrecond_Map_Type.t_map i b f item0 . inv2 self + -> inv2 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) end module C06MapPrecond_Impl2 type i diff --git a/creusot/tests/should_succeed/iterators/07_fuse.mlcfg b/creusot/tests/should_succeed/iterators/07_fuse.mlcfg index fb1ead2e6c..4652e4992c 100644 --- a/creusot/tests/should_succeed/iterators/07_fuse.mlcfg +++ b/creusot/tests/should_succeed/iterators/07_fuse.mlcfg 
@@ -74,14 +74,21 @@ module C07Fuse_Impl0_Next requires {[#"../common.rs" 21 82 21 83] inv3 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv3 a) -> ([#"../common.rs" 21 31 21 33] inv6 ab) -> ([#"../common.rs" 21 52 21 53] inv3 b) -> ([#"../common.rs" 21 61 21 63] inv6 bc) -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv3 a) + -> ([#"../common.rs" 21 31 21 33] inv6 ab) + -> ([#"../common.rs" 21 52 21 53] inv3 b) + -> ([#"../common.rs" 21 61 21 63] inv6 bc) + -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv3 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant3 (self : i) val invariant3 (self : i) : bool ensures { result = invariant3 self } 
@@ -322,14 +329,21 @@ module C07Fuse_Impl0_ProducesRefl_Impl requires {[#"../common.rs" 21 82 21 83] inv1 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv1 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv1 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv1 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv1 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv1 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv1 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv1 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv1 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv1 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) use C07Fuse_Fuse_Type as C07Fuse_Fuse_Type predicate invariant0 (self : C07Fuse_Fuse_Type.t_fuse i) val invariant0 (self : C07Fuse_Fuse_Type.t_fuse i) : bool 
@@ -356,7 +370,8 @@ module C07Fuse_Impl0_ProducesRefl_Impl constant self : C07Fuse_Fuse_Type.t_fuse i function produces_refl [#"../07_fuse.rs" 55 4 55 26] (self : C07Fuse_Fuse_Type.t_fuse i) : () - goal vc_produces_refl : ([#"../07_fuse.rs" 55 21 55 25] inv0 self) -> ([#"../07_fuse.rs" 54 14 54 45] produces0 self (Seq.empty ) self) + goal vc_produces_refl : ([#"../07_fuse.rs" 55 21 55 25] inv0 self) + -> ([#"../07_fuse.rs" 54 14 54 45] produces0 self (Seq.empty ) self) end module C07Fuse_Impl0_ProducesTrans_Impl type i 
@@ -392,14 +407,21 @@ module C07Fuse_Impl0_ProducesTrans_Impl requires {[#"../common.rs" 21 82 21 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv2 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv2 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv2 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv2 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : Seq.seq item0) val invariant1 (self : Seq.seq item0) : bool ensures { result = invariant1 self } 
@@ -436,7 +458,14 @@ module C07Fuse_Impl0_ProducesTrans_Impl constant c : C07Fuse_Fuse_Type.t_fuse i function produces_trans [#"../07_fuse.rs" 62 4 62 90] (a : C07Fuse_Fuse_Type.t_fuse i) (ab : Seq.seq item0) (b : C07Fuse_Fuse_Type.t_fuse i) (bc : Seq.seq item0) (c : C07Fuse_Fuse_Type.t_fuse i) : () - goal vc_produces_trans : ([#"../07_fuse.rs" 62 82 62 83] inv0 c) -> ([#"../07_fuse.rs" 62 61 62 63] inv1 bc) -> ([#"../07_fuse.rs" 62 52 62 53] inv0 b) -> ([#"../07_fuse.rs" 62 31 62 33] inv1 ab) -> ([#"../07_fuse.rs" 62 22 62 23] inv0 a) -> ([#"../07_fuse.rs" 60 15 60 32] produces0 b bc c) -> ([#"../07_fuse.rs" 59 15 59 32] produces0 a ab b) -> ([#"../07_fuse.rs" 61 14 61 42] produces0 a (Seq.(++) ab bc) c) + goal vc_produces_trans : ([#"../07_fuse.rs" 62 82 62 83] inv0 c) + -> ([#"../07_fuse.rs" 62 61 62 63] inv1 bc) + -> ([#"../07_fuse.rs" 62 52 62 53] inv0 b) + -> ([#"../07_fuse.rs" 62 31 62 33] inv1 ab) + -> ([#"../07_fuse.rs" 62 22 62 23] inv0 a) + -> ([#"../07_fuse.rs" 60 15 60 32] produces0 b bc c) + -> ([#"../07_fuse.rs" 59 15 59 32] produces0 a ab b) + -> ([#"../07_fuse.rs" 61 14 61 42] produces0 a (Seq.(++) ab bc) c) end module C07Fuse_Impl1_IsFused_Impl type i 
@@ -482,14 +511,21 @@ module C07Fuse_Impl1_IsFused_Impl requires {[#"../common.rs" 21 82 21 83] inv4 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv4 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv4 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv4 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv4 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl1 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv4 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv4 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv4 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) use C07Fuse_Fuse_Type as C07Fuse_Fuse_Type predicate invariant2 (self : C07Fuse_Fuse_Type.t_fuse i) val invariant2 (self : C07Fuse_Fuse_Type.t_fuse i) : bool 
@@ -542,14 +578,21 @@ module C07Fuse_Impl1_IsFused_Impl requires {[#"../07_fuse.rs" 62 82 62 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : C07Fuse_Fuse_Type.t_fuse i, ab : Seq.seq item0, b : C07Fuse_Fuse_Type.t_fuse i, bc : Seq.seq item0, c : C07Fuse_Fuse_Type.t_fuse i . ([#"../07_fuse.rs" 59 15 59 32] produces0 a ab b) -> ([#"../07_fuse.rs" 60 15 60 32] produces0 b bc c) -> ([#"../07_fuse.rs" 62 22 62 23] inv2 a) -> ([#"../07_fuse.rs" 62 31 62 33] inv1 ab) -> ([#"../07_fuse.rs" 62 52 62 53] inv2 b) -> ([#"../07_fuse.rs" 62 61 62 63] inv1 bc) -> ([#"../07_fuse.rs" 62 82 62 83] inv2 c) -> ([#"../07_fuse.rs" 61 14 61 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : C07Fuse_Fuse_Type.t_fuse i, ab : Seq.seq item0, b : C07Fuse_Fuse_Type.t_fuse i, bc : Seq.seq item0, c : C07Fuse_Fuse_Type.t_fuse i . ([#"../07_fuse.rs" 59 15 59 32] produces0 a ab b) + -> ([#"../07_fuse.rs" 60 15 60 32] produces0 b bc c) + -> ([#"../07_fuse.rs" 62 22 62 23] inv2 a) + -> ([#"../07_fuse.rs" 62 31 62 33] inv1 ab) + -> ([#"../07_fuse.rs" 62 52 62 53] inv2 b) + -> ([#"../07_fuse.rs" 62 61 62 63] inv1 bc) + -> ([#"../07_fuse.rs" 62 82 62 83] inv2 c) -> ([#"../07_fuse.rs" 61 14 61 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 [#"../07_fuse.rs" 55 4 55 26] (self : C07Fuse_Fuse_Type.t_fuse i) : () = [#"../07_fuse.rs" 52 4 52 10] () val produces_refl0 [#"../07_fuse.rs" 55 4 55 26] (self : C07Fuse_Fuse_Type.t_fuse i) : () requires {[#"../07_fuse.rs" 55 21 55 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : C07Fuse_Fuse_Type.t_fuse i . ([#"../07_fuse.rs" 55 21 55 25] inv2 self) -> ([#"../07_fuse.rs" 54 14 54 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : C07Fuse_Fuse_Type.t_fuse i . 
([#"../07_fuse.rs" 55 21 55 25] inv2 self) + -> ([#"../07_fuse.rs" 54 14 54 45] produces0 self (Seq.empty ) self) predicate completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed1 self } @@ -564,7 +607,12 @@ module C07Fuse_Impl1_IsFused_Impl constant next : C07Fuse_Fuse_Type.t_fuse i function is_fused [#"../07_fuse.rs" 81 4 81 62] (self : borrowed (C07Fuse_Fuse_Type.t_fuse i)) (steps : Seq.seq item0) (next : C07Fuse_Fuse_Type.t_fuse i) : () - goal vc_is_fused : ([#"../07_fuse.rs" 81 51 81 55] inv2 next) -> ([#"../07_fuse.rs" 81 27 81 32] inv1 steps) -> ([#"../07_fuse.rs" 81 21 81 25] inv0 self) -> ([#"../07_fuse.rs" 79 15 79 44] produces0 ( ^ self) steps next) -> ([#"../07_fuse.rs" 78 15 78 31] completed0 self) -> ([#"../07_fuse.rs" 80 14 80 50] steps = Seq.empty /\ ^ self = next) + goal vc_is_fused : ([#"../07_fuse.rs" 81 51 81 55] inv2 next) + -> ([#"../07_fuse.rs" 81 27 81 32] inv1 steps) + -> ([#"../07_fuse.rs" 81 21 81 25] inv0 self) + -> ([#"../07_fuse.rs" 79 15 79 44] produces0 ( ^ self) steps next) + -> ([#"../07_fuse.rs" 78 15 78 31] completed0 self) + -> ([#"../07_fuse.rs" 80 14 80 50] steps = Seq.empty /\ ^ self = next) end module C07Fuse_Impl0 type i 
@@ -648,12 +696,17 @@ module C07Fuse_Impl0 val produces0 [#"../07_fuse.rs" 25 4 25 65] (self : C07Fuse_Fuse_Type.t_fuse i) (prod : Seq.seq item0) (other : C07Fuse_Fuse_Type.t_fuse i) : bool ensures { result = produces0 self prod other } - goal produces_refl_refn : [#"../07_fuse.rs" 55 4 55 26] forall self : C07Fuse_Fuse_Type.t_fuse i . inv0 self -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal produces_trans_refn : [#"../07_fuse.rs" 62 4 62 90] forall a : C07Fuse_Fuse_Type.t_fuse i . forall ab : Seq.seq item0 . forall b : C07Fuse_Fuse_Type.t_fuse i . forall bc : Seq.seq item0 . forall c : C07Fuse_Fuse_Type.t_fuse i . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) - goal next_refn : [#"../07_fuse.rs" 39 4 39 44] forall self : borrowed (C07Fuse_Fuse_Type.t_fuse i) . inv2 self -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option item0 . inv3 result /\ match result with + goal produces_refl_refn : [#"../07_fuse.rs" 55 4 55 26] forall self : C07Fuse_Fuse_Type.t_fuse i . inv0 self + -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal produces_trans_refn : [#"../07_fuse.rs" 62 4 62 90] forall a : C07Fuse_Fuse_Type.t_fuse i . forall ab : Seq.seq item0 . forall b : C07Fuse_Fuse_Type.t_fuse i . forall bc : Seq.seq item0 . forall c : C07Fuse_Fuse_Type.t_fuse i . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . 
produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) + goal next_refn : [#"../07_fuse.rs" 39 4 39 44] forall self : borrowed (C07Fuse_Fuse_Type.t_fuse i) . inv2 self + -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option item0 . inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv3 result /\ match result with + end + -> inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) @@ -729,5 +782,7 @@ module C07Fuse_Impl1 val produces0 [#"../07_fuse.rs" 25 4 25 65] (self : C07Fuse_Fuse_Type.t_fuse i) (prod : Seq.seq item0) (other : C07Fuse_Fuse_Type.t_fuse i) : bool ensures { result = produces0 self prod other } - goal is_fused_refn : [#"../07_fuse.rs" 81 4 81 62] forall self : borrowed (C07Fuse_Fuse_Type.t_fuse i) . forall steps : Seq.seq item0 . forall next : C07Fuse_Fuse_Type.t_fuse i . inv0 next /\ inv1 steps /\ inv2 self /\ produces0 ( ^ self) steps next /\ completed0 self -> inv0 next /\ inv1 steps /\ inv2 self /\ produces0 ( ^ self) steps next /\ completed0 self /\ (forall result : () . steps = Seq.empty /\ ^ self = next -> steps = Seq.empty /\ ^ self = next) + goal is_fused_refn : [#"../07_fuse.rs" 81 4 81 62] forall self : borrowed (C07Fuse_Fuse_Type.t_fuse i) . forall steps : Seq.seq item0 . forall next : C07Fuse_Fuse_Type.t_fuse i . inv0 next /\ inv1 steps /\ inv2 self /\ produces0 ( ^ self) steps next /\ completed0 self + -> inv0 next /\ inv1 steps /\ inv2 self /\ produces0 ( ^ self) steps next /\ completed0 self /\ (forall result : () . steps = Seq.empty /\ ^ self = next + -> steps = Seq.empty /\ ^ self = next) end 
diff --git a/creusot/tests/should_succeed/iterators/08_collect_extend.mlcfg b/creusot/tests/should_succeed/iterators/08_collect_extend.mlcfg index 3c9f7a6ccd..74feab7bd9 100644 --- a/creusot/tests/should_succeed/iterators/08_collect_extend.mlcfg +++ b/creusot/tests/should_succeed/iterators/08_collect_extend.mlcfg @@ -98,7 +98,8 @@ module C08CollectExtend_Extend requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant6 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv8 (shallow_model2 self) val invariant6 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -144,14 +145,22 @@ module C08CollectExtend_Extend requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv3 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv3 a) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv8 ab) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv3 b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv8 bc) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv3 c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv3 a) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv8 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv3 b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv8 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv3 c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : i) : () val produces_refl0 (self : i) : () requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv3 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . 
([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces0 self (Seq.empty ) self) predicate invariant3 (self : i) val invariant3 (self : i) : bool ensures { result = invariant3 self } @@ -371,7 +380,7 @@ module C08CollectExtend_Extend assume { resolve5 iter1 }; assert { [@expl:type invariant] inv7 vec }; assume { resolve6 vec }; - [#"../08_collect_extend.rs" 27 4 27 35] _0 <- ([#"../08_collect_extend.rs" 27 4 27 35] ()); + [#"../08_collect_extend.rs" 27 4 27 35] _0 <- ([#"../08_collect_extend.rs" 27 4 27 35] [#"../08_collect_extend.rs" 27 4 27 35] ()); goto BB20 } BB12 { 
@@ -482,7 +491,8 @@ module C08CollectExtend_Collect requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant5 (self : Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv6 (shallow_model0 self) val invariant5 (self : Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -528,14 +538,22 @@ module C08CollectExtend_Collect requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv2 a) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv6 ab) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv2 b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv6 bc) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv2 c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv2 a) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv6 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv2 b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv6 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv2 c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : i) : () val produces_refl0 (self : i) : () requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . 
([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces0 self (Seq.empty ) self) predicate invariant2 (self : i) val invariant2 (self : i) : bool ensures { result = invariant2 self } @@ -577,7 +595,8 @@ module C08CollectExtend_Collect ensures { result = index_logic0 self ix } predicate resolve5 (self : Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve6 (index_logic0 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve6 (index_logic0 self i) val resolve5 (self : Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve5 self } @@ -677,7 +696,7 @@ module C08CollectExtend_Collect goto BB1 } BB1 { - [#"../08_collect_extend.rs" 43 18 43 28] res <- ([#"../08_collect_extend.rs" 43 18 43 28] new0 ()); + [#"../08_collect_extend.rs" 43 18 43 28] res <- ([#"../08_collect_extend.rs" 43 18 43 28] new0 ([#"../08_collect_extend.rs" 43 18 43 28] ())); goto BB2 } BB2 { 
@@ -872,7 +891,14 @@ module C08CollectExtend_ExtendIndex requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv3 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global), ab : Seq.seq uint32, b : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global), bc : Seq.seq uint32, c : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 248 15 248 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 249 15 249 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 22 251 23] inv3 a) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 31 251 33] inv5 ab) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 43 251 44] inv3 b) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 52 251 54] inv5 bc) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv3 c) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 250 14 250 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global), ab : Seq.seq uint32, b : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global), bc : Seq.seq uint32, c : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global) . 
([#"../../../../../creusot-contracts/src/std/vec.rs" 248 15 248 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 249 15 249 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 22 251 23] inv3 a) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 31 251 33] inv5 ab) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 43 251 44] inv3 b) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 52 251 54] inv5 bc) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv3 c) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 250 14 250 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global)) : () @@ -882,7 +908,8 @@ module C08CollectExtend_ExtendIndex requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv3 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 243 14 243 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 243 14 243 45] produces0 self (Seq.empty ) self) use prelude.Borrow predicate invariant6 (self : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global))) 
@@ -934,7 +961,8 @@ module C08CollectExtend_ExtendIndex requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv5 (shallow_model0 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -969,7 +997,8 @@ module C08CollectExtend_ExtendIndex requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv7 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv5 (shallow_model6 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv5 (shallow_model6 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) function shallow_model2 (self : slice uint32) : Seq.seq uint32 = [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model6 self val shallow_model2 (self : slice uint32) : Seq.seq uint32 @@ -995,7 +1024,8 @@ module C08CollectExtend_ExtendIndex ensures { result = index_logic0 self ix } predicate resolve1 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve2 (index_logic0 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve2 (index_logic0 self i) val resolve1 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve1 self } 
@@ -1111,7 +1141,7 @@ module C08CollectExtend_ExtendIndex goto BB5 } BB5 { - [#"../08_collect_extend.rs" 52 52 58 1] _0 <- ([#"../08_collect_extend.rs" 52 52 58 1] ()); + [#"../08_collect_extend.rs" 52 52 58 1] _0 <- ([#"../08_collect_extend.rs" 52 52 58 1] [#"../08_collect_extend.rs" 52 52 58 1] ()); goto BB6 } BB6 { @@ -1147,7 +1177,8 @@ module C08CollectExtend_CollectExample requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1190,14 +1221,22 @@ module C08CollectExtend_CollectExample requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq uint32, b : i, bc : Seq.seq uint32, c : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv1 ab) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv1 bc) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq uint32, b : i, bc : Seq.seq uint32, c : i . 
([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv1 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv1 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : i) : () val produces_refl0 (self : i) : () requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : i) val invariant0 (self : i) : bool ensures { result = invariant0 self } 
@@ -1218,7 +1257,8 @@ module C08CollectExtend_CollectExample ensures { result = resolve1 self } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve1 (index_logic0 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve1 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } @@ -1232,7 +1272,9 @@ module C08CollectExtend_CollectExample ensures { [#"../08_collect_extend.rs" 42 40 42 52] inv3 result } let rec cfg collect_example [#"../08_collect_extend.rs" 61 0 61 56] [@cfg:stackify] [@cfg:subregion_analysis] (iter : i) : () - requires {[#"../08_collect_extend.rs" 60 0 60 130] forall fin : i . forall prod : Seq.seq uint32 . inv0 fin -> produces0 iter prod fin -> (forall i : int . 0 <= i /\ i < Seq.length prod -> UInt32.to_int (Seq.get prod i) = i)} + requires {[#"../08_collect_extend.rs" 60 0 60 130] forall fin : i . forall prod : Seq.seq uint32 . inv0 fin + -> produces0 iter prod fin + -> (forall i : int . 0 <= i /\ i < Seq.length prod -> UInt32.to_int (Seq.get prod i) = i)} requires {[#"../08_collect_extend.rs" 61 48 61 52] inv0 iter} = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -1252,11 +1294,12 @@ module C08CollectExtend_CollectExample } BB2 { assume { resolve0 v }; - assert { [@expl:assertion] [#"../08_collect_extend.rs" 64 4 64 75] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 v) -> UInt32.to_int (index_logic0 v i) = i }; + assert { [@expl:assertion] [#"../08_collect_extend.rs" 64 4 64 75] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 v) + -> UInt32.to_int (index_logic0 v i) = i }; goto BB3 } BB3 { - [#"../08_collect_extend.rs" 61 57 65 1] _0 <- ([#"../08_collect_extend.rs" 61 57 65 1] ()); + [#"../08_collect_extend.rs" 61 57 65 1] _0 <- ([#"../08_collect_extend.rs" 61 57 65 1] [#"../08_collect_extend.rs" 61 57 65 1] ()); goto BB4 } BB4 { diff --git a/creusot/tests/should_succeed/iterators/09_empty.mlcfg b/creusot/tests/should_succeed/iterators/09_empty.mlcfg index add4799173..a3c74943ee 100644 --- a/creusot/tests/should_succeed/iterators/09_empty.mlcfg +++ b/creusot/tests/should_succeed/iterators/09_empty.mlcfg @@ -55,7 +55,11 @@ module C09Empty_Impl0_ProducesTrans_Impl constant c : C09Empty_Empty_Type.t_empty t function produces_trans [#"../09_empty.rs" 35 4 35 90] (a : C09Empty_Empty_Type.t_empty t) (ab : Seq.seq t) (b : C09Empty_Empty_Type.t_empty t) (bc : Seq.seq t) (c : C09Empty_Empty_Type.t_empty t) : () - goal vc_produces_trans : ([#"../09_empty.rs" 35 61 35 63] inv0 bc) -> ([#"../09_empty.rs" 35 31 35 33] inv0 ab) -> ([#"../09_empty.rs" 33 15 33 32] produces0 b bc c) -> ([#"../09_empty.rs" 32 15 32 32] produces0 a ab b) -> ([#"../09_empty.rs" 34 14 34 42] produces0 a (Seq.(++) ab bc) c) + goal vc_produces_trans : ([#"../09_empty.rs" 35 61 35 63] inv0 bc) + -> ([#"../09_empty.rs" 35 31 35 33] inv0 ab) + -> ([#"../09_empty.rs" 33 15 33 32] produces0 b bc c) + -> ([#"../09_empty.rs" 32 15 32 32] produces0 a ab b) + -> ([#"../09_empty.rs" 34 14 34 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = 
@@ -180,12 +184,17 @@ module C09Empty_Impl0 val produces0 [#"../09_empty.rs" 21 4 21 64] (self : C09Empty_Empty_Type.t_empty t) (visited : Seq.seq t) (o : C09Empty_Empty_Type.t_empty t) : bool ensures { result = produces0 self visited o } - goal produces_trans_refn : [#"../09_empty.rs" 35 4 35 90] forall a : C09Empty_Empty_Type.t_empty t . forall ab : Seq.seq t . forall b : C09Empty_Empty_Type.t_empty t . forall bc : Seq.seq t . forall c : C09Empty_Empty_Type.t_empty t . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> inv1 bc /\ inv1 ab /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) - goal produces_refl_refn : [#"../09_empty.rs" 28 4 28 26] forall self : C09Empty_Empty_Type.t_empty t . inv0 self -> (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal next_refn : [#"../09_empty.rs" 41 4 41 35] forall self : borrowed (C09Empty_Empty_Type.t_empty t) . inv2 self -> (forall result : Core_Option_Option_Type.t_option t . inv3 result /\ match result with + goal produces_trans_refn : [#"../09_empty.rs" 35 4 35 90] forall a : C09Empty_Empty_Type.t_empty t . forall ab : Seq.seq t . forall b : C09Empty_Empty_Type.t_empty t . forall bc : Seq.seq t . forall c : C09Empty_Empty_Type.t_empty t . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> inv1 bc /\ inv1 ab /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) + goal produces_refl_refn : [#"../09_empty.rs" 28 4 28 26] forall self : C09Empty_Empty_Type.t_empty t . inv0 self + -> (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal next_refn : [#"../09_empty.rs" 41 4 41 35] forall self : borrowed (C09Empty_Empty_Type.t_empty t) . 
inv2 self + -> (forall result : Core_Option_Option_Type.t_option t . inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv3 result /\ match result with + end + -> inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) diff --git a/creusot/tests/should_succeed/iterators/10_once.mlcfg b/creusot/tests/should_succeed/iterators/10_once.mlcfg index 7ff8808fd4..41a028fcd6 100644 --- a/creusot/tests/should_succeed/iterators/10_once.mlcfg +++ b/creusot/tests/should_succeed/iterators/10_once.mlcfg @@ -49,7 +49,8 @@ module C10Once_Impl0_ProducesRefl_Impl constant self : C10Once_Once_Type.t_once t function produces_refl [#"../10_once.rs" 31 4 31 26] (self : C10Once_Once_Type.t_once t) : () - goal vc_produces_refl : ([#"../10_once.rs" 31 21 31 25] inv0 self) -> ([#"../10_once.rs" 30 14 30 45] produces0 self (Seq.empty ) self) + goal vc_produces_refl : ([#"../10_once.rs" 31 21 31 25] inv0 self) + -> ([#"../10_once.rs" 30 14 30 45] produces0 self (Seq.empty ) self) end module C10Once_Impl0_ProducesTrans_Impl type t 
@@ -100,7 +101,14 @@ module C10Once_Impl0_ProducesTrans_Impl constant c : C10Once_Once_Type.t_once t function produces_trans [#"../10_once.rs" 38 4 38 90] (a : C10Once_Once_Type.t_once t) (ab : Seq.seq t) (b : C10Once_Once_Type.t_once t) (bc : Seq.seq t) (c : C10Once_Once_Type.t_once t) : () - goal vc_produces_trans : ([#"../10_once.rs" 38 82 38 83] inv0 c) -> ([#"../10_once.rs" 38 61 38 63] inv1 bc) -> ([#"../10_once.rs" 38 52 38 53] inv0 b) -> ([#"../10_once.rs" 38 31 38 33] inv1 ab) -> ([#"../10_once.rs" 38 22 38 23] inv0 a) -> ([#"../10_once.rs" 36 15 36 32] produces0 b bc c) -> ([#"../10_once.rs" 35 15 35 32] produces0 a ab b) -> ([#"../10_once.rs" 37 14 37 42] produces0 a (Seq.(++) ab bc) c) + goal vc_produces_trans : ([#"../10_once.rs" 38 82 38 83] inv0 c) + -> ([#"../10_once.rs" 38 61 38 63] inv1 bc) + -> ([#"../10_once.rs" 38 52 38 53] inv0 b) + -> ([#"../10_once.rs" 38 31 38 33] inv1 ab) + -> ([#"../10_once.rs" 38 22 38 23] inv0 a) + -> ([#"../10_once.rs" 36 15 36 32] produces0 b bc c) + -> ([#"../10_once.rs" 35 15 35 32] produces0 a ab b) + -> ([#"../10_once.rs" 37 14 37 42] produces0 a (Seq.(++) ab bc) c) end module C10Once_Impl0_Next type t 
@@ -270,13 +278,18 @@ module C10Once_Impl0 val produces0 [#"../10_once.rs" 21 4 21 64] (self : C10Once_Once_Type.t_once t) (visited : Seq.seq t) (o : C10Once_Once_Type.t_once t) : bool ensures { result = produces0 self visited o } - goal produces_refl_refn : [#"../10_once.rs" 31 4 31 26] forall self : C10Once_Once_Type.t_once t . inv0 self -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal next_refn : [#"../10_once.rs" 44 4 44 35] forall self : borrowed (C10Once_Once_Type.t_once t) . inv1 self -> inv1 self /\ (forall result : Core_Option_Option_Type.t_option t . inv2 result /\ match result with + goal produces_refl_refn : [#"../10_once.rs" 31 4 31 26] forall self : C10Once_Once_Type.t_once t . inv0 self + -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal next_refn : [#"../10_once.rs" 44 4 44 35] forall self : borrowed (C10Once_Once_Type.t_once t) . inv1 self + -> inv1 self /\ (forall result : Core_Option_Option_Type.t_option t . inv2 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv2 result /\ match result with + end + -> inv2 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) - goal produces_trans_refn : [#"../10_once.rs" 38 4 38 90] forall a : C10Once_Once_Type.t_once t . forall ab : Seq.seq t . forall b : C10Once_Once_Type.t_once t . forall bc : Seq.seq t . forall c : C10Once_Once_Type.t_once t . inv0 c /\ inv3 bc /\ inv0 b /\ inv3 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> inv0 c /\ inv3 bc /\ inv0 b /\ inv3 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . 
produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) + goal produces_trans_refn : [#"../10_once.rs" 38 4 38 90] forall a : C10Once_Once_Type.t_once t . forall ab : Seq.seq t . forall b : C10Once_Once_Type.t_once t . forall bc : Seq.seq t . forall c : C10Once_Once_Type.t_once t . inv0 c /\ inv3 bc /\ inv0 b /\ inv3 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> inv0 c /\ inv3 bc /\ inv0 b /\ inv3 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) end diff --git a/creusot/tests/should_succeed/iterators/11_repeat.mlcfg b/creusot/tests/should_succeed/iterators/11_repeat.mlcfg index e18cf52a0c..d91ac59ba6 100644 --- a/creusot/tests/should_succeed/iterators/11_repeat.mlcfg +++ b/creusot/tests/should_succeed/iterators/11_repeat.mlcfg 
@@ -27,14 +27,16 @@ module C11Repeat_Impl0_ProducesRefl_Impl predicate produces0 [#"../11_repeat.rs" 23 4 23 64] (self : C11Repeat_Repeat_Type.t_repeat a) (visited : Seq.seq a) (o : C11Repeat_Repeat_Type.t_repeat a) = - [#"../11_repeat.rs" 24 8 27 9] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = C11Repeat_Repeat_Type.repeat_element self) + [#"../11_repeat.rs" 24 8 27 9] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> Seq.get visited i = C11Repeat_Repeat_Type.repeat_element self) val produces0 [#"../11_repeat.rs" 23 4 23 64] (self : C11Repeat_Repeat_Type.t_repeat a) (visited : Seq.seq a) (o : C11Repeat_Repeat_Type.t_repeat a) : bool ensures { result = produces0 self visited o } use seq.Seq constant self : C11Repeat_Repeat_Type.t_repeat a function produces_refl [#"../11_repeat.rs" 33 4 33 26] (self : C11Repeat_Repeat_Type.t_repeat a) : () - goal vc_produces_refl : ([#"../11_repeat.rs" 33 21 33 25] inv0 self) -> ([#"../11_repeat.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + goal vc_produces_refl : ([#"../11_repeat.rs" 33 21 33 25] inv0 self) + -> ([#"../11_repeat.rs" 32 14 32 45] produces0 self (Seq.empty ) self) end module C11Repeat_Impl0_ProducesTrans_Impl type a @@ -65,7 +67,8 @@ module C11Repeat_Impl0_ProducesTrans_Impl predicate produces0 [#"../11_repeat.rs" 23 4 23 64] (self : C11Repeat_Repeat_Type.t_repeat a) (visited : Seq.seq a) (o : C11Repeat_Repeat_Type.t_repeat a) = - [#"../11_repeat.rs" 24 8 27 9] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = C11Repeat_Repeat_Type.repeat_element self) + [#"../11_repeat.rs" 24 8 27 9] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> Seq.get visited i = C11Repeat_Repeat_Type.repeat_element self) val produces0 [#"../11_repeat.rs" 23 4 23 64] (self : C11Repeat_Repeat_Type.t_repeat a) (visited : Seq.seq a) (o : C11Repeat_Repeat_Type.t_repeat a) : bool ensures { result = produces0 self visited o } 
@@ -76,7 +79,14 @@ module C11Repeat_Impl0_ProducesTrans_Impl constant c : C11Repeat_Repeat_Type.t_repeat a function produces_trans [#"../11_repeat.rs" 40 4 40 90] (a : C11Repeat_Repeat_Type.t_repeat a) (ab : Seq.seq a) (b : C11Repeat_Repeat_Type.t_repeat a) (bc : Seq.seq a) (c : C11Repeat_Repeat_Type.t_repeat a) : () - goal vc_produces_trans : ([#"../11_repeat.rs" 40 82 40 83] inv0 c) -> ([#"../11_repeat.rs" 40 61 40 63] inv1 bc) -> ([#"../11_repeat.rs" 40 52 40 53] inv0 b) -> ([#"../11_repeat.rs" 40 31 40 33] inv1 ab) -> ([#"../11_repeat.rs" 40 22 40 23] inv0 a) -> ([#"../11_repeat.rs" 38 15 38 32] produces0 b bc c) -> ([#"../11_repeat.rs" 37 15 37 32] produces0 a ab b) -> ([#"../11_repeat.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + goal vc_produces_trans : ([#"../11_repeat.rs" 40 82 40 83] inv0 c) + -> ([#"../11_repeat.rs" 40 61 40 63] inv1 bc) + -> ([#"../11_repeat.rs" 40 52 40 53] inv0 b) + -> ([#"../11_repeat.rs" 40 31 40 33] inv1 ab) + -> ([#"../11_repeat.rs" 40 22 40 23] inv0 a) + -> ([#"../11_repeat.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../11_repeat.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../11_repeat.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = @@ -132,7 +142,8 @@ module C11Repeat_Impl0_Next predicate produces0 [#"../11_repeat.rs" 23 4 23 64] (self : C11Repeat_Repeat_Type.t_repeat a) (visited : Seq.seq a) (o : C11Repeat_Repeat_Type.t_repeat a) = - [#"../11_repeat.rs" 24 8 27 9] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = C11Repeat_Repeat_Type.repeat_element self) + [#"../11_repeat.rs" 24 8 27 9] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> Seq.get visited i = C11Repeat_Repeat_Type.repeat_element self) val produces0 [#"../11_repeat.rs" 23 4 23 64] (self : C11Repeat_Repeat_Type.t_repeat a) (visited : Seq.seq a) (o : C11Repeat_Repeat_Type.t_repeat a) : bool ensures { result = produces0 self visited o } 
@@ -239,17 +250,23 @@ module C11Repeat_Impl0 predicate produces0 [#"../11_repeat.rs" 23 4 23 64] (self : C11Repeat_Repeat_Type.t_repeat a) (visited : Seq.seq a) (o : C11Repeat_Repeat_Type.t_repeat a) = - [#"../11_repeat.rs" 24 8 27 9] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = C11Repeat_Repeat_Type.repeat_element self) + [#"../11_repeat.rs" 24 8 27 9] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> Seq.get visited i = C11Repeat_Repeat_Type.repeat_element self) val produces0 [#"../11_repeat.rs" 23 4 23 64] (self : C11Repeat_Repeat_Type.t_repeat a) (visited : Seq.seq a) (o : C11Repeat_Repeat_Type.t_repeat a) : bool ensures { result = produces0 self visited o } use seq.Seq - goal produces_refl_refn : [#"../11_repeat.rs" 33 4 33 26] forall self : C11Repeat_Repeat_Type.t_repeat a . inv0 self -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal produces_trans_refn : [#"../11_repeat.rs" 40 4 40 90] forall a : C11Repeat_Repeat_Type.t_repeat a . forall ab : Seq.seq a . forall b : C11Repeat_Repeat_Type.t_repeat a . forall bc : Seq.seq a . forall c : C11Repeat_Repeat_Type.t_repeat a . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) - goal next_refn : [#"../11_repeat.rs" 46 4 46 35] forall self : borrowed (C11Repeat_Repeat_Type.t_repeat a) . inv2 self -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option a . inv3 result /\ match result with + goal produces_refl_refn : [#"../11_repeat.rs" 33 4 33 26] forall self : C11Repeat_Repeat_Type.t_repeat a . inv0 self + -> inv0 self /\ (forall result : () . 
produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal produces_trans_refn : [#"../11_repeat.rs" 40 4 40 90] forall a : C11Repeat_Repeat_Type.t_repeat a . forall ab : Seq.seq a . forall b : C11Repeat_Repeat_Type.t_repeat a . forall bc : Seq.seq a . forall c : C11Repeat_Repeat_Type.t_repeat a . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) + goal next_refn : [#"../11_repeat.rs" 46 4 46 35] forall self : borrowed (C11Repeat_Repeat_Type.t_repeat a) . inv2 self + -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option a . inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv3 result /\ match result with + end + -> inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) diff --git a/creusot/tests/should_succeed/iterators/12_zip.mlcfg b/creusot/tests/should_succeed/iterators/12_zip.mlcfg index b903c0cfd3..fc06132650 100644 --- a/creusot/tests/should_succeed/iterators/12_zip.mlcfg +++ b/creusot/tests/should_succeed/iterators/12_zip.mlcfg 
@@ -71,14 +71,21 @@ module C12Zip_Impl0_ProducesRefl_Impl requires {[#"../common.rs" 21 82 21 83] inv4 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : b, ab : Seq.seq item1, b : b, bc : Seq.seq item1, c : b . ([#"../common.rs" 18 15 18 32] produces2 a ab b) -> ([#"../common.rs" 19 15 19 32] produces2 b bc c) -> ([#"../common.rs" 21 22 21 23] inv4 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv4 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces2 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : b, ab : Seq.seq item1, b : b, bc : Seq.seq item1, c : b . ([#"../common.rs" 18 15 18 32] produces2 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces2 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv4 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv4 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces2 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 [#"../common.rs" 15 4 15 27] (self : b) : () val produces_refl1 [#"../common.rs" 15 4 15 27] (self : b) : () requires {[#"../common.rs" 15 21 15 25] inv4 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : b . ([#"../common.rs" 15 21 15 25] inv4 self) -> ([#"../common.rs" 14 14 14 45] produces2 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : b . ([#"../common.rs" 15 21 15 25] inv4 self) + -> ([#"../common.rs" 14 14 14 45] produces2 self (Seq.empty ) self) use seq.Seq predicate produces1 [#"../common.rs" 8 4 8 65] (self : a) (visited : Seq.seq item0) (o : a) val produces1 [#"../common.rs" 8 4 8 65] (self : a) (visited : Seq.seq item0) (o : a) : bool 
@@ -96,14 +103,21 @@ module C12Zip_Impl0_ProducesRefl_Impl requires {[#"../common.rs" 21 82 21 83] inv3 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : a, ab : Seq.seq item0, b : a, bc : Seq.seq item0, c : a . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv3 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv3 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : a, ab : Seq.seq item0, b : a, bc : Seq.seq item0, c : a . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv3 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv3 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : a) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : a) : () requires {[#"../common.rs" 15 21 15 25] inv3 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : a . ([#"../common.rs" 15 21 15 25] inv3 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : a . ([#"../common.rs" 15 21 15 25] inv3 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) use C12Zip_Zip_Type as C12Zip_Zip_Type predicate invariant0 (self : C12Zip_Zip_Type.t_zip a b) val invariant0 (self : C12Zip_Zip_Type.t_zip a b) : bool 
@@ -124,14 +138,16 @@ module C12Zip_Impl0_ProducesRefl_Impl predicate produces0 [#"../12_zip.rs" 28 4 28 65] (self : C12Zip_Zip_Type.t_zip a b) (visited : Seq.seq (item0, item1)) (tl : C12Zip_Zip_Type.t_zip a b) = - [#"../12_zip.rs" 29 8 35 9] exists p2 : Seq.seq item1 . exists p1 : Seq.seq item0 . inv1 p2 /\ inv2 p1 /\ Seq.length p1 = Seq.length p2 /\ Seq.length p2 = Seq.length visited /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) /\ produces1 (C12Zip_Zip_Type.zip_a self) p1 (C12Zip_Zip_Type.zip_a tl) /\ produces2 (C12Zip_Zip_Type.zip_b self) p2 (C12Zip_Zip_Type.zip_b tl) + [#"../12_zip.rs" 29 8 35 9] exists p2 : Seq.seq item1 . exists p1 : Seq.seq item0 . inv1 p2 /\ inv2 p1 /\ Seq.length p1 = Seq.length p2 /\ Seq.length p2 = Seq.length visited /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) /\ produces1 (C12Zip_Zip_Type.zip_a self) p1 (C12Zip_Zip_Type.zip_a tl) /\ produces2 (C12Zip_Zip_Type.zip_b self) p2 (C12Zip_Zip_Type.zip_b tl) val produces0 [#"../12_zip.rs" 28 4 28 65] (self : C12Zip_Zip_Type.t_zip a b) (visited : Seq.seq (item0, item1)) (tl : C12Zip_Zip_Type.t_zip a b) : bool ensures { result = produces0 self visited tl } use seq.Seq constant self : C12Zip_Zip_Type.t_zip a b function produces_refl [#"../12_zip.rs" 41 4 41 26] (self : C12Zip_Zip_Type.t_zip a b) : () - goal vc_produces_refl : ([#"../12_zip.rs" 41 21 41 25] inv0 self) -> ([#"../12_zip.rs" 40 14 40 45] produces0 self (Seq.empty ) self) + goal vc_produces_refl : ([#"../12_zip.rs" 41 21 41 25] inv0 self) + -> ([#"../12_zip.rs" 40 14 40 45] produces0 self (Seq.empty ) self) end module C12Zip_Impl0_ProducesTrans_Impl type a 
@@ -192,14 +208,21 @@ module C12Zip_Impl0_ProducesTrans_Impl requires {[#"../common.rs" 21 82 21 83] inv5 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : b, ab : Seq.seq item1, b : b, bc : Seq.seq item1, c : b . ([#"../common.rs" 18 15 18 32] produces2 a ab b) -> ([#"../common.rs" 19 15 19 32] produces2 b bc c) -> ([#"../common.rs" 21 22 21 23] inv5 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv5 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv5 c) -> ([#"../common.rs" 20 14 20 42] produces2 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : b, ab : Seq.seq item1, b : b, bc : Seq.seq item1, c : b . ([#"../common.rs" 18 15 18 32] produces2 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces2 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv5 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv5 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv5 c) -> ([#"../common.rs" 20 14 20 42] produces2 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 [#"../common.rs" 15 4 15 27] (self : b) : () val produces_refl1 [#"../common.rs" 15 4 15 27] (self : b) : () requires {[#"../common.rs" 15 21 15 25] inv5 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : b . ([#"../common.rs" 15 21 15 25] inv5 self) -> ([#"../common.rs" 14 14 14 45] produces2 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : b . ([#"../common.rs" 15 21 15 25] inv5 self) + -> ([#"../common.rs" 14 14 14 45] produces2 self (Seq.empty ) self) use seq.Seq predicate produces1 [#"../common.rs" 8 4 8 65] (self : a) (visited : Seq.seq item0) (o : a) val produces1 [#"../common.rs" 8 4 8 65] (self : a) (visited : Seq.seq item0) (o : a) : bool 
@@ -217,14 +240,21 @@ module C12Zip_Impl0_ProducesTrans_Impl requires {[#"../common.rs" 21 82 21 83] inv4 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : a, ab : Seq.seq item0, b : a, bc : Seq.seq item0, c : a . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv4 a) -> ([#"../common.rs" 21 31 21 33] inv3 ab) -> ([#"../common.rs" 21 52 21 53] inv4 b) -> ([#"../common.rs" 21 61 21 63] inv3 bc) -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : a, ab : Seq.seq item0, b : a, bc : Seq.seq item0, c : a . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv4 a) + -> ([#"../common.rs" 21 31 21 33] inv3 ab) + -> ([#"../common.rs" 21 52 21 53] inv4 b) + -> ([#"../common.rs" 21 61 21 63] inv3 bc) + -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : a) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : a) : () requires {[#"../common.rs" 15 21 15 25] inv4 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : a . ([#"../common.rs" 15 21 15 25] inv4 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : a . ([#"../common.rs" 15 21 15 25] inv4 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : Seq.seq (item0, item1)) val invariant1 (self : Seq.seq (item0, item1)) : bool ensures { result = invariant1 self } 
@@ -255,7 +285,8 @@ module C12Zip_Impl0_ProducesTrans_Impl predicate produces0 [#"../12_zip.rs" 28 4 28 65] (self : C12Zip_Zip_Type.t_zip a b) (visited : Seq.seq (item0, item1)) (tl : C12Zip_Zip_Type.t_zip a b) = - [#"../12_zip.rs" 29 8 35 9] exists p2 : Seq.seq item1 . exists p1 : Seq.seq item0 . inv2 p2 /\ inv3 p1 /\ Seq.length p1 = Seq.length p2 /\ Seq.length p2 = Seq.length visited /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) /\ produces1 (C12Zip_Zip_Type.zip_a self) p1 (C12Zip_Zip_Type.zip_a tl) /\ produces2 (C12Zip_Zip_Type.zip_b self) p2 (C12Zip_Zip_Type.zip_b tl) + [#"../12_zip.rs" 29 8 35 9] exists p2 : Seq.seq item1 . exists p1 : Seq.seq item0 . inv2 p2 /\ inv3 p1 /\ Seq.length p1 = Seq.length p2 /\ Seq.length p2 = Seq.length visited /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) /\ produces1 (C12Zip_Zip_Type.zip_a self) p1 (C12Zip_Zip_Type.zip_a tl) /\ produces2 (C12Zip_Zip_Type.zip_b self) p2 (C12Zip_Zip_Type.zip_b tl) val produces0 [#"../12_zip.rs" 28 4 28 65] (self : C12Zip_Zip_Type.t_zip a b) (visited : Seq.seq (item0, item1)) (tl : C12Zip_Zip_Type.t_zip a b) : bool ensures { result = produces0 self visited tl } 
@@ -266,7 +297,14 @@ module C12Zip_Impl0_ProducesTrans_Impl constant c : C12Zip_Zip_Type.t_zip a b function produces_trans [#"../12_zip.rs" 48 4 48 90] (a : C12Zip_Zip_Type.t_zip a b) (ab : Seq.seq (item0, item1)) (b : C12Zip_Zip_Type.t_zip a b) (bc : Seq.seq (item0, item1)) (c : C12Zip_Zip_Type.t_zip a b) : () - goal vc_produces_trans : ([#"../12_zip.rs" 48 82 48 83] inv0 c) -> ([#"../12_zip.rs" 48 61 48 63] inv1 bc) -> ([#"../12_zip.rs" 48 52 48 53] inv0 b) -> ([#"../12_zip.rs" 48 31 48 33] inv1 ab) -> ([#"../12_zip.rs" 48 22 48 23] inv0 a) -> ([#"../12_zip.rs" 46 15 46 32] produces0 b bc c) -> ([#"../12_zip.rs" 45 15 45 32] produces0 a ab b) -> ([#"../12_zip.rs" 47 14 47 42] produces0 a (Seq.(++) ab bc) c) + goal vc_produces_trans : ([#"../12_zip.rs" 48 82 48 83] inv0 c) + -> ([#"../12_zip.rs" 48 61 48 63] inv1 bc) + -> ([#"../12_zip.rs" 48 52 48 53] inv0 b) + -> ([#"../12_zip.rs" 48 31 48 33] inv1 ab) + -> ([#"../12_zip.rs" 48 22 48 23] inv0 a) + -> ([#"../12_zip.rs" 46 15 46 32] produces0 b bc c) + -> ([#"../12_zip.rs" 45 15 45 32] produces0 a ab b) + -> ([#"../12_zip.rs" 47 14 47 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = 
@@ -371,14 +409,21 @@ module C12Zip_Impl0_Next requires {[#"../common.rs" 21 82 21 83] inv3 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : b, ab : Seq.seq item1, b : b, bc : Seq.seq item1, c : b . ([#"../common.rs" 18 15 18 32] produces2 a ab b) -> ([#"../common.rs" 19 15 19 32] produces2 b bc c) -> ([#"../common.rs" 21 22 21 23] inv3 a) -> ([#"../common.rs" 21 31 21 33] inv9 ab) -> ([#"../common.rs" 21 52 21 53] inv3 b) -> ([#"../common.rs" 21 61 21 63] inv9 bc) -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces2 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : b, ab : Seq.seq item1, b : b, bc : Seq.seq item1, c : b . ([#"../common.rs" 18 15 18 32] produces2 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces2 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv3 a) + -> ([#"../common.rs" 21 31 21 33] inv9 ab) + -> ([#"../common.rs" 21 52 21 53] inv3 b) + -> ([#"../common.rs" 21 61 21 63] inv9 bc) + -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces2 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 [#"../common.rs" 15 4 15 27] (self : b) : () val produces_refl1 [#"../common.rs" 15 4 15 27] (self : b) : () requires {[#"../common.rs" 15 21 15 25] inv3 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : b . ([#"../common.rs" 15 21 15 25] inv3 self) -> ([#"../common.rs" 14 14 14 45] produces2 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : b . ([#"../common.rs" 15 21 15 25] inv3 self) + -> ([#"../common.rs" 14 14 14 45] produces2 self (Seq.empty ) self) predicate invariant3 (self : b) val invariant3 (self : b) : bool ensures { result = invariant3 self } 
@@ -424,14 +469,21 @@ module C12Zip_Impl0_Next requires {[#"../common.rs" 21 82 21 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : a, ab : Seq.seq item0, b : a, bc : Seq.seq item0, c : a . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv0 a) -> ([#"../common.rs" 21 31 21 33] inv10 ab) -> ([#"../common.rs" 21 52 21 53] inv0 b) -> ([#"../common.rs" 21 61 21 63] inv10 bc) -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : a, ab : Seq.seq item0, b : a, bc : Seq.seq item0, c : a . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv0 a) + -> ([#"../common.rs" 21 31 21 33] inv10 ab) + -> ([#"../common.rs" 21 52 21 53] inv0 b) + -> ([#"../common.rs" 21 61 21 63] inv10 bc) + -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : a) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : a) : () requires {[#"../common.rs" 15 21 15 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : a . ([#"../common.rs" 15 21 15 25] inv0 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : a . ([#"../common.rs" 15 21 15 25] inv0 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant0 (self : a) val invariant0 (self : a) : bool ensures { result = invariant0 self } 
@@ -447,7 +499,8 @@ module C12Zip_Impl0_Next predicate produces0 [#"../12_zip.rs" 28 4 28 65] (self : C12Zip_Zip_Type.t_zip a b) (visited : Seq.seq (item0, item1)) (tl : C12Zip_Zip_Type.t_zip a b) = - [#"../12_zip.rs" 29 8 35 9] exists p2 : Seq.seq item1 . exists p1 : Seq.seq item0 . inv9 p2 /\ inv10 p1 /\ Seq.length p1 = Seq.length p2 /\ Seq.length p2 = Seq.length visited /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) /\ produces1 (C12Zip_Zip_Type.zip_a self) p1 (C12Zip_Zip_Type.zip_a tl) /\ produces2 (C12Zip_Zip_Type.zip_b self) p2 (C12Zip_Zip_Type.zip_b tl) + [#"../12_zip.rs" 29 8 35 9] exists p2 : Seq.seq item1 . exists p1 : Seq.seq item0 . inv9 p2 /\ inv10 p1 /\ Seq.length p1 = Seq.length p2 /\ Seq.length p2 = Seq.length visited /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) /\ produces1 (C12Zip_Zip_Type.zip_a self) p1 (C12Zip_Zip_Type.zip_a tl) /\ produces2 (C12Zip_Zip_Type.zip_b self) p2 (C12Zip_Zip_Type.zip_b tl) val produces0 [#"../12_zip.rs" 28 4 28 65] (self : C12Zip_Zip_Type.t_zip a b) (visited : Seq.seq (item0, item1)) (tl : C12Zip_Zip_Type.t_zip a b) : bool ensures { result = produces0 self visited tl } 
@@ -765,17 +818,23 @@ module C12Zip_Impl0 predicate produces0 [#"../12_zip.rs" 28 4 28 65] (self : C12Zip_Zip_Type.t_zip a b) (visited : Seq.seq (item0, item1)) (tl : C12Zip_Zip_Type.t_zip a b) = - [#"../12_zip.rs" 29 8 35 9] exists p2 : Seq.seq item1 . exists p1 : Seq.seq item0 . inv4 p2 /\ inv5 p1 /\ Seq.length p1 = Seq.length p2 /\ Seq.length p2 = Seq.length visited /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) /\ produces1 (C12Zip_Zip_Type.zip_a self) p1 (C12Zip_Zip_Type.zip_a tl) /\ produces2 (C12Zip_Zip_Type.zip_b self) p2 (C12Zip_Zip_Type.zip_b tl) + [#"../12_zip.rs" 29 8 35 9] exists p2 : Seq.seq item1 . exists p1 : Seq.seq item0 . inv4 p2 /\ inv5 p1 /\ Seq.length p1 = Seq.length p2 /\ Seq.length p2 = Seq.length visited /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) /\ produces1 (C12Zip_Zip_Type.zip_a self) p1 (C12Zip_Zip_Type.zip_a tl) /\ produces2 (C12Zip_Zip_Type.zip_b self) p2 (C12Zip_Zip_Type.zip_b tl) val produces0 [#"../12_zip.rs" 28 4 28 65] (self : C12Zip_Zip_Type.t_zip a b) (visited : Seq.seq (item0, item1)) (tl : C12Zip_Zip_Type.t_zip a b) : bool ensures { result = produces0 self visited tl } use seq.Seq - goal produces_refl_refn : [#"../12_zip.rs" 41 4 41 26] forall self : C12Zip_Zip_Type.t_zip a b . inv0 self -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal produces_trans_refn : [#"../12_zip.rs" 48 4 48 90] forall a : C12Zip_Zip_Type.t_zip a b . forall ab : Seq.seq (item0, item1) . forall b : C12Zip_Zip_Type.t_zip a b . forall bc : Seq.seq (item0, item1) . forall c : C12Zip_Zip_Type.t_zip a b . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . 
produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) - goal next_refn : [#"../12_zip.rs" 54 4 54 44] forall self : borrowed (C12Zip_Zip_Type.t_zip a b) . inv2 self -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option (item0, item1) . inv3 result /\ match result with + goal produces_refl_refn : [#"../12_zip.rs" 41 4 41 26] forall self : C12Zip_Zip_Type.t_zip a b . inv0 self + -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal produces_trans_refn : [#"../12_zip.rs" 48 4 48 90] forall a : C12Zip_Zip_Type.t_zip a b . forall ab : Seq.seq (item0, item1) . forall b : C12Zip_Zip_Type.t_zip a b . forall bc : Seq.seq (item0, item1) . forall c : C12Zip_Zip_Type.t_zip a b . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) + goal next_refn : [#"../12_zip.rs" 54 4 54 44] forall self : borrowed (C12Zip_Zip_Type.t_zip a b) . inv2 self + -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option (item0, item1) . inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv3 result /\ match result with + end + -> inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) diff --git a/creusot/tests/should_succeed/iterators/13_cloned.mlcfg b/creusot/tests/should_succeed/iterators/13_cloned.mlcfg index 3601063d99..4b4056760f 100644 --- a/creusot/tests/should_succeed/iterators/13_cloned.mlcfg +++ b/creusot/tests/should_succeed/iterators/13_cloned.mlcfg 
@@ -41,14 +41,21 @@ module C13Cloned_Impl0_ProducesRefl_Impl requires {[#"../common.rs" 21 82 21 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv2 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv2 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv2 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv2 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : Seq.seq t) val invariant1 (self : Seq.seq t) : bool ensures { result = invariant1 self } 
@@ -73,14 +80,16 @@ module C13Cloned_Impl0_ProducesRefl_Impl predicate produces0 [#"../13_cloned.rs" 28 4 28 64] (self : C13Cloned_Cloned_Type.t_cloned i) (visited : Seq.seq t) (o : C13Cloned_Cloned_Type.t_cloned i) = - [#"../13_cloned.rs" 29 8 33 9] exists s : Seq.seq t . inv1 s /\ produces1 (C13Cloned_Cloned_Type.cloned_iter self) s (C13Cloned_Cloned_Type.cloned_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [#"../13_cloned.rs" 29 8 33 9] exists s : Seq.seq t . inv1 s /\ produces1 (C13Cloned_Cloned_Type.cloned_iter self) s (C13Cloned_Cloned_Type.cloned_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> Seq.get visited i = Seq.get s i) val produces0 [#"../13_cloned.rs" 28 4 28 64] (self : C13Cloned_Cloned_Type.t_cloned i) (visited : Seq.seq t) (o : C13Cloned_Cloned_Type.t_cloned i) : bool ensures { result = produces0 self visited o } use seq.Seq constant self : C13Cloned_Cloned_Type.t_cloned i function produces_refl [#"../13_cloned.rs" 39 4 39 26] (self : C13Cloned_Cloned_Type.t_cloned i) : () - goal vc_produces_refl : ([#"../13_cloned.rs" 39 21 39 25] inv0 self) -> ([#"../13_cloned.rs" 38 14 38 45] produces0 self (Seq.empty ) self) + goal vc_produces_refl : ([#"../13_cloned.rs" 39 21 39 25] inv0 self) + -> ([#"../13_cloned.rs" 38 14 38 45] produces0 self (Seq.empty ) self) end module C13Cloned_Impl0_ProducesTrans_Impl type i 
@@ -115,14 +124,21 @@ module C13Cloned_Impl0_ProducesTrans_Impl requires {[#"../common.rs" 21 82 21 83] inv3 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv3 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv3 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv3 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv3 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv3 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant2 (self : Seq.seq t) val invariant2 (self : Seq.seq t) : bool ensures { result = invariant2 self } 
@@ -157,7 +173,8 @@ module C13Cloned_Impl0_ProducesTrans_Impl predicate produces0 [#"../13_cloned.rs" 28 4 28 64] (self : C13Cloned_Cloned_Type.t_cloned i) (visited : Seq.seq t) (o : C13Cloned_Cloned_Type.t_cloned i) = - [#"../13_cloned.rs" 29 8 33 9] exists s : Seq.seq t . inv2 s /\ produces1 (C13Cloned_Cloned_Type.cloned_iter self) s (C13Cloned_Cloned_Type.cloned_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [#"../13_cloned.rs" 29 8 33 9] exists s : Seq.seq t . inv2 s /\ produces1 (C13Cloned_Cloned_Type.cloned_iter self) s (C13Cloned_Cloned_Type.cloned_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> Seq.get visited i = Seq.get s i) val produces0 [#"../13_cloned.rs" 28 4 28 64] (self : C13Cloned_Cloned_Type.t_cloned i) (visited : Seq.seq t) (o : C13Cloned_Cloned_Type.t_cloned i) : bool ensures { result = produces0 self visited o } 
@@ -168,7 +185,14 @@ module C13Cloned_Impl0_ProducesTrans_Impl constant c : C13Cloned_Cloned_Type.t_cloned i function produces_trans [#"../13_cloned.rs" 46 4 46 90] (a : C13Cloned_Cloned_Type.t_cloned i) (ab : Seq.seq t) (b : C13Cloned_Cloned_Type.t_cloned i) (bc : Seq.seq t) (c : C13Cloned_Cloned_Type.t_cloned i) : () - goal vc_produces_trans : ([#"../13_cloned.rs" 46 82 46 83] inv0 c) -> ([#"../13_cloned.rs" 46 61 46 63] inv1 bc) -> ([#"../13_cloned.rs" 46 52 46 53] inv0 b) -> ([#"../13_cloned.rs" 46 31 46 33] inv1 ab) -> ([#"../13_cloned.rs" 46 22 46 23] inv0 a) -> ([#"../13_cloned.rs" 44 15 44 32] produces0 b bc c) -> ([#"../13_cloned.rs" 43 15 43 32] produces0 a ab b) -> ([#"../13_cloned.rs" 45 14 45 42] produces0 a (Seq.(++) ab bc) c) + goal vc_produces_trans : ([#"../13_cloned.rs" 46 82 46 83] inv0 c) + -> ([#"../13_cloned.rs" 46 61 46 63] inv1 bc) + -> ([#"../13_cloned.rs" 46 52 46 53] inv0 b) + -> ([#"../13_cloned.rs" 46 31 46 33] inv1 ab) + -> ([#"../13_cloned.rs" 46 22 46 23] inv0 a) + -> ([#"../13_cloned.rs" 44 15 44 32] produces0 b bc c) + -> ([#"../13_cloned.rs" 43 15 43 32] produces0 a ab b) + -> ([#"../13_cloned.rs" 45 14 45 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = 
@@ -257,14 +281,21 @@ module C13Cloned_Impl0_Next requires {[#"../common.rs" 21 82 21 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv0 a) -> ([#"../common.rs" 21 31 21 33] inv6 ab) -> ([#"../common.rs" 21 52 21 53] inv0 b) -> ([#"../common.rs" 21 61 21 63] inv6 bc) -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv0 a) + -> ([#"../common.rs" 21 31 21 33] inv6 ab) + -> ([#"../common.rs" 21 52 21 53] inv0 b) + -> ([#"../common.rs" 21 61 21 63] inv6 bc) + -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant0 (self : i) val invariant0 (self : i) : bool ensures { result = invariant0 self } 
@@ -278,7 +309,8 @@ module C13Cloned_Impl0_Next predicate produces0 [#"../13_cloned.rs" 28 4 28 64] (self : C13Cloned_Cloned_Type.t_cloned i) (visited : Seq.seq t) (o : C13Cloned_Cloned_Type.t_cloned i) = - [#"../13_cloned.rs" 29 8 33 9] exists s : Seq.seq t . inv6 s /\ produces1 (C13Cloned_Cloned_Type.cloned_iter self) s (C13Cloned_Cloned_Type.cloned_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [#"../13_cloned.rs" 29 8 33 9] exists s : Seq.seq t . inv6 s /\ produces1 (C13Cloned_Cloned_Type.cloned_iter self) s (C13Cloned_Cloned_Type.cloned_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> Seq.get visited i = Seq.get s i) val produces0 [#"../13_cloned.rs" 28 4 28 64] (self : C13Cloned_Cloned_Type.t_cloned i) (visited : Seq.seq t) (o : C13Cloned_Cloned_Type.t_cloned i) : bool ensures { result = produces0 self visited o } @@ -294,7 +326,8 @@ module C13Cloned_Impl0_Next val cloned0 (self : Core_Option_Option_Type.t_option t) : Core_Option_Option_Type.t_option t requires {inv4 self} - ensures { [#"../../../../../creusot-contracts/src/std/option.rs" 92 16 92 59] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../../creusot-contracts/src/std/option.rs" 92 16 92 59] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ (exists t : t . inv5 t /\ self = Core_Option_Option_Type.C_Some t /\ result = Core_Option_Option_Type.C_Some t) } ensures { inv2 result } 
@@ -425,16 +458,22 @@ module C13Cloned_Impl0 predicate produces0 [#"../13_cloned.rs" 28 4 28 64] (self : C13Cloned_Cloned_Type.t_cloned i) (visited : Seq.seq t) (o : C13Cloned_Cloned_Type.t_cloned i) = - [#"../13_cloned.rs" 29 8 33 9] exists s : Seq.seq t . inv4 s /\ produces1 (C13Cloned_Cloned_Type.cloned_iter self) s (C13Cloned_Cloned_Type.cloned_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [#"../13_cloned.rs" 29 8 33 9] exists s : Seq.seq t . inv4 s /\ produces1 (C13Cloned_Cloned_Type.cloned_iter self) s (C13Cloned_Cloned_Type.cloned_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> Seq.get visited i = Seq.get s i) val produces0 [#"../13_cloned.rs" 28 4 28 64] (self : C13Cloned_Cloned_Type.t_cloned i) (visited : Seq.seq t) (o : C13Cloned_Cloned_Type.t_cloned i) : bool ensures { result = produces0 self visited o } - goal produces_trans_refn : [#"../13_cloned.rs" 46 4 46 90] forall a : C13Cloned_Cloned_Type.t_cloned i . forall ab : Seq.seq t . forall b : C13Cloned_Cloned_Type.t_cloned i . forall bc : Seq.seq t . forall c : C13Cloned_Cloned_Type.t_cloned i . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) - goal produces_refl_refn : [#"../13_cloned.rs" 39 4 39 26] forall self : C13Cloned_Cloned_Type.t_cloned i . inv0 self -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal next_refn : [#"../13_cloned.rs" 52 4 52 35] forall self : borrowed (C13Cloned_Cloned_Type.t_cloned i) . inv2 self -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option t . 
inv3 result /\ match result with + goal produces_trans_refn : [#"../13_cloned.rs" 46 4 46 90] forall a : C13Cloned_Cloned_Type.t_cloned i . forall ab : Seq.seq t . forall b : C13Cloned_Cloned_Type.t_cloned i . forall bc : Seq.seq t . forall c : C13Cloned_Cloned_Type.t_cloned i . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) + goal produces_refl_refn : [#"../13_cloned.rs" 39 4 39 26] forall self : C13Cloned_Cloned_Type.t_cloned i . inv0 self + -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal next_refn : [#"../13_cloned.rs" 52 4 52 35] forall self : borrowed (C13Cloned_Cloned_Type.t_cloned i) . inv2 self + -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option t . inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv3 result /\ match result with + end + -> inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) diff --git a/creusot/tests/should_succeed/iterators/14_copied.mlcfg b/creusot/tests/should_succeed/iterators/14_copied.mlcfg index eaf3255cce..2ea11a6d0b 100644 --- a/creusot/tests/should_succeed/iterators/14_copied.mlcfg +++ b/creusot/tests/should_succeed/iterators/14_copied.mlcfg 
@@ -41,14 +41,21 @@ module C14Copied_Impl0_ProducesRefl_Impl requires {[#"../common.rs" 21 82 21 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv2 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv2 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv2 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv2 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : Seq.seq t) val invariant1 (self : Seq.seq t) : bool ensures { result = invariant1 self } 
@@ -73,14 +80,16 @@ module C14Copied_Impl0_ProducesRefl_Impl predicate produces0 [#"../14_copied.rs" 28 4 28 64] (self : C14Copied_Copied_Type.t_copied i) (visited : Seq.seq t) (o : C14Copied_Copied_Type.t_copied i) = - [#"../14_copied.rs" 29 8 33 9] exists s : Seq.seq t . inv1 s /\ produces1 (C14Copied_Copied_Type.copied_iter self) s (C14Copied_Copied_Type.copied_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [#"../14_copied.rs" 29 8 33 9] exists s : Seq.seq t . inv1 s /\ produces1 (C14Copied_Copied_Type.copied_iter self) s (C14Copied_Copied_Type.copied_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> Seq.get visited i = Seq.get s i) val produces0 [#"../14_copied.rs" 28 4 28 64] (self : C14Copied_Copied_Type.t_copied i) (visited : Seq.seq t) (o : C14Copied_Copied_Type.t_copied i) : bool ensures { result = produces0 self visited o } use seq.Seq constant self : C14Copied_Copied_Type.t_copied i function produces_refl [#"../14_copied.rs" 39 4 39 26] (self : C14Copied_Copied_Type.t_copied i) : () - goal vc_produces_refl : ([#"../14_copied.rs" 39 21 39 25] inv0 self) -> ([#"../14_copied.rs" 38 14 38 45] produces0 self (Seq.empty ) self) + goal vc_produces_refl : ([#"../14_copied.rs" 39 21 39 25] inv0 self) + -> ([#"../14_copied.rs" 38 14 38 45] produces0 self (Seq.empty ) self) end module C14Copied_Impl0_ProducesTrans_Impl type i 
@@ -115,14 +124,21 @@ module C14Copied_Impl0_ProducesTrans_Impl requires {[#"../common.rs" 21 82 21 83] inv3 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv3 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv3 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv3 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv3 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv3 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant2 (self : Seq.seq t) val invariant2 (self : Seq.seq t) : bool ensures { result = invariant2 self } 
@@ -157,7 +173,8 @@ module C14Copied_Impl0_ProducesTrans_Impl predicate produces0 [#"../14_copied.rs" 28 4 28 64] (self : C14Copied_Copied_Type.t_copied i) (visited : Seq.seq t) (o : C14Copied_Copied_Type.t_copied i) = - [#"../14_copied.rs" 29 8 33 9] exists s : Seq.seq t . inv2 s /\ produces1 (C14Copied_Copied_Type.copied_iter self) s (C14Copied_Copied_Type.copied_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [#"../14_copied.rs" 29 8 33 9] exists s : Seq.seq t . inv2 s /\ produces1 (C14Copied_Copied_Type.copied_iter self) s (C14Copied_Copied_Type.copied_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> Seq.get visited i = Seq.get s i) val produces0 [#"../14_copied.rs" 28 4 28 64] (self : C14Copied_Copied_Type.t_copied i) (visited : Seq.seq t) (o : C14Copied_Copied_Type.t_copied i) : bool ensures { result = produces0 self visited o } 
@@ -168,7 +185,14 @@ module C14Copied_Impl0_ProducesTrans_Impl constant c : C14Copied_Copied_Type.t_copied i function produces_trans [#"../14_copied.rs" 46 4 46 90] (a : C14Copied_Copied_Type.t_copied i) (ab : Seq.seq t) (b : C14Copied_Copied_Type.t_copied i) (bc : Seq.seq t) (c : C14Copied_Copied_Type.t_copied i) : () - goal vc_produces_trans : ([#"../14_copied.rs" 46 82 46 83] inv0 c) -> ([#"../14_copied.rs" 46 61 46 63] inv1 bc) -> ([#"../14_copied.rs" 46 52 46 53] inv0 b) -> ([#"../14_copied.rs" 46 31 46 33] inv1 ab) -> ([#"../14_copied.rs" 46 22 46 23] inv0 a) -> ([#"../14_copied.rs" 44 15 44 32] produces0 b bc c) -> ([#"../14_copied.rs" 43 15 43 32] produces0 a ab b) -> ([#"../14_copied.rs" 45 14 45 42] produces0 a (Seq.(++) ab bc) c) + goal vc_produces_trans : ([#"../14_copied.rs" 46 82 46 83] inv0 c) + -> ([#"../14_copied.rs" 46 61 46 63] inv1 bc) + -> ([#"../14_copied.rs" 46 52 46 53] inv0 b) + -> ([#"../14_copied.rs" 46 31 46 33] inv1 ab) + -> ([#"../14_copied.rs" 46 22 46 23] inv0 a) + -> ([#"../14_copied.rs" 44 15 44 32] produces0 b bc c) + -> ([#"../14_copied.rs" 43 15 43 32] produces0 a ab b) + -> ([#"../14_copied.rs" 45 14 45 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = 
@@ -257,14 +281,21 @@ module C14Copied_Impl0_Next requires {[#"../common.rs" 21 82 21 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv0 a) -> ([#"../common.rs" 21 31 21 33] inv6 ab) -> ([#"../common.rs" 21 52 21 53] inv0 b) -> ([#"../common.rs" 21 61 21 63] inv6 bc) -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv0 a) + -> ([#"../common.rs" 21 31 21 33] inv6 ab) + -> ([#"../common.rs" 21 52 21 53] inv0 b) + -> ([#"../common.rs" 21 61 21 63] inv6 bc) + -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant0 (self : i) val invariant0 (self : i) : bool ensures { result = invariant0 self } 
@@ -278,7 +309,8 @@ module C14Copied_Impl0_Next predicate produces0 [#"../14_copied.rs" 28 4 28 64] (self : C14Copied_Copied_Type.t_copied i) (visited : Seq.seq t) (o : C14Copied_Copied_Type.t_copied i) = - [#"../14_copied.rs" 29 8 33 9] exists s : Seq.seq t . inv6 s /\ produces1 (C14Copied_Copied_Type.copied_iter self) s (C14Copied_Copied_Type.copied_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [#"../14_copied.rs" 29 8 33 9] exists s : Seq.seq t . inv6 s /\ produces1 (C14Copied_Copied_Type.copied_iter self) s (C14Copied_Copied_Type.copied_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> Seq.get visited i = Seq.get s i) val produces0 [#"../14_copied.rs" 28 4 28 64] (self : C14Copied_Copied_Type.t_copied i) (visited : Seq.seq t) (o : C14Copied_Copied_Type.t_copied i) : bool ensures { result = produces0 self visited o } @@ -294,7 +326,8 @@ module C14Copied_Impl0_Next val copied0 (self : Core_Option_Option_Type.t_option t) : Core_Option_Option_Type.t_option t requires {inv4 self} - ensures { [#"../../../../../creusot-contracts/src/std/option.rs" 86 16 86 59] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../../creusot-contracts/src/std/option.rs" 86 16 86 59] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ (exists t : t . inv5 t /\ self = Core_Option_Option_Type.C_Some t /\ result = Core_Option_Option_Type.C_Some t) } ensures { inv2 result } 
@@ -425,16 +458,22 @@ module C14Copied_Impl0 predicate produces0 [#"../14_copied.rs" 28 4 28 64] (self : C14Copied_Copied_Type.t_copied i) (visited : Seq.seq t) (o : C14Copied_Copied_Type.t_copied i) = - [#"../14_copied.rs" 29 8 33 9] exists s : Seq.seq t . inv4 s /\ produces1 (C14Copied_Copied_Type.copied_iter self) s (C14Copied_Copied_Type.copied_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [#"../14_copied.rs" 29 8 33 9] exists s : Seq.seq t . inv4 s /\ produces1 (C14Copied_Copied_Type.copied_iter self) s (C14Copied_Copied_Type.copied_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> Seq.get visited i = Seq.get s i) val produces0 [#"../14_copied.rs" 28 4 28 64] (self : C14Copied_Copied_Type.t_copied i) (visited : Seq.seq t) (o : C14Copied_Copied_Type.t_copied i) : bool ensures { result = produces0 self visited o } - goal produces_trans_refn : [#"../14_copied.rs" 46 4 46 90] forall a : C14Copied_Copied_Type.t_copied i . forall ab : Seq.seq t . forall b : C14Copied_Copied_Type.t_copied i . forall bc : Seq.seq t . forall c : C14Copied_Copied_Type.t_copied i . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) - goal produces_refl_refn : [#"../14_copied.rs" 39 4 39 26] forall self : C14Copied_Copied_Type.t_copied i . inv0 self -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal next_refn : [#"../14_copied.rs" 52 4 52 35] forall self : borrowed (C14Copied_Copied_Type.t_copied i) . inv2 self -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option t . 
inv3 result /\ match result with + goal produces_trans_refn : [#"../14_copied.rs" 46 4 46 90] forall a : C14Copied_Copied_Type.t_copied i . forall ab : Seq.seq t . forall b : C14Copied_Copied_Type.t_copied i . forall bc : Seq.seq t . forall c : C14Copied_Copied_Type.t_copied i . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) + goal produces_refl_refn : [#"../14_copied.rs" 39 4 39 26] forall self : C14Copied_Copied_Type.t_copied i . inv0 self + -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal next_refn : [#"../14_copied.rs" 52 4 52 35] forall self : borrowed (C14Copied_Copied_Type.t_copied i) . inv2 self + -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option t . inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv3 result /\ match result with + end + -> inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) diff --git a/creusot/tests/should_succeed/iterators/15_enumerate.mlcfg b/creusot/tests/should_succeed/iterators/15_enumerate.mlcfg index b2eddf6477..8f88f82844 100644 --- a/creusot/tests/should_succeed/iterators/15_enumerate.mlcfg +++ b/creusot/tests/should_succeed/iterators/15_enumerate.mlcfg 
@@ -63,14 +63,21 @@ module C15Enumerate_Impl0_ProducesRefl_Impl requires {[#"../common.rs" 21 82 21 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv2 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv2 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv2 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv2 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) use prelude.UIntSize predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool 
@@ -83,7 +90,11 @@ module C15Enumerate_Impl0_ProducesRefl_Impl use prelude.UIntSize use C15Enumerate_Enumerate_Type as C15Enumerate_Enumerate_Type predicate invariant0 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) = - [#"../15_enumerate.rs" 73 12 74 79] (forall i : i . forall s : Seq.seq item0 . inv2 i -> inv1 s -> produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s i -> UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + Seq.length s < UIntSize.to_int max0) /\ (forall i : borrowed i . inv3 i -> completed0 i -> produces1 ( * i) (Seq.empty ) ( ^ i)) + [#"../15_enumerate.rs" 73 12 74 79] (forall i : i . forall s : Seq.seq item0 . inv2 i + -> inv1 s + -> produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s i + -> UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + Seq.length s < UIntSize.to_int max0) /\ (forall i : borrowed i . inv3 i + -> completed0 i -> produces1 ( * i) (Seq.empty ) ( ^ i)) val invariant0 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) : bool ensures { result = invariant0 self } 
@@ -100,14 +111,16 @@ module C15Enumerate_Impl0_ProducesRefl_Impl predicate produces0 [#"../15_enumerate.rs" 28 4 28 64] (self : C15Enumerate_Enumerate_Type.t_enumerate i) (visited : Seq.seq (usize, item0)) (o : C15Enumerate_Enumerate_Type.t_enumerate i) = - [#"../15_enumerate.rs" 29 8 34 9] Seq.length visited = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count o) - UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) /\ (exists s : Seq.seq item0 . inv1 s /\ produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s (C15Enumerate_Enumerate_Type.enumerate_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + i /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) + [#"../15_enumerate.rs" 29 8 34 9] Seq.length visited = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count o) - UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) /\ (exists s : Seq.seq item0 . inv1 s /\ produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s (C15Enumerate_Enumerate_Type.enumerate_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 
0 <= i /\ i < Seq.length s + -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + i /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) val produces0 [#"../15_enumerate.rs" 28 4 28 64] (self : C15Enumerate_Enumerate_Type.t_enumerate i) (visited : Seq.seq (usize, item0)) (o : C15Enumerate_Enumerate_Type.t_enumerate i) : bool ensures { result = produces0 self visited o } use seq.Seq constant self : C15Enumerate_Enumerate_Type.t_enumerate i function produces_refl [#"../15_enumerate.rs" 40 4 40 26] (self : C15Enumerate_Enumerate_Type.t_enumerate i) : () - goal vc_produces_refl : ([#"../15_enumerate.rs" 40 21 40 25] inv0 self) -> ([#"../15_enumerate.rs" 39 14 39 45] produces0 self (Seq.empty ) self) + goal vc_produces_refl : ([#"../15_enumerate.rs" 40 21 40 25] inv0 self) + -> ([#"../15_enumerate.rs" 39 14 39 45] produces0 self (Seq.empty ) self) end module C15Enumerate_Impl0_ProducesTrans_Impl type i 
@@ -158,14 +171,21 @@ module C15Enumerate_Impl0_ProducesTrans_Impl requires {[#"../common.rs" 21 82 21 83] inv3 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv3 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv3 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv3 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv3 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv3 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) use prelude.UIntSize predicate invariant1 (self : Seq.seq (usize, item0)) val invariant1 (self : Seq.seq (usize, item0)) : bool 
@@ -187,7 +207,11 @@ module C15Enumerate_Impl0_ProducesTrans_Impl use prelude.UIntSize use C15Enumerate_Enumerate_Type as C15Enumerate_Enumerate_Type predicate invariant0 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) = - [#"../15_enumerate.rs" 73 12 74 79] (forall i : i . forall s : Seq.seq item0 . inv3 i -> inv2 s -> produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s i -> UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + Seq.length s < UIntSize.to_int max0) /\ (forall i : borrowed i . inv4 i -> completed0 i -> produces1 ( * i) (Seq.empty ) ( ^ i)) + [#"../15_enumerate.rs" 73 12 74 79] (forall i : i . forall s : Seq.seq item0 . inv3 i + -> inv2 s + -> produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s i + -> UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + Seq.length s < UIntSize.to_int max0) /\ (forall i : borrowed i . inv4 i + -> completed0 i -> produces1 ( * i) (Seq.empty ) ( ^ i)) val invariant0 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) : bool ensures { result = invariant0 self } 
@@ -205,7 +229,8 @@ module C15Enumerate_Impl0_ProducesTrans_Impl predicate produces0 [#"../15_enumerate.rs" 28 4 28 64] (self : C15Enumerate_Enumerate_Type.t_enumerate i) (visited : Seq.seq (usize, item0)) (o : C15Enumerate_Enumerate_Type.t_enumerate i) = - [#"../15_enumerate.rs" 29 8 34 9] Seq.length visited = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count o) - UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) /\ (exists s : Seq.seq item0 . inv2 s /\ produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s (C15Enumerate_Enumerate_Type.enumerate_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + i /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) + [#"../15_enumerate.rs" 29 8 34 9] Seq.length visited = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count o) - UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) /\ (exists s : Seq.seq item0 . inv2 s /\ produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s (C15Enumerate_Enumerate_Type.enumerate_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + i /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) val produces0 [#"../15_enumerate.rs" 28 4 28 64] (self : C15Enumerate_Enumerate_Type.t_enumerate i) (visited : Seq.seq (usize, item0)) (o : C15Enumerate_Enumerate_Type.t_enumerate i) : bool ensures { result = produces0 self visited o } 
@@ -216,7 +241,14 @@ module C15Enumerate_Impl0_ProducesTrans_Impl constant c : C15Enumerate_Enumerate_Type.t_enumerate i function produces_trans [#"../15_enumerate.rs" 47 4 47 90] (a : C15Enumerate_Enumerate_Type.t_enumerate i) (ab : Seq.seq (usize, item0)) (b : C15Enumerate_Enumerate_Type.t_enumerate i) (bc : Seq.seq (usize, item0)) (c : C15Enumerate_Enumerate_Type.t_enumerate i) : () - goal vc_produces_trans : ([#"../15_enumerate.rs" 47 82 47 83] inv0 c) -> ([#"../15_enumerate.rs" 47 61 47 63] inv1 bc) -> ([#"../15_enumerate.rs" 47 52 47 53] inv0 b) -> ([#"../15_enumerate.rs" 47 31 47 33] inv1 ab) -> ([#"../15_enumerate.rs" 47 22 47 23] inv0 a) -> ([#"../15_enumerate.rs" 45 15 45 32] produces0 b bc c) -> ([#"../15_enumerate.rs" 44 15 44 32] produces0 a ab b) -> ([#"../15_enumerate.rs" 46 14 46 42] produces0 a (Seq.(++) ab bc) c) + goal vc_produces_trans : ([#"../15_enumerate.rs" 47 82 47 83] inv0 c) + -> ([#"../15_enumerate.rs" 47 61 47 63] inv1 bc) + -> ([#"../15_enumerate.rs" 47 52 47 53] inv0 b) + -> ([#"../15_enumerate.rs" 47 31 47 33] inv1 ab) + -> ([#"../15_enumerate.rs" 47 22 47 23] inv0 a) + -> ([#"../15_enumerate.rs" 45 15 45 32] produces0 b bc c) + -> ([#"../15_enumerate.rs" 44 15 44 32] produces0 a ab b) + -> ([#"../15_enumerate.rs" 46 14 46 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = 
@@ -263,7 +295,11 @@ module C15Enumerate_Impl0_Next use C15Enumerate_Enumerate_Type as C15Enumerate_Enumerate_Type predicate invariant6 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) = - [#"../15_enumerate.rs" 73 12 74 79] (forall i : i . forall s : Seq.seq item0 . inv0 i -> inv5 s -> produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s i -> UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + Seq.length s < UIntSize.to_int max0) /\ (forall i : borrowed i . inv4 i -> completed1 i -> produces1 ( * i) (Seq.empty ) ( ^ i)) + [#"../15_enumerate.rs" 73 12 74 79] (forall i : i . forall s : Seq.seq item0 . inv0 i + -> inv5 s + -> produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s i + -> UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + Seq.length s < UIntSize.to_int max0) /\ (forall i : borrowed i . inv4 i + -> completed1 i -> produces1 ( * i) (Seq.empty ) ( ^ i)) val invariant6 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) : bool ensures { result = invariant6 self } 
@@ -325,13 +361,20 @@ module C15Enumerate_Impl0_Next requires {[#"../common.rs" 21 82 21 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv0 a) -> ([#"../common.rs" 21 31 21 33] inv5 ab) -> ([#"../common.rs" 21 52 21 53] inv0 b) -> ([#"../common.rs" 21 61 21 63] inv5 bc) -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv0 a) + -> ([#"../common.rs" 21 31 21 33] inv5 ab) + -> ([#"../common.rs" 21 52 21 53] inv0 b) + -> ([#"../common.rs" 21 61 21 63] inv5 bc) + -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant0 (self : i) val invariant0 (self : i) : bool ensures { result = invariant0 self } 
@@ -343,7 +386,8 @@ module C15Enumerate_Impl0_Next predicate produces0 [#"../15_enumerate.rs" 28 4 28 64] (self : C15Enumerate_Enumerate_Type.t_enumerate i) (visited : Seq.seq (usize, item0)) (o : C15Enumerate_Enumerate_Type.t_enumerate i) = - [#"../15_enumerate.rs" 29 8 34 9] Seq.length visited = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count o) - UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) /\ (exists s : Seq.seq item0 . inv5 s /\ produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s (C15Enumerate_Enumerate_Type.enumerate_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + i /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) + [#"../15_enumerate.rs" 29 8 34 9] Seq.length visited = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count o) - UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) /\ (exists s : Seq.seq item0 . inv5 s /\ produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s (C15Enumerate_Enumerate_Type.enumerate_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + i /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) val produces0 [#"../15_enumerate.rs" 28 4 28 64] (self : C15Enumerate_Enumerate_Type.t_enumerate i) (visited : Seq.seq (usize, item0)) (o : C15Enumerate_Enumerate_Type.t_enumerate i) : bool ensures { result = produces0 self visited o } 
@@ -414,7 +458,7 @@ module C15Enumerate_Impl0_Next assert { [@expl:type invariant] inv1 _3 }; assume { resolve0 _3 }; [#"../15_enumerate.rs" 57 24 57 34] n <- ([#"../15_enumerate.rs" 57 24 57 34] C15Enumerate_Enumerate_Type.enumerate_count ( * self)); - [#"../15_enumerate.rs" 58 16 58 31] self <- { self with current = (let C15Enumerate_Enumerate_Type.C_Enumerate x0 x1 = * self in C15Enumerate_Enumerate_Type.C_Enumerate x0 ([#"../15_enumerate.rs" 58 16 58 31] C15Enumerate_Enumerate_Type.enumerate_count ( * self) + (1 : usize))) ; }; + [#"../15_enumerate.rs" 58 16 58 31] self <- { self with current = (let C15Enumerate_Enumerate_Type.C_Enumerate x0 x1 = * self in C15Enumerate_Enumerate_Type.C_Enumerate x0 ([#"../15_enumerate.rs" 58 16 58 31] C15Enumerate_Enumerate_Type.enumerate_count ( * self) + ([#"../15_enumerate.rs" 58 30 58 31] (1 : usize)))) ; }; assert { [@expl:type invariant] inv2 self }; assume { resolve1 self }; [#"../15_enumerate.rs" 59 21 59 27] _8 <- ([#"../15_enumerate.rs" 59 21 59 27] (n, x)); 
@@ -490,7 +534,11 @@ module C15Enumerate_Enumerate use C15Enumerate_Enumerate_Type as C15Enumerate_Enumerate_Type predicate invariant3 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) = - [#"../15_enumerate.rs" 73 12 74 79] (forall i : i . forall s : Seq.seq item0 . inv1 i -> inv2 s -> produces0 (C15Enumerate_Enumerate_Type.enumerate_iter self) s i -> UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + Seq.length s < UIntSize.to_int max0) /\ (forall i : borrowed i . inv0 i -> completed0 i -> produces0 ( * i) (Seq.empty ) ( ^ i)) + [#"../15_enumerate.rs" 73 12 74 79] (forall i : i . forall s : Seq.seq item0 . inv1 i + -> inv2 s + -> produces0 (C15Enumerate_Enumerate_Type.enumerate_iter self) s i + -> UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + Seq.length s < UIntSize.to_int max0) /\ (forall i : borrowed i . inv0 i + -> completed0 i -> produces0 ( * i) (Seq.empty ) ( ^ i)) val invariant3 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) : bool ensures { result = invariant3 self } 
@@ -524,21 +572,30 @@ module C15Enumerate_Enumerate requires {[#"../common.rs" 21 82 21 83] inv1 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv1 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv1 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv1 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv1 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv1 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv1 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv1 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv1 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv1 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : borrowed i) val invariant0 (self : borrowed i) : bool ensures { result = invariant0 self } axiom inv0 : forall x : borrowed i . 
inv0 x = true let rec cfg enumerate [#"../15_enumerate.rs" 81 0 81 54] [@cfg:stackify] [@cfg:subregion_analysis] (iter : i) : C15Enumerate_Enumerate_Type.t_enumerate i - requires {[#"../15_enumerate.rs" 79 0 79 75] forall i : borrowed i . inv0 i -> completed0 i -> produces0 ( * i) (Seq.empty ) ( ^ i)} - requires {[#"../15_enumerate.rs" 80 0 80 93] forall i : i . forall s : Seq.seq item0 . inv1 i -> inv2 s -> produces0 iter s i -> Seq.length s < UIntSize.to_int max0} + requires {[#"../15_enumerate.rs" 79 0 79 75] forall i : borrowed i . inv0 i + -> completed0 i -> produces0 ( * i) (Seq.empty ) ( ^ i)} + requires {[#"../15_enumerate.rs" 80 0 80 93] forall i : i . forall s : Seq.seq item0 . inv1 i + -> inv2 s -> produces0 iter s i -> Seq.length s < UIntSize.to_int max0} requires {[#"../15_enumerate.rs" 81 30 81 34] inv1 iter} ensures { [#"../15_enumerate.rs" 81 42 81 54] inv3 result } @@ -552,7 +609,7 @@ module C15Enumerate_Enumerate goto BB1 } BB1 { - [#"../15_enumerate.rs" 82 4 82 32] _0 <- ([#"../15_enumerate.rs" 82 4 82 32] C15Enumerate_Enumerate_Type.C_Enumerate iter (0 : usize)); + [#"../15_enumerate.rs" 82 4 82 32] _0 <- ([#"../15_enumerate.rs" 82 4 82 32] C15Enumerate_Enumerate_Type.C_Enumerate iter ([#"../15_enumerate.rs" 82 29 82 30] (0 : usize))); iter <- any i; goto BB2 } 
@@ -622,7 +679,11 @@ module C15Enumerate_Impl0 use C15Enumerate_Enumerate_Type as C15Enumerate_Enumerate_Type predicate invariant2 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) = - [#"../15_enumerate.rs" 73 12 74 79] (forall i : i . forall s : Seq.seq item0 . inv5 i -> inv4 s -> produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s i -> UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + Seq.length s < UIntSize.to_int max0) /\ (forall i : borrowed i . inv6 i -> completed1 i -> produces1 ( * i) (Seq.empty ) ( ^ i)) + [#"../15_enumerate.rs" 73 12 74 79] (forall i : i . forall s : Seq.seq item0 . inv5 i + -> inv4 s + -> produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s i + -> UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + Seq.length s < UIntSize.to_int max0) /\ (forall i : borrowed i . inv6 i + -> completed1 i -> produces1 ( * i) (Seq.empty ) ( ^ i)) val invariant2 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) : bool ensures { result = invariant2 self } 
@@ -661,7 +722,8 @@ module C15Enumerate_Impl0 predicate produces0 [#"../15_enumerate.rs" 28 4 28 64] (self : C15Enumerate_Enumerate_Type.t_enumerate i) (visited : Seq.seq (usize, item0)) (o : C15Enumerate_Enumerate_Type.t_enumerate i) = - [#"../15_enumerate.rs" 29 8 34 9] Seq.length visited = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count o) - UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) /\ (exists s : Seq.seq item0 . inv4 s /\ produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s (C15Enumerate_Enumerate_Type.enumerate_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + i /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) + [#"../15_enumerate.rs" 29 8 34 9] Seq.length visited = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count o) - UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) /\ (exists s : Seq.seq item0 . inv4 s /\ produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s (C15Enumerate_Enumerate_Type.enumerate_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + i /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) val produces0 [#"../15_enumerate.rs" 28 4 28 64] (self : C15Enumerate_Enumerate_Type.t_enumerate i) (visited : Seq.seq (usize, item0)) (o : C15Enumerate_Enumerate_Type.t_enumerate i) : bool ensures { result = produces0 self visited o } 
@@ -672,15 +734,20 @@ module C15Enumerate_Impl0 val completed0 [#"../15_enumerate.rs" 22 4 22 35] (self : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i)) : bool ensures { result = completed0 self } - goal next_refn : [#"../15_enumerate.rs" 53 4 53 44] forall self : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i) . inv0 self -> inv0 self /\ (forall result : Core_Option_Option_Type.t_option (usize, item0) . inv1 result /\ match result with + goal next_refn : [#"../15_enumerate.rs" 53 4 53 44] forall self : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i) . inv0 self + -> inv0 self /\ (forall result : Core_Option_Option_Type.t_option (usize, item0) . inv1 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv1 result /\ match result with + end + -> inv1 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) - goal produces_trans_refn : [#"../15_enumerate.rs" 47 4 47 90] forall a : C15Enumerate_Enumerate_Type.t_enumerate i . forall ab : Seq.seq (usize, item0) . forall b : C15Enumerate_Enumerate_Type.t_enumerate i . forall bc : Seq.seq (usize, item0) . forall c : C15Enumerate_Enumerate_Type.t_enumerate i . inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b -> inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) - goal produces_refl_refn : [#"../15_enumerate.rs" 40 4 40 26] forall self : C15Enumerate_Enumerate_Type.t_enumerate i . inv2 self -> inv2 self /\ (forall result : () . 
produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal produces_trans_refn : [#"../15_enumerate.rs" 47 4 47 90] forall a : C15Enumerate_Enumerate_Type.t_enumerate i . forall ab : Seq.seq (usize, item0) . forall b : C15Enumerate_Enumerate_Type.t_enumerate i . forall bc : Seq.seq (usize, item0) . forall c : C15Enumerate_Enumerate_Type.t_enumerate i . inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b + -> inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) + goal produces_refl_refn : [#"../15_enumerate.rs" 40 4 40 26] forall self : C15Enumerate_Enumerate_Type.t_enumerate i . inv2 self + -> inv2 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) end module C15Enumerate_Impl1 type i diff --git a/creusot/tests/should_succeed/iterators/16_take.mlcfg b/creusot/tests/should_succeed/iterators/16_take.mlcfg index 97d8327966..dd2135fe79 100644 --- a/creusot/tests/should_succeed/iterators/16_take.mlcfg +++ b/creusot/tests/should_succeed/iterators/16_take.mlcfg 
@@ -53,14 +53,21 @@ module C16Take_Impl0_ProducesRefl_Impl requires {[#"../common.rs" 21 82 21 83] inv1 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv1 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv1 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv1 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv1 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv1 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv1 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv1 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv1 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv1 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) use C16Take_Take_Type as C16Take_Take_Type predicate invariant0 (self : C16Take_Take_Type.t_take i) val invariant0 (self : C16Take_Take_Type.t_take i) : bool 
@@ -83,7 +90,8 @@ module C16Take_Impl0_ProducesRefl_Impl constant self : C16Take_Take_Type.t_take i function produces_refl [#"../16_take.rs" 40 4 40 26] (self : C16Take_Take_Type.t_take i) : () - goal vc_produces_refl : ([#"../16_take.rs" 40 21 40 25] inv0 self) -> ([#"../16_take.rs" 39 14 39 45] produces0 self (Seq.empty ) self) + goal vc_produces_refl : ([#"../16_take.rs" 40 21 40 25] inv0 self) + -> ([#"../16_take.rs" 39 14 39 45] produces0 self (Seq.empty ) self) end module C16Take_Impl0_ProducesTrans_Impl type i 
@@ -119,14 +127,21 @@ module C16Take_Impl0_ProducesTrans_Impl requires {[#"../common.rs" 21 82 21 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv2 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv2 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv2 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv2 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : Seq.seq item0) val invariant1 (self : Seq.seq item0) : bool ensures { result = invariant1 self } 
@@ -159,7 +174,14 @@ module C16Take_Impl0_ProducesTrans_Impl constant c : C16Take_Take_Type.t_take i function produces_trans [#"../16_take.rs" 47 4 47 90] (a : C16Take_Take_Type.t_take i) (ab : Seq.seq item0) (b : C16Take_Take_Type.t_take i) (bc : Seq.seq item0) (c : C16Take_Take_Type.t_take i) : () - goal vc_produces_trans : ([#"../16_take.rs" 47 82 47 83] inv0 c) -> ([#"../16_take.rs" 47 61 47 63] inv1 bc) -> ([#"../16_take.rs" 47 52 47 53] inv0 b) -> ([#"../16_take.rs" 47 31 47 33] inv1 ab) -> ([#"../16_take.rs" 47 22 47 23] inv0 a) -> ([#"../16_take.rs" 45 15 45 32] produces0 b bc c) -> ([#"../16_take.rs" 44 15 44 32] produces0 a ab b) -> ([#"../16_take.rs" 46 14 46 42] produces0 a (Seq.(++) ab bc) c) + goal vc_produces_trans : ([#"../16_take.rs" 47 82 47 83] inv0 c) + -> ([#"../16_take.rs" 47 61 47 63] inv1 bc) + -> ([#"../16_take.rs" 47 52 47 53] inv0 b) + -> ([#"../16_take.rs" 47 31 47 33] inv1 ab) + -> ([#"../16_take.rs" 47 22 47 23] inv0 a) + -> ([#"../16_take.rs" 45 15 45 32] produces0 b bc c) + -> ([#"../16_take.rs" 44 15 44 32] produces0 a ab b) + -> ([#"../16_take.rs" 46 14 46 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = 
@@ -221,14 +243,21 @@ module C16Take_Impl0_Next requires {[#"../common.rs" 21 82 21 83] inv1 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv1 a) -> ([#"../common.rs" 21 31 21 33] inv4 ab) -> ([#"../common.rs" 21 52 21 53] inv1 b) -> ([#"../common.rs" 21 61 21 63] inv4 bc) -> ([#"../common.rs" 21 82 21 83] inv1 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv1 a) + -> ([#"../common.rs" 21 31 21 33] inv4 ab) + -> ([#"../common.rs" 21 52 21 53] inv1 b) + -> ([#"../common.rs" 21 61 21 63] inv4 bc) + -> ([#"../common.rs" 21 82 21 83] inv1 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv1 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv1 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv1 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : i) val invariant1 (self : i) : bool ensures { result = invariant1 self } 
@@ -295,14 +324,14 @@ module C16Take_Impl0_Next goto BB0 } BB0 { - [#"../16_take.rs" 54 11 54 22] _3 <- ([#"../16_take.rs" 54 11 54 22] C16Take_Take_Type.take_n ( * self) <> (0 : usize)); + [#"../16_take.rs" 54 11 54 22] _3 <- ([#"../16_take.rs" 54 11 54 22] C16Take_Take_Type.take_n ( * self) <> ([#"../16_take.rs" 54 21 54 22] (0 : usize))); switch (_3) | False -> goto BB3 | True -> goto BB1 end } BB1 { - [#"../16_take.rs" 55 12 55 23] self <- { self with current = (let C16Take_Take_Type.C_Take x0 x1 = * self in C16Take_Take_Type.C_Take x0 ([#"../16_take.rs" 55 12 55 23] C16Take_Take_Type.take_n ( * self) - (1 : usize))) ; }; + [#"../16_take.rs" 55 12 55 23] self <- { self with current = (let C16Take_Take_Type.C_Take x0 x1 = * self in C16Take_Take_Type.C_Take x0 ([#"../16_take.rs" 55 12 55 23] C16Take_Take_Type.take_n ( * self) - ([#"../16_take.rs" 55 22 55 23] (1 : usize)))) ; }; [#"../16_take.rs" 56 12 56 21] _5 <- Borrow.borrow_final (C16Take_Take_Type.take_iter ( * self)) (Borrow.inherit_id (Borrow.get_id self) 1); [#"../16_take.rs" 56 12 56 21] self <- { self with current = (let C16Take_Take_Type.C_Take x0 x1 = * self in C16Take_Take_Type.C_Take ( ^ _5) x1) ; }; assume { inv1 ( ^ _5) }; 
@@ -401,13 +430,18 @@ module C16Take_Impl0 ensures { result = produces0 self visited o } use seq.Seq - goal produces_refl_refn : [#"../16_take.rs" 40 4 40 26] forall self : C16Take_Take_Type.t_take i . inv0 self -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal next_refn : [#"../16_take.rs" 53 4 53 41] forall self : borrowed (C16Take_Take_Type.t_take i) . inv1 self -> inv1 self /\ (forall result : Core_Option_Option_Type.t_option item0 . inv2 result /\ match result with + goal produces_refl_refn : [#"../16_take.rs" 40 4 40 26] forall self : C16Take_Take_Type.t_take i . inv0 self + -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal next_refn : [#"../16_take.rs" 53 4 53 41] forall self : borrowed (C16Take_Take_Type.t_take i) . inv1 self + -> inv1 self /\ (forall result : Core_Option_Option_Type.t_option item0 . inv2 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv2 result /\ match result with + end + -> inv2 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) - goal produces_trans_refn : [#"../16_take.rs" 47 4 47 90] forall a : C16Take_Take_Type.t_take i . forall ab : Seq.seq item0 . forall b : C16Take_Take_Type.t_take i . forall bc : Seq.seq item0 . forall c : C16Take_Take_Type.t_take i . inv0 c /\ inv3 bc /\ inv0 b /\ inv3 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> inv0 c /\ inv3 bc /\ inv0 b /\ inv3 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) + goal produces_trans_refn : [#"../16_take.rs" 47 4 47 90] forall a : C16Take_Take_Type.t_take i . forall ab : Seq.seq item0 . 
forall b : C16Take_Take_Type.t_take i . forall bc : Seq.seq item0 . forall c : C16Take_Take_Type.t_take i . inv0 c /\ inv3 bc /\ inv0 b /\ inv3 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> inv0 c /\ inv3 bc /\ inv0 b /\ inv3 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) end diff --git a/creusot/tests/should_succeed/knapsack.mlcfg b/creusot/tests/should_succeed/knapsack.mlcfg index a5f688504c..e9e5e27054 100644 --- a/creusot/tests/should_succeed/knapsack.mlcfg +++ b/creusot/tests/should_succeed/knapsack.mlcfg 
@@ -74,11 +74,17 @@ module Knapsack_M_Impl constant i : int constant w : int function m [#"../knapsack.rs" 34 0 34 57] (items : Seq.seq (Knapsack_Item_Type.t_item name)) (i : int) (w : int) : int - goal vc_m : ([#"../knapsack.rs" 34 11 34 16] inv0 items) -> ([#"../knapsack.rs" 32 11 32 17] 0 <= w) -> ([#"../knapsack.rs" 31 11 31 37] 0 <= i /\ i <= Seq.length items) -> match i = 0 with + goal vc_m : ([#"../knapsack.rs" 34 11 34 16] inv0 items) + -> ([#"../knapsack.rs" 32 11 32 17] 0 <= w) + -> ([#"../knapsack.rs" 31 11 31 37] 0 <= i /\ i <= Seq.length items) + -> match i = 0 with | True -> [#"../knapsack.rs" 33 10 33 21] 0 >= 0 | False -> match UIntSize.to_int (Knapsack_Item_Type.item_weight (Seq.get items (i - 1))) > w with - | True -> ((([#"../knapsack.rs" 34 11 34 16] inv0 items) && ([#"../knapsack.rs" 32 11 32 17] 0 <= w) && ([#"../knapsack.rs" 31 11 31 37] 0 <= i - 1 /\ i - 1 <= Seq.length items)) /\ 0 <= ([#"../knapsack.rs" 30 10 30 11] i) /\ ([#"../knapsack.rs" 30 10 30 11] i - 1) < ([#"../knapsack.rs" 30 10 30 11] i)) /\ (([#"../knapsack.rs" 33 10 33 21] m items (i - 1) w >= 0) -> ([#"../knapsack.rs" 33 10 33 21] m items (i - 1) w >= 0)) - | False -> ((([#"../knapsack.rs" 34 11 34 16] inv0 items) && ([#"../knapsack.rs" 32 11 32 17] 0 <= w) && ([#"../knapsack.rs" 31 11 31 37] 0 <= i - 1 /\ i - 1 <= Seq.length items)) /\ 0 <= ([#"../knapsack.rs" 30 10 30 11] i) /\ ([#"../knapsack.rs" 30 10 30 11] i - 1) < ([#"../knapsack.rs" 30 10 30 11] i)) /\ (([#"../knapsack.rs" 33 10 33 21] m items (i - 1) w >= 0) -> ((([#"../knapsack.rs" 34 11 34 16] inv0 items) && ([#"../knapsack.rs" 32 11 32 17] 0 <= w - UIntSize.to_int (Knapsack_Item_Type.item_weight (Seq.get items (i - 1)))) && ([#"../knapsack.rs" 31 11 31 37] 0 <= i - 1 /\ i - 1 <= Seq.length items)) /\ 0 <= ([#"../knapsack.rs" 30 10 30 11] i) /\ ([#"../knapsack.rs" 30 10 30 11] i - 1) < ([#"../knapsack.rs" 30 10 30 11] i)) /\ (([#"../knapsack.rs" 33 10 33 21] m items (i - 1) (w - UIntSize.to_int 
(Knapsack_Item_Type.item_weight (Seq.get items (i - 1)))) >= 0) -> ([#"../knapsack.rs" 33 10 33 21] MinMax.max (m items (i - 1) w) (m items (i - 1) (w - UIntSize.to_int (Knapsack_Item_Type.item_weight (Seq.get items (i - 1)))) + UIntSize.to_int (Knapsack_Item_Type.item_value (Seq.get items (i - 1)))) >= 0))) + | True -> ((([#"../knapsack.rs" 34 11 34 16] inv0 items) && ([#"../knapsack.rs" 32 11 32 17] 0 <= w) && ([#"../knapsack.rs" 31 11 31 37] 0 <= i - 1 /\ i - 1 <= Seq.length items)) /\ 0 <= ([#"../knapsack.rs" 30 10 30 11] i) /\ ([#"../knapsack.rs" 30 10 30 11] i - 1) < ([#"../knapsack.rs" 30 10 30 11] i)) /\ (([#"../knapsack.rs" 33 10 33 21] m items (i - 1) w >= 0) + -> ([#"../knapsack.rs" 33 10 33 21] m items (i - 1) w >= 0)) + | False -> ((([#"../knapsack.rs" 34 11 34 16] inv0 items) && ([#"../knapsack.rs" 32 11 32 17] 0 <= w) && ([#"../knapsack.rs" 31 11 31 37] 0 <= i - 1 /\ i - 1 <= Seq.length items)) /\ 0 <= ([#"../knapsack.rs" 30 10 30 11] i) /\ ([#"../knapsack.rs" 30 10 30 11] i - 1) < ([#"../knapsack.rs" 30 10 30 11] i)) /\ (([#"../knapsack.rs" 33 10 33 21] m items (i - 1) w >= 0) + -> ((([#"../knapsack.rs" 34 11 34 16] inv0 items) && ([#"../knapsack.rs" 32 11 32 17] 0 <= w - UIntSize.to_int (Knapsack_Item_Type.item_weight (Seq.get items (i - 1)))) && ([#"../knapsack.rs" 31 11 31 37] 0 <= i - 1 /\ i - 1 <= Seq.length items)) /\ 0 <= ([#"../knapsack.rs" 30 10 30 11] i) /\ ([#"../knapsack.rs" 30 10 30 11] i - 1) < ([#"../knapsack.rs" 30 10 30 11] i)) /\ (([#"../knapsack.rs" 33 10 33 21] m items (i - 1) (w - UIntSize.to_int (Knapsack_Item_Type.item_weight (Seq.get items (i - 1)))) >= 0) + -> ([#"../knapsack.rs" 33 10 33 21] MinMax.max (m items (i - 1) w) (m items (i - 1) (w - UIntSize.to_int (Knapsack_Item_Type.item_weight (Seq.get items (i - 1)))) + UIntSize.to_int (Knapsack_Item_Type.item_value (Seq.get items (i - 1)))) >= 0))) end end end 
@@ -156,7 +162,8 @@ module Knapsack_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv16 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv16 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max1) + axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv16 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max1) predicate invariant16 (self : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -280,7 +287,8 @@ module Knapsack_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max1) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max1) predicate invariant5 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -299,7 +307,8 @@ module Knapsack_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv7 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max1) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv7 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max1) predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv7 (shallow_model3 self) val invariant4 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -327,7 +336,8 @@ module Knapsack_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model5 self } - axiom shallow_model5_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv17 (shallow_model5 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max1) + axiom shallow_model5_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv17 (shallow_model5 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max1) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) = @@ -376,7 +386,8 @@ module Knapsack_Knapsack01Dyn use prelude.Slice use seq.Seq predicate resolve_elswhere1 [@inline:trivial] (self : usize) (old' : Seq.seq usize) (fin : Seq.seq usize) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere1 [@inline:trivial] (self : usize) (old' : Seq.seq usize) (fin : Seq.seq usize) : bool ensures { result = resolve_elswhere1 self old' fin } 
@@ -411,7 +422,8 @@ module Knapsack_Knapsack01Dyn predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) (fin : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) (fin : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve_elswhere0 self old' fin } @@ -538,7 +550,8 @@ module Knapsack_Knapsack01Dyn ensures { result = index_logic3 self ix } predicate resolve5 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) -> resolve6 (index_logic3 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) + -> resolve6 (index_logic3 self i) val resolve5 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve5 self } 
@@ -552,7 +565,8 @@ module Knapsack_Knapsack01Dyn predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) -> resolve5 (index_logic0 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) + -> resolve5 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } 
@@ -577,11 +591,14 @@ module Knapsack_Knapsack01Dyn requires {[#"../knapsack.rs" 34 11 34 16] inv8 items} ensures { result = m0 items i w } - axiom m0_spec : forall items : Seq.seq (Knapsack_Item_Type.t_item name), i : int, w : int . ([#"../knapsack.rs" 31 11 31 37] 0 <= i /\ i <= Seq.length items) -> ([#"../knapsack.rs" 32 11 32 17] 0 <= w) -> ([#"../knapsack.rs" 34 11 34 16] inv8 items) -> ([#"../knapsack.rs" 33 10 33 21] m0 items i w >= 0) + axiom m0_spec : forall items : Seq.seq (Knapsack_Item_Type.t_item name), i : int, w : int . ([#"../knapsack.rs" 31 11 31 37] 0 <= i /\ i <= Seq.length items) + -> ([#"../knapsack.rs" 32 11 32 17] 0 <= w) + -> ([#"../knapsack.rs" 34 11 34 16] inv8 items) -> ([#"../knapsack.rs" 33 10 33 21] m0 items i w >= 0) val from_elem1 (elem : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (n : usize) : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) requires {inv4 elem} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model1 result) = UIntSize.to_int n } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic0 result i = elem } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic0 result i = elem } ensures { inv5 result } val len0 (self : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) : usize 
@@ -591,13 +608,15 @@ module Knapsack_Knapsack01Dyn val from_elem0 (elem : usize) (n : usize) : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) requires {inv3 elem} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model3 result) = UIntSize.to_int n } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic3 result i = elem } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic3 result i = elem } ensures { inv4 result } let rec cfg knapsack01_dyn [#"../knapsack.rs" 48 0 48 91] [@cfg:stackify] [@cfg:subregion_analysis] (items : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) (max_weight : usize) : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) requires {[#"../knapsack.rs" 45 11 45 34] Seq.length (shallow_model0 items) < 10000000} requires {[#"../knapsack.rs" 46 11 46 33] UIntSize.to_int max_weight < 10000000} - requires {[#"../knapsack.rs" 47 0 47 86] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 items) -> UIntSize.to_int (Knapsack_Item_Type.item_value (index_logic2 items i)) <= 10000000} + requires {[#"../knapsack.rs" 47 0 47 86] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 items) + -> UIntSize.to_int (Knapsack_Item_Type.item_value (index_logic2 items i)) <= 10000000} requires {[#"../knapsack.rs" 48 28 48 33] inv0 items} ensures { [#"../knapsack.rs" 48 75 48 91] inv2 result } 
@@ -652,8 +671,8 @@ module Knapsack_Knapsack01Dyn goto BB0 } BB0 { - [#"../knapsack.rs" 49 38 49 52] _8 <- ([#"../knapsack.rs" 49 38 49 52] max_weight + (1 : usize)); - [#"../knapsack.rs" 49 30 49 53] _7 <- ([#"../knapsack.rs" 49 30 49 53] from_elem0 (0 : usize) _8); + [#"../knapsack.rs" 49 38 49 52] _8 <- ([#"../knapsack.rs" 49 38 49 52] max_weight + ([#"../knapsack.rs" 49 51 49 52] (1 : usize))); + [#"../knapsack.rs" 49 30 49 53] _7 <- ([#"../knapsack.rs" 49 30 49 53] from_elem0 ([#"../knapsack.rs" 49 35 49 36] (0 : usize)) _8); _8 <- any usize; goto BB1 } @@ -662,7 +681,7 @@ module Knapsack_Knapsack01Dyn goto BB2 } BB2 { - [#"../knapsack.rs" 49 55 49 70] _10 <- ([#"../knapsack.rs" 49 55 49 70] _11 + (1 : usize)); + [#"../knapsack.rs" 49 55 49 70] _10 <- ([#"../knapsack.rs" 49 55 49 70] _11 + ([#"../knapsack.rs" 49 69 49 70] (1 : usize))); _11 <- any usize; [#"../knapsack.rs" 49 25 49 71] best_value <- ([#"../knapsack.rs" 49 25 49 71] from_elem1 _7 _10); _7 <- any Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); @@ -670,7 +689,7 @@ module Knapsack_Knapsack01Dyn goto BB3 } BB3 { - [#"../knapsack.rs" 50 16 50 17] i <- ([#"../knapsack.rs" 50 16 50 17] (0 : usize)); + [#"../knapsack.rs" 50 16 50 17] i <- ([#"../knapsack.rs" 50 16 50 17] [#"../knapsack.rs" 50 16 50 17] (0 : usize)); goto BB4 } BB4 { 
@@ -687,9 +706,12 @@ module Knapsack_Knapsack01Dyn } BB8 { invariant { [#"../knapsack.rs" 52 16 52 53] Seq.length (shallow_model0 items) + 1 = Seq.length (shallow_model1 best_value) }; - invariant { [#"../knapsack.rs" 52 4 52 55] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 best_value) -> UIntSize.to_int max_weight + 1 = Seq.length (shallow_model3 (index_logic0 best_value i)) }; - invariant { [#"../knapsack.rs" 52 4 52 55] forall ww : int . forall ii : int . 0 <= ii /\ ii <= UIntSize.to_int i /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) = m0 (shallow_model0 items) ii ww }; - invariant { [#"../knapsack.rs" 52 4 52 55] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (shallow_model0 items) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) <= 10000000 * ii }; + invariant { [#"../knapsack.rs" 52 4 52 55] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 best_value) + -> UIntSize.to_int max_weight + 1 = Seq.length (shallow_model3 (index_logic0 best_value i)) }; + invariant { [#"../knapsack.rs" 52 4 52 55] forall ww : int . forall ii : int . 0 <= ii /\ ii <= UIntSize.to_int i /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight + -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) = m0 (shallow_model0 items) ii ww }; + invariant { [#"../knapsack.rs" 52 4 52 55] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (shallow_model0 items) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight + -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) <= 10000000 * ii }; goto BB9 } BB9 { 
@@ -712,7 +734,7 @@ module Knapsack_Knapsack01Dyn [#"../knapsack.rs" 60 17 60 26] it <- ([#"../knapsack.rs" 60 17 60 26] _25); assert { [@expl:type invariant] inv1 _25 }; assume { resolve2 _25 }; - [#"../knapsack.rs" 64 20 64 21] w <- ([#"../knapsack.rs" 64 20 64 21] (0 : usize)); + [#"../knapsack.rs" 64 20 64 21] w <- ([#"../knapsack.rs" 64 20 64 21] [#"../knapsack.rs" 64 20 64 21] (0 : usize)); goto BB13 } BB13 { 
@@ -732,10 +754,14 @@ module Knapsack_Knapsack01Dyn } BB18 { invariant { [#"../knapsack.rs" 66 20 66 57] Seq.length (shallow_model0 items) + 1 = Seq.length (shallow_model1 best_value) }; - invariant { [#"../knapsack.rs" 66 8 66 59] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 best_value) -> UIntSize.to_int max_weight + 1 = Seq.length (shallow_model3 (index_logic0 best_value i)) }; - invariant { [#"../knapsack.rs" 66 8 66 59] forall ww : int . forall ii : int . 0 <= ii /\ ii <= UIntSize.to_int i /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) = m0 (shallow_model0 items) ii ww }; - invariant { [#"../knapsack.rs" 66 8 66 59] forall ww : int . 0 <= ww /\ ww <= UIntSize.to_int w - 1 -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value (UIntSize.to_int i + 1))) ww) = m0 (shallow_model0 items) (UIntSize.to_int i + 1) ww }; - invariant { [#"../knapsack.rs" 66 8 66 59] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (shallow_model0 items) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) <= 10000000 * ii }; + invariant { [#"../knapsack.rs" 66 8 66 59] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 best_value) + -> UIntSize.to_int max_weight + 1 = Seq.length (shallow_model3 (index_logic0 best_value i)) }; + invariant { [#"../knapsack.rs" 66 8 66 59] forall ww : int . forall ii : int . 0 <= ii /\ ii <= UIntSize.to_int i /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight + -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) = m0 (shallow_model0 items) ii ww }; + invariant { [#"../knapsack.rs" 66 8 66 59] forall ww : int . 
0 <= ww /\ ww <= UIntSize.to_int w - 1 + -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value (UIntSize.to_int i + 1))) ww) = m0 (shallow_model0 items) (UIntSize.to_int i + 1) ww }; + invariant { [#"../knapsack.rs" 66 8 66 59] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (shallow_model0 items) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight + -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) <= 10000000 * ii }; goto BB19 } BB19 { @@ -794,7 +820,7 @@ module Knapsack_Knapsack01Dyn BB30 { [#"../knapsack.rs" 77 12 77 22] _69 <- Borrow.borrow_mut best_value; [#"../knapsack.rs" 77 12 77 22] best_value <- ^ _69; - [#"../knapsack.rs" 77 23 77 28] _70 <- ([#"../knapsack.rs" 77 23 77 28] i + (1 : usize)); + [#"../knapsack.rs" 77 23 77 28] _70 <- ([#"../knapsack.rs" 77 23 77 28] i + ([#"../knapsack.rs" 77 27 77 28] (1 : usize))); [#"../knapsack.rs" 77 22 77 29] _68 <- ([#"../knapsack.rs" 77 22 77 29] index_mut0 _69 _70); _69 <- any borrowed (Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)); _70 <- any usize; 
@@ -812,15 +838,15 @@ module Knapsack_Knapsack01Dyn _38 <- any usize; assume { resolve3 _66 }; assume { resolve4 _68 }; - [#"../knapsack.rs" 82 12 82 18] w <- ([#"../knapsack.rs" 82 12 82 18] w + (1 : usize)); - [#"../knapsack.rs" 82 12 82 18] _19 <- ([#"../knapsack.rs" 82 12 82 18] ()); + [#"../knapsack.rs" 82 12 82 18] w <- ([#"../knapsack.rs" 82 12 82 18] w + ([#"../knapsack.rs" 82 17 82 18] (1 : usize))); + [#"../knapsack.rs" 82 12 82 18] _19 <- ([#"../knapsack.rs" 82 12 82 18] [#"../knapsack.rs" 82 12 82 18] ()); goto BB18 } BB33 { assert { [@expl:type invariant] inv1 it }; assume { resolve2 it }; - [#"../knapsack.rs" 84 8 84 14] i <- ([#"../knapsack.rs" 84 8 84 14] i + (1 : usize)); - [#"../knapsack.rs" 84 8 84 14] _19 <- ([#"../knapsack.rs" 84 8 84 14] ()); + [#"../knapsack.rs" 84 8 84 14] i <- ([#"../knapsack.rs" 84 8 84 14] i + ([#"../knapsack.rs" 84 13 84 14] (1 : usize))); + [#"../knapsack.rs" 84 8 84 14] _19 <- ([#"../knapsack.rs" 84 8 84 14] [#"../knapsack.rs" 84 8 84 14] ()); goto BB8 } BB34 { @@ -846,14 +872,14 @@ module Knapsack_Knapsack01Dyn goto BB39 } BB39 { - [#"../knapsack.rs" 93 10 93 15] _88 <- ([#"../knapsack.rs" 93 10 93 15] (0 : usize) < j); + [#"../knapsack.rs" 93 10 93 15] _88 <- ([#"../knapsack.rs" 93 10 93 15] ([#"../knapsack.rs" 93 10 93 11] (0 : usize)) < j); switch (_88) | False -> goto BB50 | True -> goto BB40 end } BB40 { - [#"../knapsack.rs" 94 8 94 14] j <- ([#"../knapsack.rs" 94 8 94 14] j - (1 : usize)); + [#"../knapsack.rs" 94 8 94 14] j <- ([#"../knapsack.rs" 94 8 94 14] j - ([#"../knapsack.rs" 94 13 94 14] (1 : usize))); [#"../knapsack.rs" 95 23 95 26] _91 <- ([#"../knapsack.rs" 95 23 95 26] index0 items j); goto BB41 } 
@@ -861,7 +887,7 @@ module Knapsack_Knapsack01Dyn [#"../knapsack.rs" 95 17 95 26] it1 <- ([#"../knapsack.rs" 95 17 95 26] _91); assert { [@expl:type invariant] inv1 _91 }; assume { resolve2 _91 }; - [#"../knapsack.rs" 96 22 96 27] _100 <- ([#"../knapsack.rs" 96 22 96 27] j + (1 : usize)); + [#"../knapsack.rs" 96 22 96 27] _100 <- ([#"../knapsack.rs" 96 22 96 27] j + ([#"../knapsack.rs" 96 26 96 27] (1 : usize))); [#"../knapsack.rs" 96 21 96 28] _98 <- ([#"../knapsack.rs" 96 21 96 28] index1 best_value _100); _100 <- any usize; goto BB42 @@ -897,13 +923,13 @@ module Knapsack_Knapsack01Dyn assert { [@expl:type invariant] inv1 it1 }; assume { resolve2 it1 }; [#"../knapsack.rs" 98 12 98 36] left_weight <- ([#"../knapsack.rs" 98 12 98 36] left_weight - Knapsack_Item_Type.item_weight it1); - [#"../knapsack.rs" 96 72 99 9] _19 <- ([#"../knapsack.rs" 96 72 99 9] ()); + [#"../knapsack.rs" 96 72 99 9] _19 <- ([#"../knapsack.rs" 96 72 99 9] [#"../knapsack.rs" 96 72 99 9] ()); goto BB49 } BB48 { assert { [@expl:type invariant] inv1 it1 }; assume { resolve2 it1 }; - [#"../knapsack.rs" 99 9 99 9] _19 <- ([#"../knapsack.rs" 99 9 99 9] ()); + [#"../knapsack.rs" 99 9 99 9] _19 <- ([#"../knapsack.rs" 99 9 99 9] [#"../knapsack.rs" 99 9 99 9] ()); goto BB49 } BB49 { diff --git a/creusot/tests/should_succeed/knapsack_full.mlcfg b/creusot/tests/should_succeed/knapsack_full.mlcfg index 263a186144..5d2b468df2 100644 --- a/creusot/tests/should_succeed/knapsack_full.mlcfg +++ b/creusot/tests/should_succeed/knapsack_full.mlcfg 
@@ -73,9 +73,12 @@ module KnapsackFull_SumWeights_Impl constant i : int function sum_weights [#"../knapsack_full.rs" 27 0 27 56] (s : Seq.seq (KnapsackFull_Item_Type.t_item name)) (i : int) : int - goal vc_sum_weights : ([#"../knapsack_full.rs" 27 21 27 22] inv0 s) -> ([#"../knapsack_full.rs" 25 11 25 33] 0 <= i /\ i <= Seq.length s) -> match i = Seq.length s with + goal vc_sum_weights : ([#"../knapsack_full.rs" 27 21 27 22] inv0 s) + -> ([#"../knapsack_full.rs" 25 11 25 33] 0 <= i /\ i <= Seq.length s) + -> match i = Seq.length s with | True -> [#"../knapsack_full.rs" 26 10 26 21] 0 >= 0 - | False -> ((([#"../knapsack_full.rs" 27 21 27 22] inv0 s) && ([#"../knapsack_full.rs" 25 11 25 33] 0 <= i + 1 /\ i + 1 <= Seq.length s)) /\ 0 <= ([#"../knapsack_full.rs" 24 10 24 19] Seq.length s - i) /\ ([#"../knapsack_full.rs" 24 10 24 19] Seq.length s - (i + 1)) < ([#"../knapsack_full.rs" 24 10 24 19] Seq.length s - i)) /\ (([#"../knapsack_full.rs" 26 10 26 21] sum_weights s (i + 1) >= 0) -> ([#"../knapsack_full.rs" 26 10 26 21] UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get s i)) + sum_weights s (i + 1) >= 0)) + | False -> ((([#"../knapsack_full.rs" 27 21 27 22] inv0 s) && ([#"../knapsack_full.rs" 25 11 25 33] 0 <= i + 1 /\ i + 1 <= Seq.length s)) /\ 0 <= ([#"../knapsack_full.rs" 24 10 24 19] Seq.length s - i) /\ ([#"../knapsack_full.rs" 24 10 24 19] Seq.length s - (i + 1)) < ([#"../knapsack_full.rs" 24 10 24 19] Seq.length s - i)) /\ (([#"../knapsack_full.rs" 26 10 26 21] sum_weights s (i + 1) >= 0) + -> ([#"../knapsack_full.rs" 26 10 26 21] UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get s i)) + sum_weights s (i + 1) >= 0)) end end module KnapsackFull_SumValues_Impl 
@@ -92,7 +95,8 @@ module KnapsackFull_SumValues_Impl constant i : int function sum_values [#"../knapsack_full.rs" 37 0 37 55] (s : Seq.seq (KnapsackFull_Item_Type.t_item name)) (i : int) : int - goal vc_sum_values : ([#"../knapsack_full.rs" 36 11 36 33] i >= 0 /\ i <= Seq.length s) -> match i = Seq.length s with + goal vc_sum_values : ([#"../knapsack_full.rs" 36 11 36 33] i >= 0 /\ i <= Seq.length s) + -> match i = Seq.length s with | True -> true | False -> ([#"../knapsack_full.rs" 36 11 36 33] i + 1 >= 0 /\ i + 1 <= Seq.length s) /\ 0 <= ([#"../knapsack_full.rs" 35 10 35 19] Seq.length s - i) /\ ([#"../knapsack_full.rs" 35 10 35 19] Seq.length s - (i + 1)) < ([#"../knapsack_full.rs" 35 10 35 19] Seq.length s - i) end @@ -111,7 +115,9 @@ module KnapsackFull_SubseqRev_Impl constant s2 : Seq.seq t constant i2 : int predicate subseq_rev [#"../knapsack_full.rs" 48 0 48 67] (s1 : Seq.seq t) (i1 : int) (s2 : Seq.seq t) (i2 : int) - goal vc_subseq_rev : ([#"../knapsack_full.rs" 47 11 47 36] 0 <= i2 /\ i2 <= Seq.length s2) -> ([#"../knapsack_full.rs" 46 11 46 36] 0 <= i1 /\ i1 <= Seq.length s1) -> match i2 = 0 with + goal vc_subseq_rev : ([#"../knapsack_full.rs" 47 11 47 36] 0 <= i2 /\ i2 <= Seq.length s2) + -> ([#"../knapsack_full.rs" 46 11 46 36] 0 <= i1 /\ i1 <= Seq.length s1) + -> match i2 = 0 with | True -> true | False -> if i1 < Seq.length s1 then if Seq.get s1 i1 = Seq.get s2 (i2 - 1) then 
@@ -177,7 +183,8 @@ module KnapsackFull_M_Impl requires {[#"../knapsack_full.rs" 27 21 27 22] inv1 s} ensures { result = sum_weights0 s i } - axiom sum_weights0_spec : forall s : Seq.seq (KnapsackFull_Item_Type.t_item name), i : int . ([#"../knapsack_full.rs" 25 11 25 33] 0 <= i /\ i <= Seq.length s) -> ([#"../knapsack_full.rs" 27 21 27 22] inv1 s) -> ([#"../knapsack_full.rs" 26 10 26 21] sum_weights0 s i >= 0) + axiom sum_weights0_spec : forall s : Seq.seq (KnapsackFull_Item_Type.t_item name), i : int . ([#"../knapsack_full.rs" 25 11 25 33] 0 <= i /\ i <= Seq.length s) + -> ([#"../knapsack_full.rs" 27 21 27 22] inv1 s) -> ([#"../knapsack_full.rs" 26 10 26 21] sum_weights0 s i >= 0) use seq.Seq predicate subseq_rev0 [#"../knapsack_full.rs" 48 0 48 67] (s1 : Seq.seq (KnapsackFull_Item_Type.t_item name)) (i1 : int) (s2 : Seq.seq (KnapsackFull_Item_Type.t_item name)) (i2 : int) 
@@ -196,11 +203,29 @@ module KnapsackFull_M_Impl constant w : int function m [#"../knapsack_full.rs" 66 0 66 57] (items : Seq.seq (KnapsackFull_Item_Type.t_item name)) (i : int) (w : int) : int - goal vc_m : ([#"../knapsack_full.rs" 66 11 66 16] inv0 items) -> ([#"../knapsack_full.rs" 61 11 61 17] 0 <= w) -> ([#"../knapsack_full.rs" 60 11 60 37] 0 <= i /\ i <= Seq.length items) -> match i = 0 with - | True -> let result = 0 in ([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv1 s -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items i /\ sum_weights0 s j <= w -> sum_values0 s j <= result) && ([#"../knapsack_full.rs" 62 10 62 21] result >= 0) + goal vc_m : ([#"../knapsack_full.rs" 66 11 66 16] inv0 items) + -> ([#"../knapsack_full.rs" 61 11 61 17] 0 <= w) + -> ([#"../knapsack_full.rs" 60 11 60 37] 0 <= i /\ i <= Seq.length items) + -> match i = 0 with + | True -> let result = 0 in ([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv1 s + -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items i /\ sum_weights0 s j <= w + -> sum_values0 s j <= result) && ([#"../knapsack_full.rs" 62 10 62 21] result >= 0) | False -> match UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get items (i - 1))) > w with - | True -> ((([#"../knapsack_full.rs" 66 11 66 16] inv0 items) && ([#"../knapsack_full.rs" 61 11 61 17] 0 <= w) && ([#"../knapsack_full.rs" 60 11 60 37] 0 <= i - 1 /\ i - 1 <= Seq.length items)) /\ 0 <= ([#"../knapsack_full.rs" 59 10 59 11] i) /\ ([#"../knapsack_full.rs" 59 10 59 11] i - 1) < ([#"../knapsack_full.rs" 59 10 59 11] i)) /\ (([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . 
inv1 s -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items (i - 1) /\ sum_weights0 s j <= w -> sum_values0 s j <= m items (i - 1) w) && ([#"../knapsack_full.rs" 62 10 62 21] m items (i - 1) w >= 0) -> (let result = m items (i - 1) w in ([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv1 s -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items i /\ sum_weights0 s j <= w -> sum_values0 s j <= result) && ([#"../knapsack_full.rs" 62 10 62 21] result >= 0))) - | False -> ((([#"../knapsack_full.rs" 66 11 66 16] inv0 items) && ([#"../knapsack_full.rs" 61 11 61 17] 0 <= w) && ([#"../knapsack_full.rs" 60 11 60 37] 0 <= i - 1 /\ i - 1 <= Seq.length items)) /\ 0 <= ([#"../knapsack_full.rs" 59 10 59 11] i) /\ ([#"../knapsack_full.rs" 59 10 59 11] i - 1) < ([#"../knapsack_full.rs" 59 10 59 11] i)) /\ (([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv1 s -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items (i - 1) /\ sum_weights0 s j <= w -> sum_values0 s j <= m items (i - 1) w) && ([#"../knapsack_full.rs" 62 10 62 21] m items (i - 1) w >= 0) -> ((([#"../knapsack_full.rs" 66 11 66 16] inv0 items) && ([#"../knapsack_full.rs" 61 11 61 17] 0 <= w - UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get items (i - 1)))) && ([#"../knapsack_full.rs" 60 11 60 37] 0 <= i - 1 /\ i - 1 <= Seq.length items)) /\ 0 <= ([#"../knapsack_full.rs" 59 10 59 11] i) /\ ([#"../knapsack_full.rs" 59 10 59 11] i - 1) < ([#"../knapsack_full.rs" 59 10 59 11] i)) /\ (([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . 
inv1 s -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items (i - 1) /\ sum_weights0 s j <= w - UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get items (i - 1))) -> sum_values0 s j <= m items (i - 1) (w - UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get items (i - 1))))) && ([#"../knapsack_full.rs" 62 10 62 21] m items (i - 1) (w - UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get items (i - 1)))) >= 0) -> (let result = MinMax.max (m items (i - 1) w) (m items (i - 1) (w - UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get items (i - 1)))) + UIntSize.to_int (KnapsackFull_Item_Type.item_value (Seq.get items (i - 1)))) in ([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv1 s -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items i /\ sum_weights0 s j <= w -> sum_values0 s j <= result) && ([#"../knapsack_full.rs" 62 10 62 21] result >= 0)))) + | True -> ((([#"../knapsack_full.rs" 66 11 66 16] inv0 items) && ([#"../knapsack_full.rs" 61 11 61 17] 0 <= w) && ([#"../knapsack_full.rs" 60 11 60 37] 0 <= i - 1 /\ i - 1 <= Seq.length items)) /\ 0 <= ([#"../knapsack_full.rs" 59 10 59 11] i) /\ ([#"../knapsack_full.rs" 59 10 59 11] i - 1) < ([#"../knapsack_full.rs" 59 10 59 11] i)) /\ (([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv1 s + -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items (i - 1) /\ sum_weights0 s j <= w + -> sum_values0 s j <= m items (i - 1) w) && ([#"../knapsack_full.rs" 62 10 62 21] m items (i - 1) w >= 0) + -> (let result = m items (i - 1) w in ([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . 
inv1 s + -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items i /\ sum_weights0 s j <= w + -> sum_values0 s j <= result) && ([#"../knapsack_full.rs" 62 10 62 21] result >= 0))) + | False -> ((([#"../knapsack_full.rs" 66 11 66 16] inv0 items) && ([#"../knapsack_full.rs" 61 11 61 17] 0 <= w) && ([#"../knapsack_full.rs" 60 11 60 37] 0 <= i - 1 /\ i - 1 <= Seq.length items)) /\ 0 <= ([#"../knapsack_full.rs" 59 10 59 11] i) /\ ([#"../knapsack_full.rs" 59 10 59 11] i - 1) < ([#"../knapsack_full.rs" 59 10 59 11] i)) /\ (([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv1 s + -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items (i - 1) /\ sum_weights0 s j <= w + -> sum_values0 s j <= m items (i - 1) w) && ([#"../knapsack_full.rs" 62 10 62 21] m items (i - 1) w >= 0) + -> ((([#"../knapsack_full.rs" 66 11 66 16] inv0 items) && ([#"../knapsack_full.rs" 61 11 61 17] 0 <= w - UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get items (i - 1)))) && ([#"../knapsack_full.rs" 60 11 60 37] 0 <= i - 1 /\ i - 1 <= Seq.length items)) /\ 0 <= ([#"../knapsack_full.rs" 59 10 59 11] i) /\ ([#"../knapsack_full.rs" 59 10 59 11] i - 1) < ([#"../knapsack_full.rs" 59 10 59 11] i)) /\ (([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . 
inv1 s + -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items (i - 1) /\ sum_weights0 s j <= w - UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get items (i - 1))) + -> sum_values0 s j <= m items (i - 1) (w - UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get items (i - 1))))) && ([#"../knapsack_full.rs" 62 10 62 21] m items (i - 1) (w - UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get items (i - 1)))) >= 0) + -> (let result = MinMax.max (m items (i - 1) w) (m items (i - 1) (w - UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get items (i - 1)))) + UIntSize.to_int (KnapsackFull_Item_Type.item_value (Seq.get items (i - 1)))) in ([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv1 s + -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items i /\ sum_weights0 s j <= w + -> sum_values0 s j <= result) && ([#"../knapsack_full.rs" 62 10 62 21] result >= 0)))) end end end 
@@ -306,7 +331,8 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv22 self} ensures { result = shallow_model5 self } - axiom shallow_model5_spec : forall self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv22 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv11 (shallow_model5 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max1) + axiom shallow_model5_spec : forall self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv22 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv11 (shallow_model5 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max1) predicate invariant22 (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -463,7 +489,8 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv9 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max1) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv9 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max1) predicate invariant8 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -482,7 +509,8 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max1) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max1) predicate invariant7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv10 (shallow_model3 self) val invariant7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -514,7 +542,8 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max1) + axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max1) predicate invariant5 (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -564,7 +593,9 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/ops.rs" 207 20 207 24] inv2 self} ensures { result = is_empty_log0 self } - axiom is_empty_log0_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../creusot-contracts/src/std/ops.rs" 207 20 207 24] inv2 self) -> ([#"../../../../creusot-contracts/src/std/ops.rs" 206 4 206 88] not is_empty_log0 self -> deep_model0 (start_log0 self) <= deep_model0 (end_log0 self)) + axiom is_empty_log0_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../creusot-contracts/src/std/ops.rs" 207 20 207 24] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/ops.rs" 206 4 206 88] not is_empty_log0 self + -> deep_model0 (start_log0 self) <= deep_model0 (end_log0 self)) function range_inclusive_len0 (r : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) : int = [#"../../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5] if is_empty_log0 r then 0 
@@ -575,11 +606,14 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 46 62 46 63] inv2 r} ensures { result = range_inclusive_len0 r } - axiom range_inclusive_len0_spec : forall r : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 46 62 46 63] inv2 r) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43] is_empty_log0 r = (range_inclusive_len0 r = 0)) + axiom range_inclusive_len0_spec : forall r : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 46 62 46 63] inv2 r) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43] is_empty_log0 r = (range_inclusive_len0 r = 0)) predicate produces1 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) (visited : Seq.seq usize) (o : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) = - [#"../../../../creusot-contracts/src/std/iter/range.rs" 65 8 71 9] Seq.length visited = range_inclusive_len0 self - range_inclusive_len0 o /\ (is_empty_log0 self -> is_empty_log0 o) /\ (is_empty_log0 o \/ end_log0 self = end_log0 o) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (start_log0 self) + i) + [#"../../../../creusot-contracts/src/std/iter/range.rs" 65 8 71 9] Seq.length visited = range_inclusive_len0 self - range_inclusive_len0 o /\ (is_empty_log0 self + -> is_empty_log0 o) /\ (is_empty_log0 o \/ end_log0 self = end_log0 o) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (start_log0 self) + i) val produces1 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) (visited : Seq.seq usize) (o : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) : bool ensures { result = produces1 self visited o } 
@@ -597,7 +631,14 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 84 82 84 83] inv2 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize, ab : Seq.seq usize, b : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize, bc : Seq.seq usize, c : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 81 15 81 32] produces1 a ab b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 82 15 82 32] produces1 b bc c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 22 84 23] inv2 a) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 31 84 33] inv10 ab) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 52 84 53] inv2 b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 61 84 63] inv10 bc) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 82 84 83] inv2 c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 83 14 83 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize, ab : Seq.seq usize, b : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize, bc : Seq.seq usize, c : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . 
([#"../../../../creusot-contracts/src/std/iter/range.rs" 81 15 81 32] produces1 a ab b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 82 15 82 32] produces1 b bc c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 22 84 23] inv2 a) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 31 84 33] inv10 ab) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 52 84 53] inv2 b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 61 84 63] inv10 bc) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 82 84 83] inv2 c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 83 14 83 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) : () = [#"../../../../creusot-contracts/src/std/iter/range.rs" 74 4 74 10] () @@ -605,7 +646,8 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 77 21 77 25] inv2 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 77 21 77 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 76 14 76 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 77 21 77 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 76 14 76 45] produces1 self (Seq.empty ) self) predicate invariant2 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) = [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant2 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) : bool 
@@ -628,7 +670,9 @@ module KnapsackFull_Knapsack01Dyn predicate produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces0 self visited o } 
@@ -644,13 +688,21 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv10 ab) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv10 bc) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv10 ab) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv10 bc) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : Core_Ops_Range_Range_Type.t_range usize) = [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant0 (self : Core_Ops_Range_Range_Type.t_range usize) : bool 
@@ -697,7 +749,8 @@ module KnapsackFull_Knapsack01Dyn ensures { result = index_logic5 self ix } predicate resolve7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) -> resolve8 (index_logic5 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) + -> resolve8 (index_logic5 self i) val resolve7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve7 self } @@ -712,7 +765,8 @@ module KnapsackFull_Knapsack01Dyn predicate resolve5 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) -> resolve7 (index_logic0 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) + -> resolve7 (index_logic0 self i) val resolve5 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve5 self } 
@@ -752,7 +806,8 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../knapsack_full.rs" 27 21 27 22] inv3 s} ensures { result = sum_weights0 s i } - axiom sum_weights0_spec : forall s : Seq.seq (KnapsackFull_Item_Type.t_item name), i : int . ([#"../knapsack_full.rs" 25 11 25 33] 0 <= i /\ i <= Seq.length s) -> ([#"../knapsack_full.rs" 27 21 27 22] inv3 s) -> ([#"../knapsack_full.rs" 26 10 26 21] sum_weights0 s i >= 0) + axiom sum_weights0_spec : forall s : Seq.seq (KnapsackFull_Item_Type.t_item name), i : int . ([#"../knapsack_full.rs" 25 11 25 33] 0 <= i /\ i <= Seq.length s) + -> ([#"../knapsack_full.rs" 27 21 27 22] inv3 s) -> ([#"../knapsack_full.rs" 26 10 26 21] sum_weights0 s i >= 0) function index_logic2 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) (ix : int) : KnapsackFull_Item_Type.t_item name = @@ -776,7 +831,8 @@ module KnapsackFull_Knapsack01Dyn use prelude.Slice predicate resolve_elswhere1 [@inline:trivial] (self : usize) (old' : Seq.seq usize) (fin : Seq.seq usize) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere1 [@inline:trivial] (self : usize) (old' : Seq.seq usize) (fin : Seq.seq usize) : bool ensures { result = resolve_elswhere1 self old' fin } 
@@ -810,7 +866,8 @@ module KnapsackFull_Knapsack01Dyn predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) (fin : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) (fin : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve_elswhere0 self old' fin } @@ -919,7 +976,8 @@ module KnapsackFull_Knapsack01Dyn requires {inv6 end'} ensures { [#"../../../../creusot-contracts/src/std/ops.rs" 220 26 220 53] start_log0 result = start } ensures { [#"../../../../creusot-contracts/src/std/ops.rs" 221 26 221 49] end_log0 result = end' } - ensures { [#"../../../../creusot-contracts/src/std/ops.rs" 222 16 222 93] deep_model0 start <= deep_model0 end' -> not is_empty_log0 result } + ensures { [#"../../../../creusot-contracts/src/std/ops.rs" 222 16 222 93] deep_model0 start <= deep_model0 end' + -> not is_empty_log0 result } ensures { inv2 result } predicate resolve1 (self : KnapsackFull_Item_Type.t_item name) 
@@ -987,7 +1045,12 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../knapsack_full.rs" 66 11 66 16] inv11 items} ensures { result = m0 items i w } - axiom m0_spec : forall items : Seq.seq (KnapsackFull_Item_Type.t_item name), i : int, w : int . ([#"../knapsack_full.rs" 60 11 60 37] 0 <= i /\ i <= Seq.length items) -> ([#"../knapsack_full.rs" 61 11 61 17] 0 <= w) -> ([#"../knapsack_full.rs" 66 11 66 16] inv11 items) -> ([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv3 s -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items i /\ sum_weights0 s j <= w -> sum_values0 s j <= m0 items i w) && ([#"../knapsack_full.rs" 62 10 62 21] m0 items i w >= 0) + axiom m0_spec : forall items : Seq.seq (KnapsackFull_Item_Type.t_item name), i : int, w : int . ([#"../knapsack_full.rs" 60 11 60 37] 0 <= i /\ i <= Seq.length items) + -> ([#"../knapsack_full.rs" 61 11 61 17] 0 <= w) + -> ([#"../knapsack_full.rs" 66 11 66 16] inv11 items) + -> ([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv3 s + -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items i /\ sum_weights0 s j <= w + -> sum_values0 s j <= m0 items i w) && ([#"../knapsack_full.rs" 62 10 62 21] m0 items i w >= 0) use prelude.Snapshot use prelude.Snapshot use prelude.Snapshot 
@@ -1014,7 +1077,8 @@ module KnapsackFull_Knapsack01Dyn val from_elem1 (elem : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (n : usize) : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) requires {inv7 elem} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model1 result) = UIntSize.to_int n } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic0 result i = elem } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic0 result i = elem } ensures { inv8 result } val len0 (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) : usize 
@@ -1024,17 +1088,21 @@ module KnapsackFull_Knapsack01Dyn val from_elem0 (elem : usize) (n : usize) : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) requires {inv6 elem} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model3 result) = UIntSize.to_int n } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic5 result i = elem } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic5 result i = elem } ensures { inv7 result } let rec cfg knapsack01_dyn [#"../knapsack_full.rs" 85 0 85 91] [@cfg:stackify] [@cfg:subregion_analysis] (items : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) (max_weight : usize) : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) requires {[#"../knapsack_full.rs" 77 11 77 34] Seq.length (shallow_model0 items) < 10000000} requires {[#"../knapsack_full.rs" 78 11 78 33] UIntSize.to_int max_weight < 10000000} - requires {[#"../knapsack_full.rs" 79 0 79 86] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 items) -> UIntSize.to_int (KnapsackFull_Item_Type.item_value (index_logic4 items i)) <= 10000000} + requires {[#"../knapsack_full.rs" 79 0 79 86] forall i : int . 
0 <= i /\ i < Seq.length (shallow_model0 items) + -> UIntSize.to_int (KnapsackFull_Item_Type.item_value (index_logic4 items i)) <= 10000000} requires {[#"../knapsack_full.rs" 85 28 85 33] inv4 items} ensures { [#"../knapsack_full.rs" 80 10 80 60] sum_weights0 (shallow_model4 result) (Seq.length (shallow_model4 result)) <= UIntSize.to_int max_weight } ensures { [#"../knapsack_full.rs" 81 10 81 54] subseq_rev0 (shallow_model4 result) 0 (shallow_model0 items) (Seq.length (shallow_model0 items)) } - ensures { [#"../knapsack_full.rs" 82 0 84 2] forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv3 s -> subseq_rev0 s 0 (shallow_model0 items) (Seq.length (shallow_model0 items)) /\ sum_weights0 s (Seq.length s) <= UIntSize.to_int max_weight -> sum_values0 s (Seq.length s) <= sum_values0 (shallow_model4 result) (Seq.length (shallow_model4 result)) } + ensures { [#"../knapsack_full.rs" 82 0 84 2] forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv3 s + -> subseq_rev0 s 0 (shallow_model0 items) (Seq.length (shallow_model0 items)) /\ sum_weights0 s (Seq.length s) <= UIntSize.to_int max_weight + -> sum_values0 s (Seq.length s) <= sum_values0 (shallow_model4 result) (Seq.length (shallow_model4 result)) } ensures { [#"../knapsack_full.rs" 85 75 85 91] inv5 result } = [@vc:do_not_keep_trace] [@vc:sp] @@ -1104,8 +1172,8 @@ module KnapsackFull_Knapsack01Dyn goto BB0 } BB0 { - [#"../knapsack_full.rs" 86 38 86 52] _11 <- ([#"../knapsack_full.rs" 86 38 86 52] max_weight + (1 : usize)); - [#"../knapsack_full.rs" 86 30 86 53] _10 <- ([#"../knapsack_full.rs" 86 30 86 53] from_elem0 (0 : usize) _11); + [#"../knapsack_full.rs" 86 38 86 52] _11 <- ([#"../knapsack_full.rs" 86 38 86 52] max_weight + ([#"../knapsack_full.rs" 86 51 86 52] (1 : usize))); + [#"../knapsack_full.rs" 86 30 86 53] _10 <- ([#"../knapsack_full.rs" 86 30 86 53] from_elem0 ([#"../knapsack_full.rs" 86 35 86 36] (0 : usize)) _11); _11 <- any usize; goto BB1 } 
@@ -1114,7 +1182,7 @@ module KnapsackFull_Knapsack01Dyn goto BB2 } BB2 { - [#"../knapsack_full.rs" 86 55 86 70] _13 <- ([#"../knapsack_full.rs" 86 55 86 70] _14 + (1 : usize)); + [#"../knapsack_full.rs" 86 55 86 70] _13 <- ([#"../knapsack_full.rs" 86 55 86 70] _14 + ([#"../knapsack_full.rs" 86 69 86 70] (1 : usize))); _14 <- any usize; [#"../knapsack_full.rs" 86 25 86 71] best_value <- ([#"../knapsack_full.rs" 86 25 86 71] from_elem1 _10 _13); _10 <- any Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); @@ -1126,7 +1194,7 @@ module KnapsackFull_Knapsack01Dyn goto BB4 } BB4 { - [#"../knapsack_full.rs" 95 13 95 27] _18 <- ([#"../knapsack_full.rs" 95 13 95 27] Core_Ops_Range_Range_Type.C_Range (0 : usize) _19); + [#"../knapsack_full.rs" 95 13 95 27] _18 <- ([#"../knapsack_full.rs" 95 13 95 27] Core_Ops_Range_Range_Type.C_Range ([#"../knapsack_full.rs" 95 13 95 14] (0 : usize)) _19); _19 <- any usize; [#"../knapsack_full.rs" 88 4 88 55] iter <- ([#"../knapsack_full.rs" 88 4 88 55] into_iter0 _18); _18 <- any Core_Ops_Range_Range_Type.t_range usize; 
@@ -1159,9 +1227,12 @@ module KnapsackFull_Knapsack01Dyn invariant { [#"../knapsack_full.rs" 88 4 88 55] inv0 iter }; invariant { [#"../knapsack_full.rs" 88 4 88 55] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; invariant { [#"../knapsack_full.rs" 88 16 88 53] Seq.length (shallow_model0 items) + 1 = Seq.length (shallow_model1 best_value) }; - invariant { [#"../knapsack_full.rs" 88 4 88 55] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 best_value) -> UIntSize.to_int max_weight + 1 = Seq.length (shallow_model3 (index_logic0 best_value i)) }; - invariant { [#"../knapsack_full.rs" 88 4 88 55] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (Snapshot.inner produced) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) = m0 (shallow_model0 items) ii ww }; - invariant { [#"../knapsack_full.rs" 88 4 88 55] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (shallow_model0 items) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) <= 10000000 * ii }; + invariant { [#"../knapsack_full.rs" 88 4 88 55] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 best_value) + -> UIntSize.to_int max_weight + 1 = Seq.length (shallow_model3 (index_logic0 best_value i)) }; + invariant { [#"../knapsack_full.rs" 88 4 88 55] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (Snapshot.inner produced) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight + -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) = m0 (shallow_model0 items) ii ww }; + invariant { [#"../knapsack_full.rs" 88 4 88 55] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (shallow_model0 items) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight + -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) <= 10000000 * ii }; goto BB13 } BB13 { 
@@ -1207,7 +1278,7 @@ module KnapsackFull_Knapsack01Dyn [#"../knapsack_full.rs" 96 17 96 26] it <- ([#"../knapsack_full.rs" 96 17 96 26] _41); assert { [@expl:type invariant] inv1 _41 }; assume { resolve1 _41 }; - [#"../knapsack_full.rs" 110 17 110 31] _45 <- ([#"../knapsack_full.rs" 110 17 110 31] new2 (0 : usize) max_weight); + [#"../knapsack_full.rs" 110 17 110 31] _45 <- ([#"../knapsack_full.rs" 110 17 110 31] new2 ([#"../knapsack_full.rs" 110 17 110 18] (0 : usize)) max_weight); goto BB21 } BB21 { 
@@ -1245,10 +1316,14 @@ module KnapsackFull_Knapsack01Dyn invariant { [#"../knapsack_full.rs" 98 8 98 59] inv2 iter1 }; invariant { [#"../knapsack_full.rs" 98 8 98 59] produces1 (Snapshot.inner iter_old1) (Snapshot.inner produced1) iter1 }; invariant { [#"../knapsack_full.rs" 98 20 98 57] Seq.length (shallow_model0 items) + 1 = Seq.length (shallow_model1 best_value) }; - invariant { [#"../knapsack_full.rs" 98 8 98 59] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 best_value) -> UIntSize.to_int max_weight + 1 = Seq.length (shallow_model3 (index_logic0 best_value i)) }; - invariant { [#"../knapsack_full.rs" 98 8 98 59] forall ww : int . forall ii : int . 0 <= ii /\ ii <= UIntSize.to_int i /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) = m0 (shallow_model0 items) ii ww }; - invariant { [#"../knapsack_full.rs" 98 8 98 59] forall ww : int . 0 <= ww /\ ww <= Seq.length (Snapshot.inner produced1) - 1 -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value (UIntSize.to_int i + 1))) ww) = m0 (shallow_model0 items) (UIntSize.to_int i + 1) ww }; - invariant { [#"../knapsack_full.rs" 98 8 98 59] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (shallow_model0 items) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) <= 10000000 * ii }; + invariant { [#"../knapsack_full.rs" 98 8 98 59] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 best_value) + -> UIntSize.to_int max_weight + 1 = Seq.length (shallow_model3 (index_logic0 best_value i)) }; + invariant { [#"../knapsack_full.rs" 98 8 98 59] forall ww : int . forall ii : int . 
0 <= ii /\ ii <= UIntSize.to_int i /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight + -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) = m0 (shallow_model0 items) ii ww }; + invariant { [#"../knapsack_full.rs" 98 8 98 59] forall ww : int . 0 <= ww /\ ww <= Seq.length (Snapshot.inner produced1) - 1 + -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value (UIntSize.to_int i + 1))) ww) = m0 (shallow_model0 items) (UIntSize.to_int i + 1) ww }; + invariant { [#"../knapsack_full.rs" 98 8 98 59] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (shallow_model0 items) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight + -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) <= 10000000 * ii }; goto BB31 } BB31 { @@ -1270,7 +1345,7 @@ module KnapsackFull_Knapsack01Dyn BB33 { assert { [@expl:type invariant] inv1 it }; assume { resolve1 it }; - [#"../knapsack_full.rs" 98 8 98 59] _31 <- ([#"../knapsack_full.rs" 98 8 98 59] ()); + [#"../knapsack_full.rs" 98 8 98 59] _31 <- ([#"../knapsack_full.rs" 98 8 98 59] [#"../knapsack_full.rs" 98 8 98 59] ()); goto BB12 } BB34 { @@ -1333,7 +1408,7 @@ module KnapsackFull_Knapsack01Dyn BB46 { [#"../knapsack_full.rs" 111 12 111 22] _97 <- Borrow.borrow_mut best_value; [#"../knapsack_full.rs" 111 12 111 22] best_value <- ^ _97; - [#"../knapsack_full.rs" 111 23 111 28] _98 <- ([#"../knapsack_full.rs" 111 23 111 28] i + (1 : usize)); + [#"../knapsack_full.rs" 111 23 111 28] _98 <- ([#"../knapsack_full.rs" 111 23 111 28] i + ([#"../knapsack_full.rs" 111 27 111 28] (1 : usize))); [#"../knapsack_full.rs" 111 22 111 29] _96 <- ([#"../knapsack_full.rs" 111 22 111 29] index_mut0 _97 _98); _97 <- any borrowed (Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)); _98 <- any usize; 
@@ -1351,7 +1426,7 @@ module KnapsackFull_Knapsack01Dyn _66 <- any usize; assume { resolve3 _94 }; assume { resolve4 _96 }; - [#"../knapsack_full.rs" 110 32 116 9] _31 <- ([#"../knapsack_full.rs" 110 32 116 9] ()); + [#"../knapsack_full.rs" 110 32 116 9] _31 <- ([#"../knapsack_full.rs" 110 32 116 9] [#"../knapsack_full.rs" 110 32 116 9] ()); goto BB30 } BB49 { 
@@ -1379,20 +1454,29 @@ module KnapsackFull_Knapsack01Dyn BB55 { invariant { [#"../knapsack_full.rs" 123 16 123 34] UIntSize.to_int j <= Seq.length (shallow_model0 items) }; invariant { [#"../knapsack_full.rs" 124 16 124 43] UIntSize.to_int left_weight <= UIntSize.to_int max_weight }; - invariant { [#"../knapsack_full.rs" 123 4 123 36] forall r : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv3 r -> Seq.length (shallow_model4 result) <= Seq.length r /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 result) -> index_logic2 result i = Seq.get r i) /\ sum_weights0 r (Seq.length (shallow_model4 result)) <= UIntSize.to_int left_weight -> sum_weights0 r 0 <= UIntSize.to_int max_weight }; - invariant { [#"../knapsack_full.rs" 123 4 123 36] forall r : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv3 r -> Seq.length (shallow_model4 result) <= Seq.length r /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 result) -> index_logic2 result i = Seq.get r i) /\ sum_values0 r (Seq.length (shallow_model4 result)) = m0 (shallow_model0 items) (UIntSize.to_int j) (UIntSize.to_int left_weight) -> sum_values0 r 0 = m0 (shallow_model0 items) (Seq.length (shallow_model0 items)) (UIntSize.to_int max_weight) }; - invariant { [#"../knapsack_full.rs" 123 4 123 36] forall r : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv3 r -> Seq.length (shallow_model4 result) <= Seq.length r /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 result) -> index_logic2 result i = Seq.get r i) /\ subseq_rev0 r (Seq.length (shallow_model4 result)) (shallow_model0 items) (UIntSize.to_int j) -> subseq_rev0 r 0 (shallow_model0 items) (Seq.length (shallow_model0 items)) }; + invariant { [#"../knapsack_full.rs" 123 4 123 36] forall r : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv3 r + -> Seq.length (shallow_model4 result) <= Seq.length r /\ (forall i : int . 
0 <= i /\ i < Seq.length (shallow_model4 result) + -> index_logic2 result i = Seq.get r i) /\ sum_weights0 r (Seq.length (shallow_model4 result)) <= UIntSize.to_int left_weight + -> sum_weights0 r 0 <= UIntSize.to_int max_weight }; + invariant { [#"../knapsack_full.rs" 123 4 123 36] forall r : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv3 r + -> Seq.length (shallow_model4 result) <= Seq.length r /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 result) + -> index_logic2 result i = Seq.get r i) /\ sum_values0 r (Seq.length (shallow_model4 result)) = m0 (shallow_model0 items) (UIntSize.to_int j) (UIntSize.to_int left_weight) + -> sum_values0 r 0 = m0 (shallow_model0 items) (Seq.length (shallow_model0 items)) (UIntSize.to_int max_weight) }; + invariant { [#"../knapsack_full.rs" 123 4 123 36] forall r : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv3 r + -> Seq.length (shallow_model4 result) <= Seq.length r /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 result) + -> index_logic2 result i = Seq.get r i) /\ subseq_rev0 r (Seq.length (shallow_model4 result)) (shallow_model0 items) (UIntSize.to_int j) + -> subseq_rev0 r 0 (shallow_model0 items) (Seq.length (shallow_model0 items)) }; goto BB56 } BB56 { - [#"../knapsack_full.rs" 140 10 140 15] _115 <- ([#"../knapsack_full.rs" 140 10 140 15] (0 : usize) < j); + [#"../knapsack_full.rs" 140 10 140 15] _115 <- ([#"../knapsack_full.rs" 140 10 140 15] ([#"../knapsack_full.rs" 140 10 140 11] (0 : usize)) < j); switch (_115) | False -> goto BB67 | True -> goto BB57 end } BB57 { - [#"../knapsack_full.rs" 141 8 141 14] j <- ([#"../knapsack_full.rs" 141 8 141 14] j - (1 : usize)); + [#"../knapsack_full.rs" 141 8 141 14] j <- ([#"../knapsack_full.rs" 141 8 141 14] j - ([#"../knapsack_full.rs" 141 13 141 14] (1 : usize))); [#"../knapsack_full.rs" 142 23 142 26] _118 <- ([#"../knapsack_full.rs" 142 23 142 26] index0 items j); goto BB58 } 
@@ -1400,7 +1484,7 @@ module KnapsackFull_Knapsack01Dyn [#"../knapsack_full.rs" 142 17 142 26] it1 <- ([#"../knapsack_full.rs" 142 17 142 26] _118); assert { [@expl:type invariant] inv1 _118 }; assume { resolve1 _118 }; - [#"../knapsack_full.rs" 143 22 143 27] _127 <- ([#"../knapsack_full.rs" 143 22 143 27] j + (1 : usize)); + [#"../knapsack_full.rs" 143 22 143 27] _127 <- ([#"../knapsack_full.rs" 143 22 143 27] j + ([#"../knapsack_full.rs" 143 26 143 27] (1 : usize))); [#"../knapsack_full.rs" 143 21 143 28] _125 <- ([#"../knapsack_full.rs" 143 21 143 28] index1 best_value _127); _127 <- any usize; goto BB59 @@ -1436,13 +1520,13 @@ module KnapsackFull_Knapsack01Dyn assert { [@expl:type invariant] inv1 it1 }; assume { resolve1 it1 }; [#"../knapsack_full.rs" 145 12 145 36] left_weight <- ([#"../knapsack_full.rs" 145 12 145 36] left_weight - KnapsackFull_Item_Type.item_weight it1); - [#"../knapsack_full.rs" 143 72 146 9] _31 <- ([#"../knapsack_full.rs" 143 72 146 9] ()); + [#"../knapsack_full.rs" 143 72 146 9] _31 <- ([#"../knapsack_full.rs" 143 72 146 9] [#"../knapsack_full.rs" 143 72 146 9] ()); goto BB66 } BB65 { assert { [@expl:type invariant] inv1 it1 }; assume { resolve1 it1 }; - [#"../knapsack_full.rs" 146 9 146 9] _31 <- ([#"../knapsack_full.rs" 146 9 146 9] ()); + [#"../knapsack_full.rs" 146 9 146 9] _31 <- ([#"../knapsack_full.rs" 146 9 146 9] [#"../knapsack_full.rs" 146 9 146 9] ()); goto BB66 } BB66 { diff --git a/creusot/tests/should_succeed/lang/assoc_type.mlcfg b/creusot/tests/should_succeed/lang/assoc_type.mlcfg index f46b83d21a..f559b52a9c 100644 --- a/creusot/tests/should_succeed/lang/assoc_type.mlcfg +++ b/creusot/tests/should_succeed/lang/assoc_type.mlcfg 
@@ -38,7 +38,7 @@ module AssocType_Uses3 goto BB0 } BB0 { - [#"../assoc_type.rs" 36 34 36 36] _0 <- ([#"../assoc_type.rs" 36 34 36 36] ()); + [#"../assoc_type.rs" 36 34 36 36] _0 <- ([#"../assoc_type.rs" 36 34 36 36] [#"../assoc_type.rs" 36 34 36 36] ()); assert { [@expl:type invariant] inv0 _1 }; assume { resolve0 _1 }; goto BB1 diff --git a/creusot/tests/should_succeed/lang/branch_borrow_2.mlcfg b/creusot/tests/should_succeed/lang/branch_borrow_2.mlcfg index 93e062ce56..22f2266587 100644 --- a/creusot/tests/should_succeed/lang/branch_borrow_2.mlcfg +++ b/creusot/tests/should_succeed/lang/branch_borrow_2.mlcfg @@ -26,18 +26,18 @@ module BranchBorrow2_F goto BB0 } BB0 { - [#"../branch_borrow_2.rs" 4 16 4 18] a <- ([#"../branch_borrow_2.rs" 4 16 4 18] (10 : int32)); - [#"../branch_borrow_2.rs" 5 16 5 18] b <- ([#"../branch_borrow_2.rs" 5 16 5 18] (10 : int32)); - [#"../branch_borrow_2.rs" 6 16 6 18] c <- ([#"../branch_borrow_2.rs" 6 16 6 18] (10 : int32)); + [#"../branch_borrow_2.rs" 4 16 4 18] a <- ([#"../branch_borrow_2.rs" 4 16 4 18] [#"../branch_borrow_2.rs" 4 16 4 18] (10 : int32)); + [#"../branch_borrow_2.rs" 5 16 5 18] b <- ([#"../branch_borrow_2.rs" 5 16 5 18] [#"../branch_borrow_2.rs" 5 16 5 18] (10 : int32)); + [#"../branch_borrow_2.rs" 6 16 6 18] c <- ([#"../branch_borrow_2.rs" 6 16 6 18] [#"../branch_borrow_2.rs" 6 16 6 18] (10 : int32)); [#"../branch_borrow_2.rs" 8 12 8 18] x <- Borrow.borrow_mut a; [#"../branch_borrow_2.rs" 8 12 8 18] a <- ^ x; [#"../branch_borrow_2.rs" 9 12 9 18] y <- Borrow.borrow_mut b; [#"../branch_borrow_2.rs" 9 12 9 18] b <- ^ y; [#"../branch_borrow_2.rs" 10 12 10 18] z <- Borrow.borrow_mut c; [#"../branch_borrow_2.rs" 10 12 10 18] c <- ^ z; - switch ((3 : int32) = 1) + switch (([#"../branch_borrow_2.rs" 13 10 13 11] (3 : int32)) = 1) | True -> goto BB1 - | False -> switch ((3 : int32) = 2) + | False -> switch (([#"../branch_borrow_2.rs" 13 10 13 11] (3 : int32)) = 2) | True -> goto BB2 | False -> goto BB12 end 
@@ -50,46 +50,46 @@ module BranchBorrow2_F goto BB5 } BB3 { - [#"../branch_borrow_2.rs" 23 12 23 18] z <- { z with current = ([#"../branch_borrow_2.rs" 23 12 23 18] (8 : int32)) ; }; + [#"../branch_borrow_2.rs" 23 12 23 18] z <- { z with current = ([#"../branch_borrow_2.rs" 23 12 23 18] [#"../branch_borrow_2.rs" 23 17 23 18] (8 : int32)) ; }; [#"../branch_borrow_2.rs" 24 16 24 17] _12 <- Borrow.borrow_final ( * z) (Borrow.get_id z); [#"../branch_borrow_2.rs" 24 16 24 17] z <- { z with current = ( ^ _12) ; }; [#"../branch_borrow_2.rs" 24 12 24 17] w <- ([#"../branch_borrow_2.rs" 24 12 24 17] _12); _12 <- any borrowed int32; - [#"../branch_borrow_2.rs" 22 13 25 9] _8 <- ([#"../branch_borrow_2.rs" 22 13 25 9] ()); + [#"../branch_borrow_2.rs" 22 13 25 9] _8 <- ([#"../branch_borrow_2.rs" 22 13 25 9] [#"../branch_borrow_2.rs" 22 13 25 9] ()); goto BB6 } BB4 { assume { resolve0 z }; assume { resolve0 y }; - [#"../branch_borrow_2.rs" 15 12 15 18] x <- { x with current = ([#"../branch_borrow_2.rs" 15 12 15 18] (6 : int32)) ; }; + [#"../branch_borrow_2.rs" 15 12 15 18] x <- { x with current = ([#"../branch_borrow_2.rs" 15 12 15 18] [#"../branch_borrow_2.rs" 15 17 15 18] (6 : int32)) ; }; [#"../branch_borrow_2.rs" 16 12 16 17] w <- ([#"../branch_borrow_2.rs" 16 12 16 17] x); x <- any borrowed int32; - [#"../branch_borrow_2.rs" 14 13 17 9] _8 <- ([#"../branch_borrow_2.rs" 14 13 17 9] ()); + [#"../branch_borrow_2.rs" 14 13 17 9] _8 <- ([#"../branch_borrow_2.rs" 14 13 17 9] [#"../branch_borrow_2.rs" 14 13 17 9] ()); goto BB6 } BB5 { assume { resolve0 z }; - [#"../branch_borrow_2.rs" 19 12 19 18] y <- { y with current = ([#"../branch_borrow_2.rs" 19 12 19 18] (7 : int32)) ; }; + [#"../branch_borrow_2.rs" 19 12 19 18] y <- { y with current = ([#"../branch_borrow_2.rs" 19 12 19 18] [#"../branch_borrow_2.rs" 19 17 19 18] (7 : int32)) ; }; [#"../branch_borrow_2.rs" 20 16 20 17] _11 <- Borrow.borrow_final ( * y) (Borrow.get_id y); [#"../branch_borrow_2.rs" 20 16 20 17] y <- { y with 
current = ( ^ _11) ; }; [#"../branch_borrow_2.rs" 20 12 20 17] w <- ([#"../branch_borrow_2.rs" 20 12 20 17] _11); _11 <- any borrowed int32; - [#"../branch_borrow_2.rs" 18 13 21 9] _8 <- ([#"../branch_borrow_2.rs" 18 13 21 9] ()); + [#"../branch_borrow_2.rs" 18 13 21 9] _8 <- ([#"../branch_borrow_2.rs" 18 13 21 9] [#"../branch_borrow_2.rs" 18 13 21 9] ()); goto BB6 } BB6 { - [#"../branch_borrow_2.rs" 28 4 28 10] w <- { w with current = ([#"../branch_borrow_2.rs" 28 4 28 10] (5 : int32)) ; }; + [#"../branch_borrow_2.rs" 28 4 28 10] w <- { w with current = ([#"../branch_borrow_2.rs" 28 4 28 10] [#"../branch_borrow_2.rs" 28 9 28 10] (5 : int32)) ; }; assume { resolve0 w }; assume { resolve0 z }; assume { resolve0 y }; - [#"../branch_borrow_2.rs" 30 12 30 18] _14 <- ([#"../branch_borrow_2.rs" 30 12 30 18] c = (5 : int32)); + [#"../branch_borrow_2.rs" 30 12 30 18] _14 <- ([#"../branch_borrow_2.rs" 30 12 30 18] c = ([#"../branch_borrow_2.rs" 30 17 30 18] (5 : int32))); switch (_14) | False -> goto BB8 | True -> goto BB7 end } BB7 { - [#"../branch_borrow_2.rs" 3 11 31 1] _0 <- ([#"../branch_borrow_2.rs" 3 11 31 1] ()); + [#"../branch_borrow_2.rs" 3 11 31 1] _0 <- ([#"../branch_borrow_2.rs" 3 11 31 1] [#"../branch_borrow_2.rs" 3 11 31 1] ()); return _0 } BB8 { 
@@ -160,8 +160,8 @@ module BranchBorrow2_G goto BB0 } BB0 { - [#"../branch_borrow_2.rs" 36 17 36 26] _2 <- ([#"../branch_borrow_2.rs" 36 17 36 26] BranchBorrow2_MyInt_Type.C_MyInt (10 : usize)); - [#"../branch_borrow_2.rs" 36 28 36 36] _3 <- ([#"../branch_borrow_2.rs" 36 28 36 36] BranchBorrow2_MyInt_Type.C_MyInt (5 : usize)); + [#"../branch_borrow_2.rs" 36 17 36 26] _2 <- ([#"../branch_borrow_2.rs" 36 17 36 26] BranchBorrow2_MyInt_Type.C_MyInt ([#"../branch_borrow_2.rs" 36 23 36 25] (10 : usize))); + [#"../branch_borrow_2.rs" 36 28 36 36] _3 <- ([#"../branch_borrow_2.rs" 36 28 36 36] BranchBorrow2_MyInt_Type.C_MyInt ([#"../branch_borrow_2.rs" 36 34 36 35] (5 : usize))); [#"../branch_borrow_2.rs" 36 16 36 37] a <- ([#"../branch_borrow_2.rs" 36 16 36 37] (_2, _3)); _2 <- any BranchBorrow2_MyInt_Type.t_myint; _3 <- any BranchBorrow2_MyInt_Type.t_myint; @@ -175,7 +175,7 @@ module BranchBorrow2_G assume { resolve0 d }; assume { resolve1 b }; assume { resolve2 a }; - [#"../branch_borrow_2.rs" 35 11 43 1] _0 <- ([#"../branch_borrow_2.rs" 35 11 43 1] ()); + [#"../branch_borrow_2.rs" 35 11 43 1] _0 <- ([#"../branch_borrow_2.rs" 35 11 43 1] [#"../branch_borrow_2.rs" 35 11 43 1] ()); return _0 } 
@@ -203,38 +203,38 @@ module BranchBorrow2_H goto BB0 } BB0 { - [#"../branch_borrow_2.rs" 46 16 46 18] a <- ([#"../branch_borrow_2.rs" 46 16 46 18] (10 : int32)); - [#"../branch_borrow_2.rs" 47 16 47 18] b <- ([#"../branch_borrow_2.rs" 47 16 47 18] (10 : int32)); + [#"../branch_borrow_2.rs" 46 16 46 18] a <- ([#"../branch_borrow_2.rs" 46 16 46 18] [#"../branch_borrow_2.rs" 46 16 46 18] (10 : int32)); + [#"../branch_borrow_2.rs" 47 16 47 18] b <- ([#"../branch_borrow_2.rs" 47 16 47 18] [#"../branch_borrow_2.rs" 47 16 47 18] (10 : int32)); [#"../branch_borrow_2.rs" 49 12 49 18] x <- Borrow.borrow_mut a; [#"../branch_borrow_2.rs" 49 12 49 18] a <- ^ x; [#"../branch_borrow_2.rs" 50 12 50 18] y <- Borrow.borrow_mut b; [#"../branch_borrow_2.rs" 50 12 50 18] b <- ^ y; - switch (true) + switch ([#"../branch_borrow_2.rs" 52 7 52 11] true) | False -> goto BB2 | True -> goto BB1 end } BB1 { assume { resolve0 y }; - [#"../branch_borrow_2.rs" 53 8 53 14] x <- { x with current = ([#"../branch_borrow_2.rs" 53 8 53 14] (5 : int32)) ; }; + [#"../branch_borrow_2.rs" 53 8 53 14] x <- { x with current = ([#"../branch_borrow_2.rs" 53 8 53 14] [#"../branch_borrow_2.rs" 53 13 53 14] (5 : int32)) ; }; [#"../branch_borrow_2.rs" 54 8 54 13] w <- ([#"../branch_borrow_2.rs" 54 8 54 13] x); x <- any borrowed int32; - [#"../branch_borrow_2.rs" 52 12 55 5] _6 <- ([#"../branch_borrow_2.rs" 52 12 55 5] ()); + [#"../branch_borrow_2.rs" 52 12 55 5] _6 <- ([#"../branch_borrow_2.rs" 52 12 55 5] [#"../branch_borrow_2.rs" 52 12 55 5] ()); goto BB3 } BB2 { assume { resolve0 x }; - [#"../branch_borrow_2.rs" 56 8 56 14] y <- { y with current = ([#"../branch_borrow_2.rs" 56 8 56 14] (6 : int32)) ; }; + [#"../branch_borrow_2.rs" 56 8 56 14] y <- { y with current = ([#"../branch_borrow_2.rs" 56 8 56 14] [#"../branch_borrow_2.rs" 56 13 56 14] (6 : int32)) ; }; [#"../branch_borrow_2.rs" 57 12 57 13] _9 <- Borrow.borrow_final ( * y) (Borrow.get_id y); [#"../branch_borrow_2.rs" 57 12 57 13] y <- { y with current 
= ( ^ _9) ; }; [#"../branch_borrow_2.rs" 57 8 57 13] w <- ([#"../branch_borrow_2.rs" 57 8 57 13] _9); _9 <- any borrowed int32; - [#"../branch_borrow_2.rs" 55 11 60 5] _6 <- ([#"../branch_borrow_2.rs" 55 11 60 5] ()); + [#"../branch_borrow_2.rs" 55 11 60 5] _6 <- ([#"../branch_borrow_2.rs" 55 11 60 5] [#"../branch_borrow_2.rs" 55 11 60 5] ()); goto BB3 } BB3 { assume { resolve0 w }; - [#"../branch_borrow_2.rs" 45 11 68 1] _0 <- ([#"../branch_borrow_2.rs" 45 11 68 1] ()); + [#"../branch_borrow_2.rs" 45 11 68 1] _0 <- ([#"../branch_borrow_2.rs" 45 11 68 1] [#"../branch_borrow_2.rs" 45 11 68 1] ()); assume { resolve0 y }; return _0 } diff --git a/creusot/tests/should_succeed/lang/const.mlcfg b/creusot/tests/should_succeed/lang/const.mlcfg index f70cc9cd93..a792facef9 100644 --- a/creusot/tests/should_succeed/lang/const.mlcfg +++ b/creusot/tests/should_succeed/lang/const.mlcfg @@ -11,7 +11,7 @@ module Const_Foo goto BB0 } BB0 { - [#"../const.rs" 9 4 9 7] _0 <- ([#"../const.rs" 9 4 9 7] (42 : usize)); + [#"../const.rs" 9 4 9 7] _0 <- ([#"../const.rs" 9 4 9 7] [#"../const.rs" 9 4 9 7] (42 : usize)); return _0 } diff --git a/creusot/tests/should_succeed/lang/empty.mlcfg b/creusot/tests/should_succeed/lang/empty.mlcfg index f7c4f28c0a..3bfe289397 100644 --- a/creusot/tests/should_succeed/lang/empty.mlcfg +++ b/creusot/tests/should_succeed/lang/empty.mlcfg @@ -7,7 +7,7 @@ module Empty_F goto BB0 } BB0 { - [#"../empty.rs" 4 4 4 10] _0 <- ([#"../empty.rs" 4 4 4 10] ()); + [#"../empty.rs" 4 4 4 10] _0 <- ([#"../empty.rs" 4 4 4 10] [#"../empty.rs" 4 4 4 10] ()); return _0 } diff --git a/creusot/tests/should_succeed/lang/float_ops.mlcfg b/creusot/tests/should_succeed/lang/float_ops.mlcfg index fb0bf00ad0..8837b56da2 100644 --- a/creusot/tests/should_succeed/lang/float_ops.mlcfg +++ b/creusot/tests/should_succeed/lang/float_ops.mlcfg 
@@ -10,7 +10,7 @@ module FloatOps_Eq goto BB0 } BB0 { - [#"../float_ops.rs" 6 4 6 14] _0 <- ([#"../float_ops.rs" 6 4 6 14] (1.0 : Float64.t) .= (2.0 : Float64.t)); + [#"../float_ops.rs" 6 4 6 14] _0 <- ([#"../float_ops.rs" 6 4 6 14] ([#"../float_ops.rs" 6 4 6 7] (1.0 : Float64.t)) .= ([#"../float_ops.rs" 6 11 6 14] (2.0 : Float64.t))); return _0 } @@ -26,7 +26,7 @@ module FloatOps_Lt goto BB0 } BB0 { - [#"../float_ops.rs" 11 4 11 13] _0 <- ([#"../float_ops.rs" 11 4 11 13] (1.0 : Float64.t) .< (2.0 : Float64.t)); + [#"../float_ops.rs" 11 4 11 13] _0 <- ([#"../float_ops.rs" 11 4 11 13] ([#"../float_ops.rs" 11 4 11 7] (1.0 : Float64.t)) .< ([#"../float_ops.rs" 11 10 11 13] (2.0 : Float64.t))); return _0 } @@ -42,7 +42,7 @@ module FloatOps_Le goto BB0 } BB0 { - [#"../float_ops.rs" 16 4 16 14] _0 <- ([#"../float_ops.rs" 16 4 16 14] (1.0 : Float64.t) .<= (2.0 : Float64.t)); + [#"../float_ops.rs" 16 4 16 14] _0 <- ([#"../float_ops.rs" 16 4 16 14] ([#"../float_ops.rs" 16 4 16 7] (1.0 : Float64.t)) .<= ([#"../float_ops.rs" 16 11 16 14] (2.0 : Float64.t))); return _0 } @@ -58,7 +58,7 @@ module FloatOps_Gt goto BB0 } BB0 { - [#"../float_ops.rs" 21 4 21 13] _0 <- ([#"../float_ops.rs" 21 4 21 13] (2.0 : Float64.t) .> (1.0 : Float64.t)); + [#"../float_ops.rs" 21 4 21 13] _0 <- ([#"../float_ops.rs" 21 4 21 13] ([#"../float_ops.rs" 21 4 21 7] (2.0 : Float64.t)) .> ([#"../float_ops.rs" 21 10 21 13] (1.0 : Float64.t))); return _0 } @@ -74,7 +74,7 @@ module FloatOps_Ge goto BB0 } BB0 { - [#"../float_ops.rs" 26 4 26 14] _0 <- ([#"../float_ops.rs" 26 4 26 14] (2.0 : Float64.t) .>= (1.0 : Float64.t)); + [#"../float_ops.rs" 26 4 26 14] _0 <- ([#"../float_ops.rs" 26 4 26 14] ([#"../float_ops.rs" 26 4 26 7] (2.0 : Float64.t)) .>= ([#"../float_ops.rs" 26 11 26 14] (1.0 : Float64.t))); return _0 } 
@@ -90,7 +90,7 @@ module FloatOps_Neg goto BB0 } BB0 { - [#"../float_ops.rs" 31 4 31 15] _0 <- ([#"../float_ops.rs" 31 4 31 15] (-2.0 : Float64.t) .<= (1.0 : Float64.t)); + [#"../float_ops.rs" 31 4 31 15] _0 <- ([#"../float_ops.rs" 31 4 31 15] ([#"../float_ops.rs" 31 4 31 8] (-2.0 : Float64.t)) .<= ([#"../float_ops.rs" 31 12 31 15] (1.0 : Float64.t))); return _0 } diff --git a/creusot/tests/should_succeed/lang/literals.mlcfg b/creusot/tests/should_succeed/lang/literals.mlcfg index 9d41184fea..8504e3c54b 100644 --- a/creusot/tests/should_succeed/lang/literals.mlcfg +++ b/creusot/tests/should_succeed/lang/literals.mlcfg @@ -12,9 +12,9 @@ module Literals_FloatOperation goto BB0 } BB0 { - [#"../literals.rs" 4 17 4 20] x <- ([#"../literals.rs" 4 17 4 20] (0.0 : Float32.t)); - [#"../literals.rs" 6 7 6 17] _3 <- ([#"../literals.rs" 6 7 6 17] x .+ (0x1.020c40000000p0 : Float32.t)); - [#"../literals.rs" 6 7 6 24] _2 <- ([#"../literals.rs" 6 7 6 24] _3 .= (2.0 : Float32.t)); + [#"../literals.rs" 4 17 4 20] x <- ([#"../literals.rs" 4 17 4 20] [#"../literals.rs" 4 17 4 20] (0.0 : Float32.t)); + [#"../literals.rs" 6 7 6 17] _3 <- ([#"../literals.rs" 6 7 6 17] x .+ ([#"../literals.rs" 6 11 6 17] (0x1.020c40000000p0 : Float32.t))); + [#"../literals.rs" 6 7 6 24] _2 <- ([#"../literals.rs" 6 7 6 24] _3 .= ([#"../literals.rs" 6 21 6 24] (2.0 : Float32.t))); _3 <- any Float32.t; switch (_2) | False -> goto BB2 @@ -22,11 +22,11 @@ module Literals_FloatOperation end } BB1 { - [#"../literals.rs" 7 8 7 17] _0 <- ([#"../literals.rs" 7 8 7 17] (3.0 : Float32.t) .- (1.0 : Float32.t)); + [#"../literals.rs" 7 8 7 17] _0 <- ([#"../literals.rs" 7 8 7 17] ([#"../literals.rs" 7 8 7 11] (3.0 : Float32.t)) .- ([#"../literals.rs" 7 14 7 17] (1.0 : Float32.t))); goto BB3 } BB2 { - [#"../literals.rs" 9 8 9 11] _0 <- ([#"../literals.rs" 9 8 9 11] (0.0 : Float32.t)); + [#"../literals.rs" 9 8 9 11] _0 <- ([#"../literals.rs" 9 8 9 11] [#"../literals.rs" 9 8 9 11] (0.0 : Float32.t)); goto BB3 } BB3 { 
diff --git a/creusot/tests/should_succeed/lang/module_paths.mlcfg b/creusot/tests/should_succeed/lang/module_paths.mlcfg index 2fc2f76563..2025c02aac 100644 --- a/creusot/tests/should_succeed/lang/module_paths.mlcfg +++ b/creusot/tests/should_succeed/lang/module_paths.mlcfg @@ -38,7 +38,7 @@ module ModulePaths_Test goto BB0 } BB0 { - [#"../module_paths.rs" 22 52 22 54] _0 <- ([#"../module_paths.rs" 22 52 22 54] ()); + [#"../module_paths.rs" 22 52 22 54] _0 <- ([#"../module_paths.rs" 22 52 22 54] [#"../module_paths.rs" 22 52 22 54] ()); return _0 } diff --git a/creusot/tests/should_succeed/lang/modules.mlcfg b/creusot/tests/should_succeed/lang/modules.mlcfg index b99b2775c1..2bd931bd74 100644 --- a/creusot/tests/should_succeed/lang/modules.mlcfg +++ b/creusot/tests/should_succeed/lang/modules.mlcfg @@ -25,7 +25,7 @@ module Modules_Nested_InnerFunc BB0 { [#"../modules.rs" 14 16 14 28] _2 <- ([#"../modules.rs" 14 16 14 28] Modules_Nested_Nested_Type.C_Test); assume { resolve0 _2 }; - [#"../modules.rs" 15 8 15 12] _0 <- ([#"../modules.rs" 15 8 15 12] true); + [#"../modules.rs" 15 8 15 12] _0 <- ([#"../modules.rs" 15 8 15 12] [#"../modules.rs" 15 8 15 12] true); return _0 } @@ -38,7 +38,7 @@ module Modules_Nested_Further_Another goto BB0 } BB0 { - [#"../modules.rs" 20 12 20 17] _0 <- ([#"../modules.rs" 20 12 20 17] false); + [#"../modules.rs" 20 12 20 17] _0 <- ([#"../modules.rs" 20 12 20 17] [#"../modules.rs" 20 12 20 17] false); return _0 } 
@@ -57,15 +57,15 @@ module Modules_F goto BB0 } BB0 { - [#"../modules.rs" 26 4 26 24] _1 <- ([#"../modules.rs" 26 4 26 24] inner_func0 ()); + [#"../modules.rs" 26 4 26 24] _1 <- ([#"../modules.rs" 26 4 26 24] inner_func0 ([#"../modules.rs" 26 4 26 24] ())); goto BB1 } BB1 { - [#"../modules.rs" 28 4 28 13] _2 <- ([#"../modules.rs" 28 4 28 13] another0 ()); + [#"../modules.rs" 28 4 28 13] _2 <- ([#"../modules.rs" 28 4 28 13] another0 ([#"../modules.rs" 28 4 28 13] ())); goto BB2 } BB2 { - [#"../modules.rs" 25 11 29 1] _0 <- ([#"../modules.rs" 25 11 29 1] ()); + [#"../modules.rs" 25 11 29 1] _0 <- ([#"../modules.rs" 25 11 29 1] [#"../modules.rs" 25 11 29 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/lang/move_path.mlcfg b/creusot/tests/should_succeed/lang/move_path.mlcfg index 47fdd9eba6..52e93c5887 100644 --- a/creusot/tests/should_succeed/lang/move_path.mlcfg +++ b/creusot/tests/should_succeed/lang/move_path.mlcfg @@ -19,16 +19,16 @@ module MovePath_F goto BB0 } BB0 { - [#"../move_path.rs" 4 16 4 17] x <- ([#"../move_path.rs" 4 16 4 17] (1 : int32)); + [#"../move_path.rs" 4 16 4 17] x <- ([#"../move_path.rs" 4 16 4 17] [#"../move_path.rs" 4 16 4 17] (1 : int32)); [#"../move_path.rs" 6 12 6 18] y <- Borrow.borrow_mut x; [#"../move_path.rs" 6 12 6 18] x <- ^ y; [#"../move_path.rs" 7 12 7 13] d <- ([#"../move_path.rs" 7 12 7 13] y); y <- any borrowed int32; [#"../move_path.rs" 8 12 8 13] z <- ([#"../move_path.rs" 8 12 8 13] d); d <- any borrowed int32; - [#"../move_path.rs" 10 12 10 18] z <- { z with current = ([#"../move_path.rs" 10 12 10 18] (2 : int32)) ; }; + [#"../move_path.rs" 10 12 10 18] z <- { z with current = ([#"../move_path.rs" 10 12 10 18] [#"../move_path.rs" 10 17 10 18] (2 : int32)) ; }; assume { resolve0 z }; - [#"../move_path.rs" 3 11 15 1] _0 <- ([#"../move_path.rs" 3 11 15 1] ()); + [#"../move_path.rs" 3 11 15 1] _0 <- ([#"../move_path.rs" 3 11 15 1] [#"../move_path.rs" 3 11 15 1] ()); return _0 } 
diff --git a/creusot/tests/should_succeed/lang/multiple_scopes.mlcfg b/creusot/tests/should_succeed/lang/multiple_scopes.mlcfg index e6ae9886b7..c00be227a7 100644 --- a/creusot/tests/should_succeed/lang/multiple_scopes.mlcfg +++ b/creusot/tests/should_succeed/lang/multiple_scopes.mlcfg @@ -13,11 +13,11 @@ module MultipleScopes_MultipleScopes goto BB0 } BB0 { - [#"../multiple_scopes.rs" 5 17 5 18] _x <- ([#"../multiple_scopes.rs" 5 17 5 18] (1 : int32)); - [#"../multiple_scopes.rs" 6 13 6 14] _y <- ([#"../multiple_scopes.rs" 6 13 6 14] (2 : int32)); - [#"../multiple_scopes.rs" 8 17 8 18] _y1 <- ([#"../multiple_scopes.rs" 8 17 8 18] (3 : int32)); + [#"../multiple_scopes.rs" 5 17 5 18] _x <- ([#"../multiple_scopes.rs" 5 17 5 18] [#"../multiple_scopes.rs" 5 17 5 18] (1 : int32)); + [#"../multiple_scopes.rs" 6 13 6 14] _y <- ([#"../multiple_scopes.rs" 6 13 6 14] [#"../multiple_scopes.rs" 6 13 6 14] (2 : int32)); + [#"../multiple_scopes.rs" 8 17 8 18] _y1 <- ([#"../multiple_scopes.rs" 8 17 8 18] [#"../multiple_scopes.rs" 8 17 8 18] (3 : int32)); [#"../multiple_scopes.rs" 9 8 9 15] _x <- ([#"../multiple_scopes.rs" 9 8 9 15] _y1); - [#"../multiple_scopes.rs" 7 4 10 5] _0 <- ([#"../multiple_scopes.rs" 7 4 10 5] ()); + [#"../multiple_scopes.rs" 7 4 10 5] _0 <- ([#"../multiple_scopes.rs" 7 4 10 5] [#"../multiple_scopes.rs" 7 4 10 5] ()); return _0 } diff --git a/creusot/tests/should_succeed/lang/promoted_constants.mlcfg b/creusot/tests/should_succeed/lang/promoted_constants.mlcfg index d1c5522c1c..7a9d692899 100644 --- a/creusot/tests/should_succeed/lang/promoted_constants.mlcfg +++ b/creusot/tests/should_succeed/lang/promoted_constants.mlcfg 
@@ -22,10 +22,10 @@ module PromotedConstants_PromotedNone use prelude.Int let constant promoted0 [#"../promoted_constants.rs" 3 0 3 22] : Core_Option_Option_Type.t_option int32 = [@vc:do_not_keep_trace] [@vc:sp] - let _1 = [#"../promoted_constants.rs" 6 23 6 31] Core_Option_Option_Type.C_Some (43 : int32) in let _0 = [#"../promoted_constants.rs" 6 22 6 31] _1 in _0 + let _1 = [#"../promoted_constants.rs" 6 23 6 31] Core_Option_Option_Type.C_Some ([#"../promoted_constants.rs" 6 28 6 30] (43 : int32)) in let _0 = [#"../promoted_constants.rs" 6 22 6 31] _1 in _0 let constant promoted1 [#"../promoted_constants.rs" 3 0 3 22] : Core_Option_Option_Type.t_option int32 = [@vc:do_not_keep_trace] [@vc:sp] - let _1 = [#"../promoted_constants.rs" 6 12 6 20] Core_Option_Option_Type.C_Some (42 : int32) in let _0 = [#"../promoted_constants.rs" 6 11 6 20] _1 in _0 + let _1 = [#"../promoted_constants.rs" 6 12 6 20] Core_Option_Option_Type.C_Some ([#"../promoted_constants.rs" 6 17 6 19] (42 : int32)) in let _0 = [#"../promoted_constants.rs" 6 11 6 20] _1 in _0 let rec cfg promoted_none [#"../promoted_constants.rs" 3 0 3 22] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -38,9 +38,9 @@ module PromotedConstants_PromotedNone goto BB0 } BB0 { - [#"../promoted_constants.rs" 4 14 4 21] _ix <- ([#"../promoted_constants.rs" 4 14 4 21] Core_Option_Option_Type.C_Some (0 : int32)); - [#"../promoted_constants.rs" 6 11 6 20] _11 <- ([#"../promoted_constants.rs" 6 11 6 20] promoted1); - [#"../promoted_constants.rs" 6 22 6 31] _10 <- ([#"../promoted_constants.rs" 6 22 6 31] promoted0); + [#"../promoted_constants.rs" 4 14 4 21] _ix <- ([#"../promoted_constants.rs" 4 14 4 21] Core_Option_Option_Type.C_Some ([#"../promoted_constants.rs" 4 19 4 20] (0 : int32))); + [#"../promoted_constants.rs" 6 11 6 20] _11 <- ([#"../promoted_constants.rs" 6 11 6 20] [#"../promoted_constants.rs" 6 11 6 20] promoted1); + [#"../promoted_constants.rs" 6 22 6 31] _10 <- ([#"../promoted_constants.rs" 6 22 6 31] [#"../promoted_constants.rs" 6 22 6 31] promoted0); [#"../promoted_constants.rs" 6 10 6 32] _2 <- ([#"../promoted_constants.rs" 6 10 6 32] (_11, _10)); switch (let (a, _) = _2 in a) | Core_Option_Option_Type.C_None -> goto BB1 
@@ -76,7 +76,7 @@ module PromotedConstants_PromotedInt use prelude.Int32 use prelude.Int let constant promoted0 [#"../promoted_constants.rs" 12 0 12 21] : int32 = [@vc:do_not_keep_trace] [@vc:sp] - let _2 = [#"../promoted_constants.rs" 13 15 13 20] (1 : int32) + (5 : int32) in let _1 = [#"../promoted_constants.rs" 13 14 13 26] _2 + (10 : int32) in let _2 = any int32 in let _0 = [#"../promoted_constants.rs" 13 13 13 26] _1 in _0 + let _2 = [#"../promoted_constants.rs" 13 15 13 20] ([#"../promoted_constants.rs" 13 15 13 16] (1 : int32)) + ([#"../promoted_constants.rs" 13 19 13 20] (5 : int32)) in let _1 = [#"../promoted_constants.rs" 13 14 13 26] _2 + ([#"../promoted_constants.rs" 13 23 13 25] (10 : int32)) in let _2 = any int32 in let _0 = [#"../promoted_constants.rs" 13 13 13 26] _1 in _0 let rec cfg promoted_int [#"../promoted_constants.rs" 12 0 12 21] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] @@ -88,9 +88,9 @@ module PromotedConstants_PromotedInt goto BB0 } BB0 { - [#"../promoted_constants.rs" 13 13 13 26] _9 <- ([#"../promoted_constants.rs" 13 13 13 26] promoted0); + [#"../promoted_constants.rs" 13 13 13 26] _9 <- ([#"../promoted_constants.rs" 13 13 13 26] [#"../promoted_constants.rs" 13 13 13 26] promoted0); [#"../promoted_constants.rs" 13 13 13 26] ix <- ([#"../promoted_constants.rs" 13 13 13 26] _9); - [#"../promoted_constants.rs" 15 7 15 16] _4 <- ([#"../promoted_constants.rs" 15 7 15 16] ix <> (16 : int32)); + [#"../promoted_constants.rs" 15 7 15 16] _4 <- ([#"../promoted_constants.rs" 15 7 15 16] ix <> ([#"../promoted_constants.rs" 15 14 15 16] (16 : int32))); switch (_4) | False -> goto BB2 | True -> goto BB1 
@@ -101,7 +101,7 @@ module PromotedConstants_PromotedInt absurd } BB2 { - [#"../promoted_constants.rs" 17 5 17 5] _0 <- ([#"../promoted_constants.rs" 17 5 17 5] ()); + [#"../promoted_constants.rs" 17 5 17 5] _0 <- ([#"../promoted_constants.rs" 17 5 17 5] [#"../promoted_constants.rs" 17 5 17 5] ()); return _0 } @@ -164,7 +164,7 @@ module PromotedConstants_String goto BB0 } BB0 { - [#"../promoted_constants.rs" 20 26 20 28] _0 <- ([#"../promoted_constants.rs" 20 26 20 28] ()); + [#"../promoted_constants.rs" 20 26 20 28] _0 <- ([#"../promoted_constants.rs" 20 26 20 28] [#"../promoted_constants.rs" 20 26 20 28] ()); goto BB1 } BB1 { @@ -182,8 +182,8 @@ module PromotedConstants_Str goto BB0 } BB0 { - [#"../promoted_constants.rs" 23 13 23 115] _s <- ([#"../promoted_constants.rs" 23 13 23 115] "1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"); - [#"../promoted_constants.rs" 22 13 24 1] _0 <- ([#"../promoted_constants.rs" 22 13 24 1] ()); + [#"../promoted_constants.rs" 23 13 23 115] _s <- ([#"../promoted_constants.rs" 23 13 23 115] [#"../promoted_constants.rs" 23 13 23 115] "1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"); + [#"../promoted_constants.rs" 22 13 24 1] _0 <- ([#"../promoted_constants.rs" 22 13 24 1] [#"../promoted_constants.rs" 22 13 24 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/lang/unary_op.mlcfg b/creusot/tests/should_succeed/lang/unary_op.mlcfg index 658fdcaece..f38c881546 100644 --- a/creusot/tests/should_succeed/lang/unary_op.mlcfg +++ b/creusot/tests/should_succeed/lang/unary_op.mlcfg @@ -7,7 +7,7 @@ module UnaryOp_F goto BB0 } BB0 { - switch (false) + switch ([#"../unary_op.rs" 5 13 5 18] false) | False -> goto BB2 | True -> goto BB1 end 
@@ -17,7 +17,7 @@ module UnaryOp_F absurd } BB2 { - [#"../unary_op.rs" 4 11 6 1] _0 <- ([#"../unary_op.rs" 4 11 6 1] ()); + [#"../unary_op.rs" 4 11 6 1] _0 <- ([#"../unary_op.rs" 4 11 6 1] [#"../unary_op.rs" 4 11 6 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/lang/unions.mlcfg b/creusot/tests/should_succeed/lang/unions.mlcfg index 55e9d71ede..8dbbd1ad18 100644 --- a/creusot/tests/should_succeed/lang/unions.mlcfg +++ b/creusot/tests/should_succeed/lang/unions.mlcfg @@ -17,7 +17,7 @@ module Unions_X goto BB0 } BB0 { - [#"../unions.rs" 10 24 10 26] _0 <- ([#"../unions.rs" 10 24 10 26] ()); + [#"../unions.rs" 10 24 10 26] _0 <- ([#"../unions.rs" 10 24 10 26] [#"../unions.rs" 10 24 10 26] ()); return _0 } diff --git a/creusot/tests/should_succeed/lang/while_let.mlcfg b/creusot/tests/should_succeed/lang/while_let.mlcfg index fd16a49e54..2c1180b938 100644 --- a/creusot/tests/should_succeed/lang/while_let.mlcfg +++ b/creusot/tests/should_succeed/lang/while_let.mlcfg @@ -25,7 +25,7 @@ module WhileLet_F goto BB0 } BB0 { - [#"../while_let.rs" 5 16 5 24] a <- ([#"../while_let.rs" 5 16 5 24] Core_Option_Option_Type.C_Some (10 : int32)); + [#"../while_let.rs" 5 16 5 24] a <- ([#"../while_let.rs" 5 16 5 24] Core_Option_Option_Type.C_Some ([#"../while_let.rs" 5 21 5 23] (10 : int32))); [#"../while_let.rs" 6 12 6 18] b <- Borrow.borrow_mut a; [#"../while_let.rs" 6 12 6 18] a <- ^ b; goto BB1 @@ -51,7 +51,7 @@ module WhileLet_F } BB5 { assume { resolve0 b }; - [#"../while_let.rs" 9 4 11 5] _0 <- ([#"../while_let.rs" 9 4 11 5] ()); + [#"../while_let.rs" 9 4 11 5] _0 <- ([#"../while_let.rs" 9 4 11 5] [#"../while_let.rs" 9 4 11 5] ()); return _0 } diff --git a/creusot/tests/should_succeed/list_index_mut.mlcfg b/creusot/tests/should_succeed/list_index_mut.mlcfg index 63d4c7f073..e4303a0404 100644 --- a/creusot/tests/should_succeed/list_index_mut.mlcfg +++ b/creusot/tests/should_succeed/list_index_mut.mlcfg 
@@ -71,7 +71,8 @@ module ListIndexMut_IndexMut val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (ListIndexMut_List_Type.t_list))) : Core_Option_Option_Type.t_option (borrowed (ListIndexMut_List_Type.t_list)) requires {inv0 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (ListIndexMut_List_Type.t_list) . inv1 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv2 result } @@ -129,7 +130,8 @@ module ListIndexMut_IndexMut ensures { [#"../list_index_mut.rs" 33 10 33 37] Core_Option_Option_Type.C_Some ( * result) = get0 ( * l) (UIntSize.to_int ix) } ensures { [#"../list_index_mut.rs" 34 10 34 40] Core_Option_Option_Type.C_Some ( ^ result) = get0 ( ^ l) (UIntSize.to_int ix) } ensures { [#"../list_index_mut.rs" 35 10 35 34] len0 ( ^ l) = len0 ( * l) } - ensures { [#"../list_index_mut.rs" 36 0 36 87] forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix -> get0 ( * l) i = get0 ( ^ l) i } + ensures { [#"../list_index_mut.rs" 36 0 36 87] forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix + -> get0 ( * l) i = get0 ( ^ l) i } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : borrowed uint32; 
@@ -162,12 +164,16 @@ module ListIndexMut_IndexMut invariant { [#"../list_index_mut.rs" 40 16 40 45] (0 : usize) <= ix /\ UIntSize.to_int ix < len0 ( * l) }; invariant { [#"../list_index_mut.rs" 41 16 41 52] get0 ( * l) (UIntSize.to_int ix) = get0 ( * Snapshot.inner old_l) (shallow_model1 old_ix) }; invariant { [#"../list_index_mut.rs" 42 16 42 55] get0 ( ^ l) (UIntSize.to_int ix) = get0 ( ^ Snapshot.inner old_l) (shallow_model1 old_ix) }; - invariant { [#"../list_index_mut.rs" 40 4 40 47] len0 ( ^ l) = len0 ( * l) -> len0 ( ^ Snapshot.inner old_l) = len0 ( * Snapshot.inner old_l) }; - invariant { [#"../list_index_mut.rs" 40 4 40 47] (forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix -> get0 ( ^ l) i = get0 ( * l) i) -> (forall i : int . 0 <= i /\ i < len0 ( * Snapshot.inner old_l) /\ i <> shallow_model1 old_ix -> get0 ( ^ Snapshot.inner old_l) i = get0 ( * Snapshot.inner old_l) i) }; + invariant { [#"../list_index_mut.rs" 40 4 40 47] len0 ( ^ l) = len0 ( * l) + -> len0 ( ^ Snapshot.inner old_l) = len0 ( * Snapshot.inner old_l) }; + invariant { [#"../list_index_mut.rs" 40 4 40 47] (forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix + -> get0 ( ^ l) i = get0 ( * l) i) + -> (forall i : int . 0 <= i /\ i < len0 ( * Snapshot.inner old_l) /\ i <> shallow_model1 old_ix + -> get0 ( ^ Snapshot.inner old_l) i = get0 ( * Snapshot.inner old_l) i) }; goto BB4 } BB4 { - [#"../list_index_mut.rs" 49 10 49 16] _20 <- ([#"../list_index_mut.rs" 49 10 49 16] ix > (0 : usize)); + [#"../list_index_mut.rs" 49 10 49 16] _20 <- ([#"../list_index_mut.rs" 49 10 49 16] ix > ([#"../list_index_mut.rs" 49 15 49 16] (0 : usize))); switch (_20) | False -> goto BB8 | True -> goto BB5 
@@ -192,7 +198,7 @@ module ListIndexMut_IndexMut [#"../list_index_mut.rs" 50 8 50 33] l <- ([#"../list_index_mut.rs" 50 8 50 33] _22); _22 <- any borrowed (ListIndexMut_List_Type.t_list); assume { resolve2 _23 }; - [#"../list_index_mut.rs" 52 8 52 15] ix <- ([#"../list_index_mut.rs" 52 8 52 15] ix - (1 : usize)); + [#"../list_index_mut.rs" 52 8 52 15] ix <- ([#"../list_index_mut.rs" 52 8 52 15] ix - ([#"../list_index_mut.rs" 52 14 52 15] (1 : usize))); goto BB3 } BB8 { @@ -254,13 +260,15 @@ module ListIndexMut_Write ensures { [#"../list_index_mut.rs" 33 10 33 37] Core_Option_Option_Type.C_Some ( * result) = get0 ( * l) (UIntSize.to_int ix) } ensures { [#"../list_index_mut.rs" 34 10 34 40] Core_Option_Option_Type.C_Some ( ^ result) = get0 ( ^ l) (UIntSize.to_int ix) } ensures { [#"../list_index_mut.rs" 35 10 35 34] len0 ( ^ l) = len0 ( * l) } - ensures { [#"../list_index_mut.rs" 36 0 36 87] forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix -> get0 ( * l) i = get0 ( ^ l) i } + ensures { [#"../list_index_mut.rs" 36 0 36 87] forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix + -> get0 ( * l) i = get0 ( ^ l) i } let rec cfg write [#"../list_index_mut.rs" 63 0 63 45] [@cfg:stackify] [@cfg:subregion_analysis] (l : borrowed (ListIndexMut_List_Type.t_list)) (ix : usize) (v : uint32) : () requires {[#"../list_index_mut.rs" 59 11 59 24] UIntSize.to_int ix < len0 ( * l)} ensures { [#"../list_index_mut.rs" 60 10 60 34] Core_Option_Option_Type.C_Some v = get0 ( ^ l) (UIntSize.to_int ix) } ensures { [#"../list_index_mut.rs" 61 10 61 31] len0 ( ^ l) = len0 ( * l) } - ensures { [#"../list_index_mut.rs" 62 0 62 87] forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix -> get0 ( * l) i = get0 ( ^ l) i } + ensures { [#"../list_index_mut.rs" 62 0 62 87] forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix + -> get0 ( * l) i = get0 ( ^ l) i } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); 
@@ -283,7 +291,7 @@ module ListIndexMut_Write [#"../list_index_mut.rs" 64 4 64 25] _9 <- { _9 with current = ([#"../list_index_mut.rs" 64 4 64 25] v) ; }; assume { resolve0 _9 }; assume { resolve1 l }; - [#"../list_index_mut.rs" 63 46 65 1] _0 <- ([#"../list_index_mut.rs" 63 46 65 1] ()); + [#"../list_index_mut.rs" 63 46 65 1] _0 <- ([#"../list_index_mut.rs" 63 46 65 1] [#"../list_index_mut.rs" 63 46 65 1] ()); return _0 } @@ -327,7 +335,8 @@ module ListIndexMut_F requires {[#"../list_index_mut.rs" 59 11 59 24] UIntSize.to_int ix < len0 ( * l)} ensures { [#"../list_index_mut.rs" 60 10 60 34] Core_Option_Option_Type.C_Some v = get0 ( ^ l) (UIntSize.to_int ix) } ensures { [#"../list_index_mut.rs" 61 10 61 31] len0 ( ^ l) = len0 ( * l) } - ensures { [#"../list_index_mut.rs" 62 0 62 87] forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix -> get0 ( * l) i = get0 ( ^ l) i } + ensures { [#"../list_index_mut.rs" 62 0 62 87] forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix + -> get0 ( * l) i = get0 ( ^ l) i } let rec cfg f [#"../list_index_mut.rs" 67 0 67 10] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] @@ -344,7 +353,7 @@ module ListIndexMut_F } BB0 { [#"../list_index_mut.rs" 68 47 68 51] _5 <- ([#"../list_index_mut.rs" 68 47 68 51] Core_Option_Option_Type.C_None); - [#"../list_index_mut.rs" 68 38 68 52] _4 <- ([#"../list_index_mut.rs" 68 38 68 52] ListIndexMut_List_Type.C_List (10 : uint32) _5); + [#"../list_index_mut.rs" 68 38 68 52] _4 <- ([#"../list_index_mut.rs" 68 38 68 52] ListIndexMut_List_Type.C_List ([#"../list_index_mut.rs" 68 43 68 45] (10 : uint32)) _5); _5 <- any Core_Option_Option_Type.t_option (ListIndexMut_List_Type.t_list); goto BB1 } 
@@ -357,7 +366,7 @@ module ListIndexMut_F goto BB3 } BB3 { - [#"../list_index_mut.rs" 68 16 68 55] l <- ([#"../list_index_mut.rs" 68 16 68 55] ListIndexMut_List_Type.C_List (1 : uint32) _2); + [#"../list_index_mut.rs" 68 16 68 55] l <- ([#"../list_index_mut.rs" 68 16 68 55] ListIndexMut_List_Type.C_List ([#"../list_index_mut.rs" 68 21 68 22] (1 : uint32)) _2); _2 <- any Core_Option_Option_Type.t_option (ListIndexMut_List_Type.t_list); goto BB4 } @@ -366,13 +375,13 @@ module ListIndexMut_F [#"../list_index_mut.rs" 69 10 69 16] l <- ^ _8; [#"../list_index_mut.rs" 69 10 69 16] _7 <- Borrow.borrow_final ( * _8) (Borrow.get_id _8); [#"../list_index_mut.rs" 69 10 69 16] _8 <- { _8 with current = ( ^ _7) ; }; - [#"../list_index_mut.rs" 69 4 69 23] _6 <- ([#"../list_index_mut.rs" 69 4 69 23] write0 _7 (0 : usize) (2 : uint32)); + [#"../list_index_mut.rs" 69 4 69 23] _6 <- ([#"../list_index_mut.rs" 69 4 69 23] write0 _7 ([#"../list_index_mut.rs" 69 18 69 19] (0 : usize)) ([#"../list_index_mut.rs" 69 21 69 22] (2 : uint32))); _7 <- any borrowed (ListIndexMut_List_Type.t_list); goto BB5 } BB5 { assume { resolve0 _8 }; - [#"../list_index_mut.rs" 67 11 72 1] _0 <- ([#"../list_index_mut.rs" 67 11 72 1] ()); + [#"../list_index_mut.rs" 67 11 72 1] _0 <- ([#"../list_index_mut.rs" 67 11 72 1] [#"../list_index_mut.rs" 67 11 72 1] ()); goto BB6 } BB6 { diff --git a/creusot/tests/should_succeed/list_reversal_lasso.mlcfg b/creusot/tests/should_succeed/list_reversal_lasso.mlcfg index 2ad8c0e9c0..d5dac98cd6 100644 --- a/creusot/tests/should_succeed/list_reversal_lasso.mlcfg +++ b/creusot/tests/should_succeed/list_reversal_lasso.mlcfg 
@@ -81,7 +81,8 @@ module ListReversalLasso_Impl1_Index requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv4 (shallow_model1 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -218,7 +219,8 @@ module ListReversalLasso_Impl2_IndexMut requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv4 (shallow_model0 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool @@ -291,7 +293,8 @@ module ListReversalLasso_Impl2_IndexMut use prelude.Slice predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq usize) (fin : Seq.seq usize) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq usize) (fin : Seq.seq usize) : bool ensures { result = resolve_elswhere0 self old' fin } 
@@ -327,7 +330,8 @@ module ListReversalLasso_Impl2_IndexMut ensures { [#"../list_reversal_lasso.rs" 37 14 37 47] * result = index_logic0 ( * self) i } ensures { [#"../list_reversal_lasso.rs" 38 14 38 47] ^ result = index_logic0 ( ^ self) i } ensures { [#"../list_reversal_lasso.rs" 39 14 39 47] Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 ( * self))) = Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 ( ^ self))) } - ensures { [#"../list_reversal_lasso.rs" 40 4 40 113] forall j : usize . nonnull_ptr0 ( * self) j /\ i <> j -> index_logic0 ( ^ self) j = index_logic0 ( * self) j } + ensures { [#"../list_reversal_lasso.rs" 40 4 40 113] forall j : usize . nonnull_ptr0 ( * self) j /\ i <> j + -> index_logic0 ( ^ self) j = index_logic0 ( * self) j } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : borrowed usize; 
@@ -391,7 +395,8 @@ module ListReversalLasso_Impl4_ListReversalSafe requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -432,7 +437,8 @@ module ListReversalLasso_Impl4_ListReversalSafe ensures { [#"../list_reversal_lasso.rs" 37 14 37 47] * result = index_logic0 ( * self) i } ensures { [#"../list_reversal_lasso.rs" 38 14 38 47] ^ result = index_logic0 ( ^ self) i } ensures { [#"../list_reversal_lasso.rs" 39 14 39 47] Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 ( * self))) = Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 ( ^ self))) } - ensures { [#"../list_reversal_lasso.rs" 40 4 40 113] forall j : usize . nonnull_ptr0 ( * self) j /\ i <> j -> index_logic0 ( ^ self) j = index_logic0 ( * self) j } + ensures { [#"../list_reversal_lasso.rs" 40 4 40 113] forall j : usize . nonnull_ptr0 ( * self) j /\ i <> j + -> index_logic0 ( ^ self) j = index_logic0 ( * self) j } val index0 [#"../list_reversal_lasso.rs" 30 4 30 35] (self : ListReversalLasso_Memory_Type.t_memory) (i : usize) : usize requires {[#"../list_reversal_lasso.rs" 28 15 28 34] nonnull_ptr0 self i} @@ -444,11 +450,12 @@ module ListReversalLasso_Impl4_ListReversalSafe ensures { result = resolve0 self } let constant null0 [#"../list_reversal_lasso.rs" 13 0 13 15] : usize = [@vc:do_not_keep_trace] [@vc:sp] - (18446744073709551615 : usize) + [#"../list_reversal_lasso.rs" 13 0 13 15] (18446744073709551615 : usize) predicate mem_is_well_formed0 [#"../list_reversal_lasso.rs" 55 4 55 43] (self : ListReversalLasso_Memory_Type.t_memory) = - [#"../list_reversal_lasso.rs" 56 8 58 9] forall i : usize . nonnull_ptr0 self i -> index_logic0 self i = null0 \/ nonnull_ptr0 self (index_logic0 self i) + [#"../list_reversal_lasso.rs" 56 8 58 9] forall i : usize . nonnull_ptr0 self i + -> index_logic0 self i = null0 \/ nonnull_ptr0 self (index_logic0 self i) val mem_is_well_formed0 [#"../list_reversal_lasso.rs" 55 4 55 43] (self : ListReversalLasso_Memory_Type.t_memory) : bool ensures { result = mem_is_well_formed0 self } 
@@ -470,7 +477,7 @@ module ListReversalLasso_Impl4_ListReversalSafe goto BB0 } BB0 { - [#"../list_reversal_lasso.rs" 66 20 66 24] r <- ([#"../list_reversal_lasso.rs" 66 20 66 24] (18446744073709551615 : usize)); + [#"../list_reversal_lasso.rs" 66 20 66 24] r <- ([#"../list_reversal_lasso.rs" 66 20 66 24] [#"../list_reversal_lasso.rs" 66 20 66 24] (18446744073709551615 : usize)); goto BB1 } BB1 { @@ -480,7 +487,7 @@ module ListReversalLasso_Impl4_ListReversalSafe goto BB2 } BB2 { - [#"../list_reversal_lasso.rs" 71 14 71 23] _12 <- ([#"../list_reversal_lasso.rs" 71 14 71 23] l <> (18446744073709551615 : usize)); + [#"../list_reversal_lasso.rs" 71 14 71 23] _12 <- ([#"../list_reversal_lasso.rs" 71 14 71 23] l <> ([#"../list_reversal_lasso.rs" 71 19 71 23] (18446744073709551615 : usize))); switch (_12) | False -> goto BB6 | True -> goto BB3 
@@ -541,7 +548,8 @@ module ListReversalLasso_Impl4_ListReversalList requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv3 (shallow_model0 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -599,16 +607,18 @@ module ListReversalLasso_Impl4_ListReversalList last else Seq.get s l - ) /\ (forall i : int . l <= i /\ i < h -> nonnull_ptr0 self (Seq.get s i) /\ index_logic1 self (Seq.get s i) = (if i = h - 1 then + ) /\ (forall i : int . l <= i /\ i < h + -> nonnull_ptr0 self (Seq.get s i) /\ index_logic1 self (Seq.get s i) = (if i = h - 1 then last else Seq.get s (i + 1) - )) /\ (forall j : int . forall i : int . l <= i /\ i < h /\ l <= j /\ j < h /\ i <> j -> Seq.get s i <> Seq.get s j) + )) /\ (forall j : int . forall i : int . l <= i /\ i < h /\ l <= j /\ j < h /\ i <> j + -> Seq.get s i <> Seq.get s j) val list_seg0 [#"../list_reversal_lasso.rs" 81 4 81 81] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s : Seq.seq usize) (last : usize) (l : int) (h : int) : bool ensures { result = list_seg0 self first s last l h } let constant null0 [#"../list_reversal_lasso.rs" 13 0 13 15] : usize = [@vc:do_not_keep_trace] [@vc:sp] - (18446744073709551615 : usize) + [#"../list_reversal_lasso.rs" 13 0 13 15] (18446744073709551615 : usize) predicate list0 [#"../list_reversal_lasso.rs" 91 4 91 54] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s : Seq.seq usize) = 
@@ -635,7 +645,8 @@ module ListReversalLasso_Impl4_ListReversalList ensures { [#"../list_reversal_lasso.rs" 37 14 37 47] * result = index_logic1 ( * self) i } ensures { [#"../list_reversal_lasso.rs" 38 14 38 47] ^ result = index_logic1 ( ^ self) i } ensures { [#"../list_reversal_lasso.rs" 39 14 39 47] Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 ( * self))) = Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 ( ^ self))) } - ensures { [#"../list_reversal_lasso.rs" 40 4 40 113] forall j : usize . nonnull_ptr0 ( * self) j /\ i <> j -> index_logic1 ( ^ self) j = index_logic1 ( * self) j } + ensures { [#"../list_reversal_lasso.rs" 40 4 40 113] forall j : usize . nonnull_ptr0 ( * self) j /\ i <> j + -> index_logic1 ( ^ self) j = index_logic1 ( * self) j } predicate resolve0 (self : borrowed (ListReversalLasso_Memory_Type.t_memory)) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self @@ -671,7 +682,7 @@ module ListReversalLasso_Impl4_ListReversalList goto BB0 } BB0 { - [#"../list_reversal_lasso.rs" 100 20 100 24] r <- ([#"../list_reversal_lasso.rs" 100 20 100 24] (18446744073709551615 : usize)); + [#"../list_reversal_lasso.rs" 100 20 100 24] r <- ([#"../list_reversal_lasso.rs" 100 20 100 24] [#"../list_reversal_lasso.rs" 100 20 100 24] (18446744073709551615 : usize)); [#"../list_reversal_lasso.rs" 101 20 101 35] n <- ([#"../list_reversal_lasso.rs" 101 20 101 35] Snapshot.new 0); goto BB1 } @@ -685,7 +696,7 @@ module ListReversalLasso_Impl4_ListReversalList goto BB3 } BB3 { - [#"../list_reversal_lasso.rs" 107 14 107 23] _15 <- ([#"../list_reversal_lasso.rs" 107 14 107 23] l <> (18446744073709551615 : usize)); + [#"../list_reversal_lasso.rs" 107 14 107 23] _15 <- ([#"../list_reversal_lasso.rs" 107 14 107 23] l <> ([#"../list_reversal_lasso.rs" 107 19 107 23] (18446744073709551615 : usize))); switch (_15) | False -> goto BB9 | True -> goto BB4 
@@ -767,7 +778,8 @@ module ListReversalLasso_Impl4_ListReversalLoop requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv3 (shallow_model0 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -825,11 +837,13 @@ module ListReversalLasso_Impl4_ListReversalLoop last else Seq.get s l - ) /\ (forall i : int . l <= i /\ i < h -> nonnull_ptr0 self (Seq.get s i) /\ index_logic1 self (Seq.get s i) = (if i = h - 1 then + ) /\ (forall i : int . l <= i /\ i < h + -> nonnull_ptr0 self (Seq.get s i) /\ index_logic1 self (Seq.get s i) = (if i = h - 1 then last else Seq.get s (i + 1) - )) /\ (forall j : int . forall i : int . l <= i /\ i < h /\ l <= j /\ j < h /\ i <> j -> Seq.get s i <> Seq.get s j) + )) /\ (forall j : int . forall i : int . l <= i /\ i < h /\ l <= j /\ j < h /\ i <> j + -> Seq.get s i <> Seq.get s j) val list_seg0 [#"../list_reversal_lasso.rs" 81 4 81 81] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s : Seq.seq usize) (last : usize) (l : int) (h : int) : bool ensures { result = list_seg0 self first s last l h } @@ -859,7 +873,8 @@ module ListReversalLasso_Impl4_ListReversalLoop ensures { [#"../list_reversal_lasso.rs" 37 14 37 47] * result = index_logic1 ( * self) i } ensures { [#"../list_reversal_lasso.rs" 38 14 38 47] ^ result = index_logic1 ( ^ self) i } ensures { [#"../list_reversal_lasso.rs" 39 14 39 47] Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 ( * self))) = Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 ( ^ self))) } - ensures { [#"../list_reversal_lasso.rs" 40 4 40 113] forall j : usize . nonnull_ptr0 ( * self) j /\ i <> j -> index_logic1 ( ^ self) j = index_logic1 ( * self) j } + ensures { [#"../list_reversal_lasso.rs" 40 4 40 113] forall j : usize . nonnull_ptr0 ( * self) j /\ i <> j + -> index_logic1 ( ^ self) j = index_logic1 ( * self) j } use seq.Seq use seq_ext.SeqExt 
@@ -877,7 +892,7 @@ module ListReversalLasso_Impl4_ListReversalLoop ensures { result = index_logic0 self ix } let constant null0 [#"../list_reversal_lasso.rs" 13 0 13 15] : usize = [@vc:do_not_keep_trace] [@vc:sp] - (18446744073709551615 : usize) + [#"../list_reversal_lasso.rs" 13 0 13 15] (18446744073709551615 : usize) use prelude.Snapshot use prelude.Snapshot let rec cfg list_reversal_loop [#"../list_reversal_lasso.rs" 125 4 125 82] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (ListReversalLasso_Memory_Type.t_memory)) (l : usize) (s : Snapshot.snap_ty (Seq.seq usize)) : usize @@ -906,7 +921,7 @@ module ListReversalLasso_Impl4_ListReversalLoop goto BB0 } BB0 { - [#"../list_reversal_lasso.rs" 126 20 126 24] r <- ([#"../list_reversal_lasso.rs" 126 20 126 24] (18446744073709551615 : usize)); + [#"../list_reversal_lasso.rs" 126 20 126 24] r <- ([#"../list_reversal_lasso.rs" 126 20 126 24] [#"../list_reversal_lasso.rs" 126 20 126 24] (18446744073709551615 : usize)); [#"../list_reversal_lasso.rs" 127 20 127 35] n <- ([#"../list_reversal_lasso.rs" 127 20 127 35] Snapshot.new 0); goto BB1 } 
@@ -915,20 +930,24 @@ module ListReversalLasso_Impl4_ListReversalLoop } BB2 { invariant { [#"../list_reversal_lasso.rs" 129 20 129 48] 0 <= Snapshot.inner n /\ Snapshot.inner n <= Seq.length (Snapshot.inner s) + 1 }; - invariant { [#"../list_reversal_lasso.rs" 129 8 129 50] Snapshot.inner n = Seq.length (Snapshot.inner s) + 1 -> l = null0 /\ r = index_logic0 s 0 /\ nonnull_ptr0 ( * self) r /\ index_logic1 ( * self) r = index_logic0 s (Seq.length (Snapshot.inner s) - 1) /\ list_seg0 ( * self) (index_logic0 s (Seq.length (Snapshot.inner s) - 1)) (Reverse.reverse (Snapshot.inner s)) (index_logic0 s 0) 0 (Seq.length (Snapshot.inner s) - 1) }; - invariant { [#"../list_reversal_lasso.rs" 129 8 129 50] Snapshot.inner n <= Seq.length (Snapshot.inner s) -> list_seg0 ( * self) l (Snapshot.inner s) (index_logic0 s 0) (Snapshot.inner n) (Seq.length (Snapshot.inner s)) }; - invariant { [#"../list_reversal_lasso.rs" 129 8 129 50] Snapshot.inner n <= Seq.length (Snapshot.inner s) -> list_seg0 ( * self) r (Reverse.reverse (Snapshot.inner s)) null0 (Seq.length (Snapshot.inner s) - Snapshot.inner n) (Seq.length (Snapshot.inner s)) }; + invariant { [#"../list_reversal_lasso.rs" 129 8 129 50] Snapshot.inner n = Seq.length (Snapshot.inner s) + 1 + -> l = null0 /\ r = index_logic0 s 0 /\ nonnull_ptr0 ( * self) r /\ index_logic1 ( * self) r = index_logic0 s (Seq.length (Snapshot.inner s) - 1) /\ list_seg0 ( * self) (index_logic0 s (Seq.length (Snapshot.inner s) - 1)) (Reverse.reverse (Snapshot.inner s)) (index_logic0 s 0) 0 (Seq.length (Snapshot.inner s) - 1) }; + invariant { [#"../list_reversal_lasso.rs" 129 8 129 50] Snapshot.inner n <= Seq.length (Snapshot.inner s) + -> list_seg0 ( * self) l (Snapshot.inner s) (index_logic0 s 0) (Snapshot.inner n) (Seq.length (Snapshot.inner s)) }; + invariant { [#"../list_reversal_lasso.rs" 129 8 129 50] Snapshot.inner n <= Seq.length (Snapshot.inner s) + -> list_seg0 ( * self) r (Reverse.reverse (Snapshot.inner s)) null0 (Seq.length (Snapshot.inner 
s) - Snapshot.inner n) (Seq.length (Snapshot.inner s)) }; goto BB3 } BB3 { - [#"../list_reversal_lasso.rs" 137 14 137 23] _17 <- ([#"../list_reversal_lasso.rs" 137 14 137 23] l <> (18446744073709551615 : usize)); + [#"../list_reversal_lasso.rs" 137 14 137 23] _17 <- ([#"../list_reversal_lasso.rs" 137 14 137 23] l <> ([#"../list_reversal_lasso.rs" 137 19 137 23] (18446744073709551615 : usize))); switch (_17) | False -> goto BB9 | True -> goto BB4 end } BB4 { - assert { [@expl:assertion] [#"../list_reversal_lasso.rs" 138 12 138 77] Snapshot.inner n = Seq.length (Snapshot.inner s) -> l = Seq.get (Reverse.reverse (Snapshot.inner s)) (Seq.length (Snapshot.inner s) - 1) }; + assert { [@expl:assertion] [#"../list_reversal_lasso.rs" 138 12 138 77] Snapshot.inner n = Seq.length (Snapshot.inner s) + -> l = Seq.get (Reverse.reverse (Snapshot.inner s)) (Seq.length (Snapshot.inner s) - 1) }; [#"../list_reversal_lasso.rs" 139 39 139 43] _25 <- Borrow.borrow_mut ( * self); [#"../list_reversal_lasso.rs" 139 39 139 43] self <- { self with current = ( ^ _25) ; }; [#"../list_reversal_lasso.rs" 139 43 139 46] _24 <- ([#"../list_reversal_lasso.rs" 139 43 139 46] index_mut0 _25 l); @@ -970,7 +989,8 @@ module ListReversalLasso_Impl4_ListReversalLoop } BB9 { assume { resolve0 self }; - assert { [@expl:assertion] [#"../list_reversal_lasso.rs" 143 8 145 54] forall i : int . 0 <= i /\ i < Seq.length (Snapshot.inner s) -> Seq.get (Seq.(++) (Seq.singleton (index_logic0 s 0)) (Reverse.reverse (SeqExt.subsequence (Snapshot.inner s) 1 (Seq.length (Snapshot.inner s))))) i = (if i = 0 then + assert { [@expl:assertion] [#"../list_reversal_lasso.rs" 143 8 145 54] forall i : int . 0 <= i /\ i < Seq.length (Snapshot.inner s) + -> Seq.get (Seq.(++) (Seq.singleton (index_logic0 s 0)) (Reverse.reverse (SeqExt.subsequence (Snapshot.inner s) 1 (Seq.length (Snapshot.inner s))))) i = (if i = 0 then index_logic0 s 0 else Seq.get (Reverse.reverse (Snapshot.inner s)) (i - 1) 
@@ -1009,7 +1029,8 @@ module ListReversalLasso_Impl4_ListReversalLasso requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv3 (shallow_model0 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1067,11 +1088,13 @@ module ListReversalLasso_Impl4_ListReversalLasso last else Seq.get s l - ) /\ (forall i : int . l <= i /\ i < h -> nonnull_ptr0 self (Seq.get s i) /\ index_logic2 self (Seq.get s i) = (if i = h - 1 then + ) /\ (forall i : int . l <= i /\ i < h + -> nonnull_ptr0 self (Seq.get s i) /\ index_logic2 self (Seq.get s i) = (if i = h - 1 then last else Seq.get s (i + 1) - )) /\ (forall j : int . forall i : int . l <= i /\ i < h /\ l <= j /\ j < h /\ i <> j -> Seq.get s i <> Seq.get s j) + )) /\ (forall j : int . forall i : int . l <= i /\ i < h /\ l <= j /\ j < h /\ i <> j + -> Seq.get s i <> Seq.get s j) val list_seg0 [#"../list_reversal_lasso.rs" 81 4 81 81] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s : Seq.seq usize) (last : usize) (l : int) (h : int) : bool ensures { result = list_seg0 self first s last l h } @@ -1082,7 +1105,8 @@ module ListReversalLasso_Impl4_ListReversalLasso Seq.get s1 (Seq.length s1 - 1) else Seq.get s2 0 - in Seq.length s1 > 0 /\ (forall j : int . forall i : int . 0 <= i /\ i < Seq.length s1 /\ 0 <= j /\ j < Seq.length s2 -> Seq.get s1 i <> Seq.get s2 j) /\ list_seg0 self first s1 mid 0 (Seq.length s1) /\ list_seg0 self mid s2 (Seq.get s1 (Seq.length s1 - 1)) 0 (Seq.length s2) + in Seq.length s1 > 0 /\ (forall j : int . forall i : int . 0 <= i /\ i < Seq.length s1 /\ 0 <= j /\ j < Seq.length s2 + -> Seq.get s1 i <> Seq.get s2 j) /\ list_seg0 self first s1 mid 0 (Seq.length s1) /\ list_seg0 self mid s2 (Seq.get s1 (Seq.length s1 - 1)) 0 (Seq.length s2) val lasso0 [#"../list_reversal_lasso.rs" 151 4 151 70] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s1 : Seq.seq usize) (s2 : Seq.seq usize) : bool ensures { result = lasso0 self first s1 s2 } 
@@ -1105,7 +1129,8 @@ module ListReversalLasso_Impl4_ListReversalLasso ensures { [#"../list_reversal_lasso.rs" 37 14 37 47] * result = index_logic2 ( * self) i } ensures { [#"../list_reversal_lasso.rs" 38 14 38 47] ^ result = index_logic2 ( ^ self) i } ensures { [#"../list_reversal_lasso.rs" 39 14 39 47] Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 ( * self))) = Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 ( ^ self))) } - ensures { [#"../list_reversal_lasso.rs" 40 4 40 113] forall j : usize . nonnull_ptr0 ( * self) j /\ i <> j -> index_logic2 ( ^ self) j = index_logic2 ( * self) j } + ensures { [#"../list_reversal_lasso.rs" 40 4 40 113] forall j : usize . nonnull_ptr0 ( * self) j /\ i <> j + -> index_logic2 ( ^ self) j = index_logic2 ( * self) j } predicate resolve0 (self : borrowed (ListReversalLasso_Memory_Type.t_memory)) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self @@ -1113,7 +1138,7 @@ module ListReversalLasso_Impl4_ListReversalLasso ensures { result = resolve0 self } let constant null0 [#"../list_reversal_lasso.rs" 13 0 13 15] : usize = [@vc:do_not_keep_trace] [@vc:sp] - (18446744073709551615 : usize) + [#"../list_reversal_lasso.rs" 13 0 13 15] (18446744073709551615 : usize) use seq.Reverse use prelude.Snapshot function index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq usize)) (ix : int) : usize = @@ -1149,7 +1174,7 @@ module ListReversalLasso_Impl4_ListReversalLasso goto BB0 } BB0 { - [#"../list_reversal_lasso.rs" 169 20 169 24] r <- ([#"../list_reversal_lasso.rs" 169 20 169 24] (18446744073709551615 : usize)); + [#"../list_reversal_lasso.rs" 169 20 169 24] r <- ([#"../list_reversal_lasso.rs" 169 20 169 24] [#"../list_reversal_lasso.rs" 169 20 169 24] (18446744073709551615 : usize)); [#"../list_reversal_lasso.rs" 170 20 170 35] n <- ([#"../list_reversal_lasso.rs" 170 20 170 35] Snapshot.new 0); goto BB1 } 
@@ -1162,17 +1187,20 @@ module ListReversalLasso_Impl4_ListReversalLasso index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1) else index_logic0 s2 0 - in Snapshot.inner n <= Seq.length (Snapshot.inner s1) -> list_seg0 ( * self) l (Snapshot.inner s1) mid (Snapshot.inner n) (Seq.length (Snapshot.inner s1)) /\ list_seg0 ( * self) mid (Snapshot.inner s2) (index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1)) 0 (Seq.length (Snapshot.inner s2)) /\ list_seg0 ( * self) r (Reverse.reverse (Snapshot.inner s1)) null0 (Seq.length (Snapshot.inner s1) - Snapshot.inner n) (Seq.length (Snapshot.inner s1)) }; - invariant { [#"../list_reversal_lasso.rs" 172 8 172 60] Seq.length (Snapshot.inner s1) < Snapshot.inner n /\ Snapshot.inner n <= Seq.length (Snapshot.inner s1) + Seq.length (Snapshot.inner s2) -> list_seg0 ( * self) l (Snapshot.inner s2) (index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1)) (Snapshot.inner n - Seq.length (Snapshot.inner s1)) (Seq.length (Snapshot.inner s2)) /\ list_seg0 ( * self) r (Reverse.reverse (Snapshot.inner s2)) (index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1)) (Seq.length (Snapshot.inner s1) + Seq.length (Snapshot.inner s2) - Snapshot.inner n) (Seq.length (Snapshot.inner s2)) /\ list_seg0 ( * self) (index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1)) (Reverse.reverse (Snapshot.inner s1)) null0 0 (Seq.length (Snapshot.inner s1)) }; + in Snapshot.inner n <= Seq.length (Snapshot.inner s1) + -> list_seg0 ( * self) l (Snapshot.inner s1) mid (Snapshot.inner n) (Seq.length (Snapshot.inner s1)) /\ list_seg0 ( * self) mid (Snapshot.inner s2) (index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1)) 0 (Seq.length (Snapshot.inner s2)) /\ list_seg0 ( * self) r (Reverse.reverse (Snapshot.inner s1)) null0 (Seq.length (Snapshot.inner s1) - Snapshot.inner n) (Seq.length (Snapshot.inner s1)) }; + invariant { [#"../list_reversal_lasso.rs" 172 8 172 60] Seq.length (Snapshot.inner s1) < Snapshot.inner n /\ Snapshot.inner n <= Seq.length (Snapshot.inner s1) + 
Seq.length (Snapshot.inner s2) + -> list_seg0 ( * self) l (Snapshot.inner s2) (index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1)) (Snapshot.inner n - Seq.length (Snapshot.inner s1)) (Seq.length (Snapshot.inner s2)) /\ list_seg0 ( * self) r (Reverse.reverse (Snapshot.inner s2)) (index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1)) (Seq.length (Snapshot.inner s1) + Seq.length (Snapshot.inner s2) - Snapshot.inner n) (Seq.length (Snapshot.inner s2)) /\ list_seg0 ( * self) (index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1)) (Reverse.reverse (Snapshot.inner s1)) null0 0 (Seq.length (Snapshot.inner s1)) }; invariant { [#"../list_reversal_lasso.rs" 172 8 172 60] let mid = if Seq.length (Snapshot.inner s2) = 0 then index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1) else index_logic0 s2 (Seq.length (Snapshot.inner s2) - 1) - in Seq.length (Snapshot.inner s1) + Seq.length (Snapshot.inner s2) < Snapshot.inner n -> list_seg0 ( * self) l (Reverse.reverse (Snapshot.inner s1)) null0 (Snapshot.inner n - Seq.length (Snapshot.inner s1) - Seq.length (Snapshot.inner s2)) (Seq.length (Snapshot.inner s1)) /\ list_seg0 ( * self) r (Snapshot.inner s1) mid (2 * Seq.length (Snapshot.inner s1) + Seq.length (Snapshot.inner s2) - Snapshot.inner n) (Seq.length (Snapshot.inner s1)) /\ list_seg0 ( * self) mid (Reverse.reverse (Snapshot.inner s2)) (index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1)) 0 (Seq.length (Snapshot.inner s2)) }; + in Seq.length (Snapshot.inner s1) + Seq.length (Snapshot.inner s2) < Snapshot.inner n + -> list_seg0 ( * self) l (Reverse.reverse (Snapshot.inner s1)) null0 (Snapshot.inner n - Seq.length (Snapshot.inner s1) - Seq.length (Snapshot.inner s2)) (Seq.length (Snapshot.inner s1)) /\ list_seg0 ( * self) r (Snapshot.inner s1) mid (2 * Seq.length (Snapshot.inner s1) + Seq.length (Snapshot.inner s2) - Snapshot.inner n) (Seq.length (Snapshot.inner s1)) /\ list_seg0 ( * self) mid (Reverse.reverse (Snapshot.inner s2)) (index_logic0 s1 (Seq.length (Snapshot.inner s1) 
- 1)) 0 (Seq.length (Snapshot.inner s2)) }; goto BB3 } BB3 { - [#"../list_reversal_lasso.rs" 190 14 190 23] _17 <- ([#"../list_reversal_lasso.rs" 190 14 190 23] l <> (18446744073709551615 : usize)); + [#"../list_reversal_lasso.rs" 190 14 190 23] _17 <- ([#"../list_reversal_lasso.rs" 190 14 190 23] l <> ([#"../list_reversal_lasso.rs" 190 19 190 23] (18446744073709551615 : usize))); switch (_17) | False -> goto BB9 | True -> goto BB4 
@@ -1245,21 +1273,27 @@ module ListReversalLasso_Impl4_FindPtrInSeq_Impl constant p : int function find_ptr_in_seq [#"../list_reversal_lasso.rs" 204 4 204 66] (s : Seq.seq usize) (i : int) (p : int) : Core_Option_Option_Type.t_option int - goal vc_find_ptr_in_seq : ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s) -> match i = Seq.length s with + goal vc_find_ptr_in_seq : ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s) + -> match i = Seq.length s with | True -> [#"../list_reversal_lasso.rs" 199 14 202 5] match Core_Option_Option_Type.C_None with - | Core_Option_Option_Type.C_None -> forall j : int . i <= j /\ j < Seq.length s -> UIntSize.to_int (Seq.get s j) <> p + | Core_Option_Option_Type.C_None -> forall j : int . i <= j /\ j < Seq.length s + -> UIntSize.to_int (Seq.get s j) <> p | Core_Option_Option_Type.C_Some j -> i <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = p end | False -> match UIntSize.to_int (Seq.get s i) = p with | True -> [#"../list_reversal_lasso.rs" 199 14 202 5] match Core_Option_Option_Type.C_Some i with - | Core_Option_Option_Type.C_None -> forall j : int . i <= j /\ j < Seq.length s -> UIntSize.to_int (Seq.get s j) <> p + | Core_Option_Option_Type.C_None -> forall j : int . i <= j /\ j < Seq.length s + -> UIntSize.to_int (Seq.get s j) <> p | Core_Option_Option_Type.C_Some j -> i <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = p end | False -> (([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i + 1 /\ i + 1 <= Seq.length s) /\ 0 <= ([#"../list_reversal_lasso.rs" 203 14 203 25] Seq.length s - i) /\ ([#"../list_reversal_lasso.rs" 203 14 203 25] Seq.length s - (i + 1)) < ([#"../list_reversal_lasso.rs" 203 14 203 25] Seq.length s - i)) /\ (([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq s (i + 1) p with - | Core_Option_Option_Type.C_None -> forall j : int . 
i + 1 <= j /\ j < Seq.length s -> UIntSize.to_int (Seq.get s j) <> p + | Core_Option_Option_Type.C_None -> forall j : int . i + 1 <= j /\ j < Seq.length s + -> UIntSize.to_int (Seq.get s j) <> p | Core_Option_Option_Type.C_Some j -> i + 1 <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = p - end) -> ([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq s (i + 1) p with - | Core_Option_Option_Type.C_None -> forall j : int . i <= j /\ j < Seq.length s -> UIntSize.to_int (Seq.get s j) <> p + end) + -> ([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq s (i + 1) p with + | Core_Option_Option_Type.C_None -> forall j : int . i <= j /\ j < Seq.length s + -> UIntSize.to_int (Seq.get s j) <> p | Core_Option_Option_Type.C_Some j -> i <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = p end)) end 
@@ -1287,25 +1321,42 @@ module ListReversalLasso_Impl4_Pigeon_Impl requires {[#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s} ensures { result = find_ptr_in_seq0 s i p } - axiom find_ptr_in_seq0_spec : forall s : Seq.seq usize, i : int, p : int . ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s) -> ([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq0 s i p with - | Core_Option_Option_Type.C_None -> forall j : int . i <= j /\ j < Seq.length s -> UIntSize.to_int (Seq.get s j) <> p + axiom find_ptr_in_seq0_spec : forall s : Seq.seq usize, i : int, p : int . ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s) + -> ([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq0 s i p with + | Core_Option_Option_Type.C_None -> forall j : int . i <= j /\ j < Seq.length s + -> UIntSize.to_int (Seq.get s j) <> p | Core_Option_Option_Type.C_Some j -> i <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = p end) constant s : Seq.seq usize constant n : int function pigeon [#"../list_reversal_lasso.rs" 219 4 219 42] (s : Seq.seq usize) (n : int) : bool - goal vc_pigeon : ([#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j -> Seq.get s i <> Seq.get s j) -> ([#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (Seq.get s i) < n) -> ([#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n) -> match n = 0 with + goal vc_pigeon : ([#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j + -> Seq.get s i <> Seq.get s j) + -> ([#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 
0 <= i /\ i < Seq.length s + -> UIntSize.to_int (Seq.get s i) < n) + -> ([#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n) + -> match n = 0 with | True -> ([#"../list_reversal_lasso.rs" 217 14 217 20] true) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n) | False -> ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= 0 /\ 0 <= Seq.length s) /\ (([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq0 s 0 (n - 1) with - | Core_Option_Option_Type.C_None -> forall j : int . 0 <= j /\ j < Seq.length s -> UIntSize.to_int (Seq.get s j) <> n - 1 + | Core_Option_Option_Type.C_None -> forall j : int . 0 <= j /\ j < Seq.length s + -> UIntSize.to_int (Seq.get s j) <> n - 1 | Core_Option_Option_Type.C_Some j -> 0 <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = n - 1 - end) -> match find_ptr_in_seq0 s 0 (n - 1) with - | Core_Option_Option_Type.C_None -> ((([#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j -> Seq.get s i <> Seq.get s j) && ([#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (Seq.get s i) < n - 1) && ([#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n - 1)) /\ 0 <= ([#"../list_reversal_lasso.rs" 218 14 218 15] n) /\ ([#"../list_reversal_lasso.rs" 218 14 218 15] n - 1) < ([#"../list_reversal_lasso.rs" 218 14 218 15] n)) /\ (([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon s (n - 1)) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n - 1) -> ([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon s (n - 1)) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n)) + end) + -> match find_ptr_in_seq0 s 0 (n - 1) with + | Core_Option_Option_Type.C_None -> ((([#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 
0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j + -> Seq.get s i <> Seq.get s j) && ([#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (Seq.get s i) < n - 1) && ([#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n - 1)) /\ 0 <= ([#"../list_reversal_lasso.rs" 218 14 218 15] n) /\ ([#"../list_reversal_lasso.rs" 218 14 218 15] n - 1) < ([#"../list_reversal_lasso.rs" 218 14 218 15] n)) /\ (([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon s (n - 1)) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n - 1) + -> ([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon s (n - 1)) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n)) | Core_Option_Option_Type.C_Some i -> ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i + 1 /\ i + 1 <= Seq.length s) /\ (([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq0 s (i + 1) (n - 1) with - | Core_Option_Option_Type.C_None -> forall j : int . i + 1 <= j /\ j < Seq.length s -> UIntSize.to_int (Seq.get s j) <> n - 1 + | Core_Option_Option_Type.C_None -> forall j : int . i + 1 <= j /\ j < Seq.length s + -> UIntSize.to_int (Seq.get s j) <> n - 1 | Core_Option_Option_Type.C_Some j -> i + 1 <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = n - 1 - end) -> match find_ptr_in_seq0 s (i + 1) (n - 1) with - | Core_Option_Option_Type.C_None -> ((([#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i' : int . 0 <= i' /\ i' < Seq.length (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) /\ 0 <= j /\ j < Seq.length (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) /\ i' <> j -> Seq.get (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) i' <> Seq.get (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) j) && ([#"../list_reversal_lasso.rs" 214 4 214 67] forall i' : int . 
0 <= i' /\ i' < Seq.length (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) -> UIntSize.to_int (Seq.get (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) i') < n - 1) && ([#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n - 1)) /\ 0 <= ([#"../list_reversal_lasso.rs" 218 14 218 15] n) /\ ([#"../list_reversal_lasso.rs" 218 14 218 15] n - 1) < ([#"../list_reversal_lasso.rs" 218 14 218 15] n)) /\ (([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) (n - 1)) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) <= n - 1) -> ([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) (n - 1)) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n)) + end) + -> match find_ptr_in_seq0 s (i + 1) (n - 1) with + | Core_Option_Option_Type.C_None -> ((([#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i' : int . 0 <= i' /\ i' < Seq.length (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) /\ 0 <= j /\ j < Seq.length (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) /\ i' <> j + -> Seq.get (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) i' <> Seq.get (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) j) && ([#"../list_reversal_lasso.rs" 214 4 214 67] forall i' : int . 
0 <= i' /\ i' < Seq.length (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) + -> UIntSize.to_int (Seq.get (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) i') < n - 1) && ([#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n - 1)) /\ 0 <= ([#"../list_reversal_lasso.rs" 218 14 218 15] n) /\ ([#"../list_reversal_lasso.rs" 218 14 218 15] n - 1) < ([#"../list_reversal_lasso.rs" 218 14 218 15] n)) /\ (([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) (n - 1)) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) <= n - 1) + -> ([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) (n - 1)) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n)) | Core_Option_Option_Type.C_Some _ -> ([#"../list_reversal_lasso.rs" 217 14 217 20] true) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n) end) end) 
@@ -1340,7 +1391,8 @@ module ListReversalLasso_Impl4_FindLassoAux_Impl requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1378,8 +1430,10 @@ module ListReversalLasso_Impl4_FindLassoAux_Impl requires {[#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s} ensures { result = find_ptr_in_seq0 s i p } - axiom find_ptr_in_seq0_spec : forall s : Seq.seq usize, i : int, p : int . ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s) -> ([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq0 s i p with - | Core_Option_Option_Type.C_None -> forall j : int . i <= j /\ j < Seq.length s -> UIntSize.to_int (Seq.get s j) <> p + axiom find_ptr_in_seq0_spec : forall s : Seq.seq usize, i : int, p : int . ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s) + -> ([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq0 s i p with + | Core_Option_Option_Type.C_None -> forall j : int . i <= j /\ j < Seq.length s + -> UIntSize.to_int (Seq.get s j) <> p | Core_Option_Option_Type.C_Some j -> i <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = p end) use seq.Seq 
@@ -1397,11 +1451,18 @@ module ListReversalLasso_Impl4_FindLassoAux_Impl ) val pigeon0 [#"../list_reversal_lasso.rs" 219 4 219 42] (s : Seq.seq usize) (n : int) : bool requires {[#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n} - requires {[#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (Seq.get s i) < n} - requires {[#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j -> Seq.get s i <> Seq.get s j} + requires {[#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (Seq.get s i) < n} + requires {[#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j + -> Seq.get s i <> Seq.get s j} ensures { result = pigeon0 s n } - axiom pigeon0_spec : forall s : Seq.seq usize, n : int . ([#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n) -> ([#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (Seq.get s i) < n) -> ([#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j -> Seq.get s i <> Seq.get s j) -> ([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon0 s n) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n) + axiom pigeon0_spec : forall s : Seq.seq usize, n : int . ([#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n) + -> ([#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (Seq.get s i) < n) + -> ([#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 
0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j + -> Seq.get s i <> Seq.get s j) + -> ([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon0 s n) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n) predicate nonnull_ptr0 [#"../list_reversal_lasso.rs" 49 4 49 44] (self : ListReversalLasso_Memory_Type.t_memory) (i : usize) = @@ -1416,11 +1477,13 @@ module ListReversalLasso_Impl4_FindLassoAux_Impl last else Seq.get s l - ) /\ (forall i : int . l <= i /\ i < h -> nonnull_ptr0 self (Seq.get s i) /\ index_logic1 self (Seq.get s i) = (if i = h - 1 then + ) /\ (forall i : int . l <= i /\ i < h + -> nonnull_ptr0 self (Seq.get s i) /\ index_logic1 self (Seq.get s i) = (if i = h - 1 then last else Seq.get s (i + 1) - )) /\ (forall j : int . forall i : int . l <= i /\ i < h /\ l <= j /\ j < h /\ i <> j -> Seq.get s i <> Seq.get s j) + )) /\ (forall j : int . forall i : int . l <= i /\ i < h /\ l <= j /\ j < h /\ i <> j + -> Seq.get s i <> Seq.get s j) val list_seg0 [#"../list_reversal_lasso.rs" 81 4 81 81] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s : Seq.seq usize) (last : usize) (l : int) (h : int) : bool ensures { result = list_seg0 self first s last l h } 
@@ -1431,12 +1494,13 @@ module ListReversalLasso_Impl4_FindLassoAux_Impl Seq.get s1 (Seq.length s1 - 1) else Seq.get s2 0 - in Seq.length s1 > 0 /\ (forall j : int . forall i : int . 0 <= i /\ i < Seq.length s1 /\ 0 <= j /\ j < Seq.length s2 -> Seq.get s1 i <> Seq.get s2 j) /\ list_seg0 self first s1 mid 0 (Seq.length s1) /\ list_seg0 self mid s2 (Seq.get s1 (Seq.length s1 - 1)) 0 (Seq.length s2) + in Seq.length s1 > 0 /\ (forall j : int . forall i : int . 0 <= i /\ i < Seq.length s1 /\ 0 <= j /\ j < Seq.length s2 + -> Seq.get s1 i <> Seq.get s2 j) /\ list_seg0 self first s1 mid 0 (Seq.length s1) /\ list_seg0 self mid s2 (Seq.get s1 (Seq.length s1 - 1)) 0 (Seq.length s2) val lasso0 [#"../list_reversal_lasso.rs" 151 4 151 70] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s1 : Seq.seq usize) (s2 : Seq.seq usize) : bool ensures { result = lasso0 self first s1 s2 } let constant null0 [#"../list_reversal_lasso.rs" 13 0 13 15] : usize = [@vc:do_not_keep_trace] [@vc:sp] - (18446744073709551615 : usize) + [#"../list_reversal_lasso.rs" 13 0 13 15] (18446744073709551615 : usize) predicate list0 [#"../list_reversal_lasso.rs" 91 4 91 54] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s : Seq.seq usize) = @@ -1447,7 +1511,8 @@ module ListReversalLasso_Impl4_FindLassoAux_Impl predicate mem_is_well_formed0 [#"../list_reversal_lasso.rs" 55 4 55 43] (self : ListReversalLasso_Memory_Type.t_memory) = - [#"../list_reversal_lasso.rs" 56 8 58 9] forall i : usize . nonnull_ptr0 self i -> index_logic1 self i = null0 \/ nonnull_ptr0 self (index_logic1 self i) + [#"../list_reversal_lasso.rs" 56 8 58 9] forall i : usize . nonnull_ptr0 self i + -> index_logic1 self i = null0 \/ nonnull_ptr0 self (index_logic1 self i) val mem_is_well_formed0 [#"../list_reversal_lasso.rs" 55 4 55 43] (self : ListReversalLasso_Memory_Type.t_memory) : bool ensures { result = mem_is_well_formed0 self } 
@@ -1457,20 +1522,30 @@ module ListReversalLasso_Impl4_FindLassoAux_Impl constant s : Seq.seq usize function find_lasso_aux [#"../list_reversal_lasso.rs" 244 4 244 95] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (last : usize) (s : Seq.seq usize) : (Seq.seq usize, Core_Option_Option_Type.t_option (Seq.seq usize)) - goal vc_find_lasso_aux : ([#"../list_reversal_lasso.rs" 238 15 238 56] list_seg0 self first s last 0 (Seq.length s)) -> ([#"../list_reversal_lasso.rs" 237 15 237 53] last = null0 \/ nonnull_ptr0 self last) -> ([#"../list_reversal_lasso.rs" 236 15 236 40] mem_is_well_formed0 self) -> match last = null0 with + goal vc_find_lasso_aux : ([#"../list_reversal_lasso.rs" 238 15 238 56] list_seg0 self first s last 0 (Seq.length s)) + -> ([#"../list_reversal_lasso.rs" 237 15 237 53] last = null0 \/ nonnull_ptr0 self last) + -> ([#"../list_reversal_lasso.rs" 236 15 236 40] mem_is_well_formed0 self) + -> match last = null0 with | True -> [#"../list_reversal_lasso.rs" 239 14 242 5] match (s, Core_Option_Option_Type.C_None) with | (s, Core_Option_Option_Type.C_None) -> list0 self first s | (s1, Core_Option_Option_Type.C_Some s2) -> lasso0 self first s1 s2 end | False -> ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= 0 /\ 0 <= Seq.length s) /\ (([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq0 s 0 (UIntSize.to_int last) with - | Core_Option_Option_Type.C_None -> forall j : int . 0 <= j /\ j < Seq.length s -> UIntSize.to_int (Seq.get s j) <> UIntSize.to_int last + | Core_Option_Option_Type.C_None -> forall j : int . 
0 <= j /\ j < Seq.length s + -> UIntSize.to_int (Seq.get s j) <> UIntSize.to_int last | Core_Option_Option_Type.C_Some j -> 0 <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = UIntSize.to_int last - end) -> match find_ptr_in_seq0 s 0 (UIntSize.to_int last) with - | Core_Option_Option_Type.C_None -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 (ListReversalLasso_Memory_Type.memory_0 self)) /\ (([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self))) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self)) <= UIntSize.to_int max0) -> (([#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j -> Seq.get s i <> Seq.get s j) && ([#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (Seq.get s i) < Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self))) && ([#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self)))) /\ (([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon0 s (Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self)))) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self))) -> match pigeon0 s (Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self))) with + end) + -> match find_ptr_in_seq0 s 0 (UIntSize.to_int last) with + | Core_Option_Option_Type.C_None -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 (ListReversalLasso_Memory_Type.memory_0 self)) /\ (([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self))) && 
([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self)) <= UIntSize.to_int max0) + -> (([#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j + -> Seq.get s i <> Seq.get s j) && ([#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (Seq.get s i) < Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self))) && ([#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self)))) /\ (([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon0 s (Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self)))) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self))) + -> match pigeon0 s (Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self))) with | True -> ((([#"../list_reversal_lasso.rs" 238 15 238 56] list_seg0 self first (Seq.snoc s last) (index_logic1 self last) 0 (Seq.length (Seq.snoc s last))) && ([#"../list_reversal_lasso.rs" 237 15 237 53] index_logic1 self last = null0 \/ nonnull_ptr0 self (index_logic1 self last)) && ([#"../list_reversal_lasso.rs" 236 15 236 40] mem_is_well_formed0 self)) /\ 0 <= ([#"../list_reversal_lasso.rs" 243 4 243 39] Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self)) - Seq.length s) /\ ([#"../list_reversal_lasso.rs" 243 4 243 39] Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self)) - Seq.length (Seq.snoc s last)) < ([#"../list_reversal_lasso.rs" 243 4 243 39] Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self)) - Seq.length s)) /\ (([#"../list_reversal_lasso.rs" 239 14 242 5] match find_lasso_aux self first (index_logic1 self last) (Seq.snoc s last) with | (s, 
Core_Option_Option_Type.C_None) -> list0 self first s | (s1, Core_Option_Option_Type.C_Some s2) -> lasso0 self first s1 s2 - end) -> ([#"../list_reversal_lasso.rs" 239 14 242 5] match find_lasso_aux self first (index_logic1 self last) (Seq.snoc s last) with + end) + -> ([#"../list_reversal_lasso.rs" 239 14 242 5] match find_lasso_aux self first (index_logic1 self last) (Seq.snoc s last) with | (s, Core_Option_Option_Type.C_None) -> list0 self first s | (s1, Core_Option_Option_Type.C_Some s2) -> lasso0 self first s1 s2 end)) @@ -1515,7 +1590,8 @@ module ListReversalLasso_Impl4_FindLasso_Impl requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1552,11 +1628,13 @@ module ListReversalLasso_Impl4_FindLasso_Impl last else Seq.get s l - ) /\ (forall i : int . l <= i /\ i < h -> nonnull_ptr0 self (Seq.get s i) /\ index_logic0 self (Seq.get s i) = (if i = h - 1 then + ) /\ (forall i : int . l <= i /\ i < h + -> nonnull_ptr0 self (Seq.get s i) /\ index_logic0 self (Seq.get s i) = (if i = h - 1 then last else Seq.get s (i + 1) - )) /\ (forall j : int . forall i : int . l <= i /\ i < h /\ l <= j /\ j < h /\ i <> j -> Seq.get s i <> Seq.get s j) + )) /\ (forall j : int . forall i : int . l <= i /\ i < h /\ l <= j /\ j < h /\ i <> j + -> Seq.get s i <> Seq.get s j) val list_seg0 [#"../list_reversal_lasso.rs" 81 4 81 81] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s : Seq.seq usize) (last : usize) (l : int) (h : int) : bool ensures { result = list_seg0 self first s last l h } @@ -1573,8 +1651,10 @@ module ListReversalLasso_Impl4_FindLasso_Impl requires {[#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s} ensures { result = find_ptr_in_seq0 s i p } - axiom find_ptr_in_seq0_spec : forall s : Seq.seq usize, i : int, p : int . ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s) -> ([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq0 s i p with - | Core_Option_Option_Type.C_None -> forall j : int . i <= j /\ j < Seq.length s -> UIntSize.to_int (Seq.get s j) <> p + axiom find_ptr_in_seq0_spec : forall s : Seq.seq usize, i : int, p : int . ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s) + -> ([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq0 s i p with + | Core_Option_Option_Type.C_None -> forall j : int . i <= j /\ j < Seq.length s + -> UIntSize.to_int (Seq.get s j) <> p | Core_Option_Option_Type.C_Some j -> i <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = p end) use seq_ext.SeqExt 
@@ -1594,11 +1674,18 @@ module ListReversalLasso_Impl4_FindLasso_Impl ) val pigeon0 [#"../list_reversal_lasso.rs" 219 4 219 42] (s : Seq.seq usize) (n : int) : bool requires {[#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n} - requires {[#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (Seq.get s i) < n} - requires {[#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j -> Seq.get s i <> Seq.get s j} + requires {[#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (Seq.get s i) < n} + requires {[#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j + -> Seq.get s i <> Seq.get s j} ensures { result = pigeon0 s n } - axiom pigeon0_spec : forall s : Seq.seq usize, n : int . ([#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n) -> ([#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (Seq.get s i) < n) -> ([#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j -> Seq.get s i <> Seq.get s j) -> ([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon0 s n) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n) + axiom pigeon0_spec : forall s : Seq.seq usize, n : int . ([#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n) + -> ([#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (Seq.get s i) < n) + -> ([#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 
0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j + -> Seq.get s i <> Seq.get s j) + -> ([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon0 s n) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n) predicate lasso0 [#"../list_reversal_lasso.rs" 151 4 151 70] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s1 : Seq.seq usize) (s2 : Seq.seq usize) = @@ -1606,12 +1693,13 @@ module ListReversalLasso_Impl4_FindLasso_Impl Seq.get s1 (Seq.length s1 - 1) else Seq.get s2 0 - in Seq.length s1 > 0 /\ (forall j : int . forall i : int . 0 <= i /\ i < Seq.length s1 /\ 0 <= j /\ j < Seq.length s2 -> Seq.get s1 i <> Seq.get s2 j) /\ list_seg0 self first s1 mid 0 (Seq.length s1) /\ list_seg0 self mid s2 (Seq.get s1 (Seq.length s1 - 1)) 0 (Seq.length s2) + in Seq.length s1 > 0 /\ (forall j : int . forall i : int . 0 <= i /\ i < Seq.length s1 /\ 0 <= j /\ j < Seq.length s2 + -> Seq.get s1 i <> Seq.get s2 j) /\ list_seg0 self first s1 mid 0 (Seq.length s1) /\ list_seg0 self mid s2 (Seq.get s1 (Seq.length s1 - 1)) 0 (Seq.length s2) val lasso0 [#"../list_reversal_lasso.rs" 151 4 151 70] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s1 : Seq.seq usize) (s2 : Seq.seq usize) : bool ensures { result = lasso0 self first s1 s2 } let constant null0 [#"../list_reversal_lasso.rs" 13 0 13 15] : usize = [@vc:do_not_keep_trace] [@vc:sp] - (18446744073709551615 : usize) + [#"../list_reversal_lasso.rs" 13 0 13 15] (18446744073709551615 : usize) predicate list0 [#"../list_reversal_lasso.rs" 91 4 91 54] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s : Seq.seq usize) = 
@@ -1622,7 +1710,8 @@ module ListReversalLasso_Impl4_FindLasso_Impl predicate mem_is_well_formed0 [#"../list_reversal_lasso.rs" 55 4 55 43] (self : ListReversalLasso_Memory_Type.t_memory) = - [#"../list_reversal_lasso.rs" 56 8 58 9] forall i : usize . nonnull_ptr0 self i -> index_logic0 self i = null0 \/ nonnull_ptr0 self (index_logic0 self i) + [#"../list_reversal_lasso.rs" 56 8 58 9] forall i : usize . nonnull_ptr0 self i + -> index_logic0 self i = null0 \/ nonnull_ptr0 self (index_logic0 self i) val mem_is_well_formed0 [#"../list_reversal_lasso.rs" 55 4 55 43] (self : ListReversalLasso_Memory_Type.t_memory) : bool ensures { result = mem_is_well_formed0 self } 
@@ -1646,7 +1735,10 @@ module ListReversalLasso_Impl4_FindLasso_Impl requires {[#"../list_reversal_lasso.rs" 238 15 238 56] list_seg0 self first s last 0 (Seq.length s)} ensures { result = find_lasso_aux0 self first last s } - axiom find_lasso_aux0_spec : forall self : ListReversalLasso_Memory_Type.t_memory, first : usize, last : usize, s : Seq.seq usize . ([#"../list_reversal_lasso.rs" 236 15 236 40] mem_is_well_formed0 self) -> ([#"../list_reversal_lasso.rs" 237 15 237 53] last = null0 \/ nonnull_ptr0 self last) -> ([#"../list_reversal_lasso.rs" 238 15 238 56] list_seg0 self first s last 0 (Seq.length s)) -> ([#"../list_reversal_lasso.rs" 239 14 242 5] match find_lasso_aux0 self first last s with + axiom find_lasso_aux0_spec : forall self : ListReversalLasso_Memory_Type.t_memory, first : usize, last : usize, s : Seq.seq usize . ([#"../list_reversal_lasso.rs" 236 15 236 40] mem_is_well_formed0 self) + -> ([#"../list_reversal_lasso.rs" 237 15 237 53] last = null0 \/ nonnull_ptr0 self last) + -> ([#"../list_reversal_lasso.rs" 238 15 238 56] list_seg0 self first s last 0 (Seq.length s)) + -> ([#"../list_reversal_lasso.rs" 239 14 242 5] match find_lasso_aux0 self first last s with | (s, Core_Option_Option_Type.C_None) -> list0 self first s | (s1, Core_Option_Option_Type.C_Some s2) -> lasso0 self first s1 s2 end) 
@@ -1655,10 +1747,13 @@ module ListReversalLasso_Impl4_FindLasso_Impl constant first : usize function find_lasso [#"../list_reversal_lasso.rs" 270 4 270 71] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) : (Seq.seq usize, Core_Option_Option_Type.t_option (Seq.seq usize)) - goal vc_find_lasso : ([#"../list_reversal_lasso.rs" 265 15 265 55] first = null0 \/ nonnull_ptr0 self first) -> ([#"../list_reversal_lasso.rs" 264 15 264 40] mem_is_well_formed0 self) -> (([#"../list_reversal_lasso.rs" 238 15 238 56] list_seg0 self first (Seq.empty : Seq.seq usize) first 0 (Seq.length (Seq.empty : Seq.seq usize))) && ([#"../list_reversal_lasso.rs" 237 15 237 53] first = null0 \/ nonnull_ptr0 self first) && ([#"../list_reversal_lasso.rs" 236 15 236 40] mem_is_well_formed0 self)) /\ (([#"../list_reversal_lasso.rs" 239 14 242 5] match find_lasso_aux0 self first first (Seq.empty : Seq.seq usize) with + goal vc_find_lasso : ([#"../list_reversal_lasso.rs" 265 15 265 55] first = null0 \/ nonnull_ptr0 self first) + -> ([#"../list_reversal_lasso.rs" 264 15 264 40] mem_is_well_formed0 self) + -> (([#"../list_reversal_lasso.rs" 238 15 238 56] list_seg0 self first (Seq.empty : Seq.seq usize) first 0 (Seq.length (Seq.empty : Seq.seq usize))) && ([#"../list_reversal_lasso.rs" 237 15 237 53] first = null0 \/ nonnull_ptr0 self first) && ([#"../list_reversal_lasso.rs" 236 15 236 40] mem_is_well_formed0 self)) /\ (([#"../list_reversal_lasso.rs" 239 14 242 5] match find_lasso_aux0 self first first (Seq.empty : Seq.seq usize) with | (s, Core_Option_Option_Type.C_None) -> list0 self first s | (s1, Core_Option_Option_Type.C_Some s2) -> lasso0 self first s1 s2 - end) -> ([#"../list_reversal_lasso.rs" 266 14 269 5] match find_lasso_aux0 self first first (Seq.empty : Seq.seq usize) with + end) + -> ([#"../list_reversal_lasso.rs" 266 14 269 5] match find_lasso_aux0 self first first (Seq.empty : Seq.seq usize) with | (s, Core_Option_Option_Type.C_None) -> list0 self first s | (s1, 
Core_Option_Option_Type.C_Some s2) -> lasso0 self first s1 s2 end)) diff --git a/creusot/tests/should_succeed/loop.mlcfg b/creusot/tests/should_succeed/loop.mlcfg index f5384ca1dd..cd9f3506c4 100644 --- a/creusot/tests/should_succeed/loop.mlcfg +++ b/creusot/tests/should_succeed/loop.mlcfg @@ -17,10 +17,10 @@ module Loop_F goto BB0 } BB0 { - [#"../loop.rs" 4 16 4 18] a <- ([#"../loop.rs" 4 16 4 18] (10 : int32)); + [#"../loop.rs" 4 16 4 18] a <- ([#"../loop.rs" 4 16 4 18] [#"../loop.rs" 4 16 4 18] (10 : int32)); [#"../loop.rs" 5 12 5 18] b <- Borrow.borrow_mut a; [#"../loop.rs" 5 12 5 18] a <- ^ b; - [#"../loop.rs" 6 4 6 10] b <- { b with current = ([#"../loop.rs" 6 4 6 10] (5 : int32)) ; }; + [#"../loop.rs" 6 4 6 10] b <- { b with current = ([#"../loop.rs" 6 4 6 10] [#"../loop.rs" 6 9 6 10] (5 : int32)) ; }; assume { resolve0 b }; goto BB1 } @@ -28,13 +28,13 @@ module Loop_F goto BB2 } BB2 { - switch (true) + switch ([#"../loop.rs" 8 11 8 15] true) | False -> goto BB4 | True -> goto BB3 end } BB3 { - [#"../loop.rs" 3 11 13 1] _0 <- ([#"../loop.rs" 3 11 13 1] ()); + [#"../loop.rs" 3 11 13 1] _0 <- ([#"../loop.rs" 3 11 13 1] [#"../loop.rs" 3 11 13 1] ()); return _0 } BB4 { diff --git a/creusot/tests/should_succeed/mapping_test.mlcfg b/creusot/tests/should_succeed/mapping_test.mlcfg index e754183262..fdf9961b91 100644 --- a/creusot/tests/should_succeed/mapping_test.mlcfg +++ b/creusot/tests/should_succeed/mapping_test.mlcfg 
@@ -69,10 +69,10 @@ module MappingTest_Incr goto BB1 } BB1 { - [#"../mapping_test.rs" 32 4 32 15] t <- { t with current = (let MappingTest_T_Type.C_T x0 = * t in MappingTest_T_Type.C_T ([#"../mapping_test.rs" 32 4 32 15] MappingTest_T_Type.t_a ( * t) + (1 : int32))) ; }; + [#"../mapping_test.rs" 32 4 32 15] t <- { t with current = (let MappingTest_T_Type.C_T x0 = * t in MappingTest_T_Type.C_T ([#"../mapping_test.rs" 32 4 32 15] MappingTest_T_Type.t_a ( * t) + ([#"../mapping_test.rs" 32 14 32 15] (1 : int32)))) ; }; assume { resolve0 t }; assert { [@expl:assertion] [#"../mapping_test.rs" 35 19 35 50] shallow_model0 ( ^ t) = Map.set (shallow_model1 old_t) (Int32.to_int (MappingTest_T_Type.t_a ( * Snapshot.inner old_t))) 1 }; - [#"../mapping_test.rs" 30 19 36 1] _0 <- ([#"../mapping_test.rs" 30 19 36 1] ()); + [#"../mapping_test.rs" 30 19 36 1] _0 <- ([#"../mapping_test.rs" 30 19 36 1] [#"../mapping_test.rs" 30 19 36 1] ()); return _0 } @@ -122,7 +122,7 @@ module MappingTest_F goto BB0 } BB0 { - [#"../mapping_test.rs" 39 16 39 27] x <- ([#"../mapping_test.rs" 39 16 39 27] MappingTest_T_Type.C_T (42 : int32)); + [#"../mapping_test.rs" 39 16 39 27] x <- ([#"../mapping_test.rs" 39 16 39 27] MappingTest_T_Type.C_T ([#"../mapping_test.rs" 39 23 39 25] (42 : int32))); assert { [@expl:assertion] [#"../mapping_test.rs" 40 19 40 34] Map.get (shallow_model0 x) 13 = 1 }; assert { [@expl:assertion] [#"../mapping_test.rs" 41 19 41 34] Map.get (shallow_model0 x) 42 = 0 }; [#"../mapping_test.rs" 42 9 42 15] _8 <- Borrow.borrow_mut x; 
@@ -137,7 +137,7 @@ module MappingTest_F assume { resolve0 _8 }; assert { [@expl:assertion] [#"../mapping_test.rs" 43 19 43 34] Map.get (shallow_model0 x) 13 = 1 }; assert { [@expl:assertion] [#"../mapping_test.rs" 44 19 44 34] Map.get (shallow_model0 x) 42 = 1 }; - [#"../mapping_test.rs" 38 11 45 1] _0 <- ([#"../mapping_test.rs" 38 11 45 1] ()); + [#"../mapping_test.rs" 38 11 45 1] _0 <- ([#"../mapping_test.rs" 38 11 45 1] [#"../mapping_test.rs" 38 11 45 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/match_int.mlcfg b/creusot/tests/should_succeed/match_int.mlcfg index 96b4b86e70..60cef044ff 100644 --- a/creusot/tests/should_succeed/match_int.mlcfg +++ b/creusot/tests/should_succeed/match_int.mlcfg @@ -12,15 +12,15 @@ module MatchInt_F goto BB0 } BB0 { - [#"../match_int.rs" 8 10 8 11] _1 <- ([#"../match_int.rs" 8 10 8 11] (1 : int32)); - [#"../match_int.rs" 9 8 9 13] _2 <- ([#"../match_int.rs" 9 8 9 13] (0 : int32) <= _1); + [#"../match_int.rs" 8 10 8 11] _1 <- ([#"../match_int.rs" 8 10 8 11] [#"../match_int.rs" 8 10 8 11] (1 : int32)); + [#"../match_int.rs" 9 8 9 13] _2 <- ([#"../match_int.rs" 9 8 9 13] ([#"../match_int.rs" 9 8 9 13] (0 : int32)) <= _1); switch (_2) | False -> goto BB3 | True -> goto BB1 end } BB1 { - [#"../match_int.rs" 9 8 9 13] _3 <- ([#"../match_int.rs" 9 8 9 13] _1 < (10 : int32)); + [#"../match_int.rs" 9 8 9 13] _3 <- ([#"../match_int.rs" 9 8 9 13] _1 < ([#"../match_int.rs" 9 8 9 13] (10 : int32))); switch (_3) | False -> goto BB3 | True -> goto BB2 @@ -45,13 +45,13 @@ module MatchInt_F goto BB10 } BB6 { - switch (false) + switch ([#"../match_int.rs" 16 20 16 25] false) | False -> goto BB13 | True -> goto BB14 end } BB7 { - switch (true) + switch ([#"../match_int.rs" 10 20 10 24] true) | False -> goto BB8 | True -> goto BB9 end 
@@ -61,11 +61,11 @@ module MatchInt_F absurd } BB9 { - [#"../match_int.rs" 10 25 10 25] _0 <- ([#"../match_int.rs" 10 25 10 25] ()); + [#"../match_int.rs" 10 25 10 25] _0 <- ([#"../match_int.rs" 10 25 10 25] [#"../match_int.rs" 10 25 10 25] ()); goto BB15 } BB10 { - switch (false) + switch ([#"../match_int.rs" 13 20 13 25] false) | False -> goto BB11 | True -> goto BB12 end @@ -75,7 +75,7 @@ module MatchInt_F absurd } BB12 { - [#"../match_int.rs" 13 26 13 26] _0 <- ([#"../match_int.rs" 13 26 13 26] ()); + [#"../match_int.rs" 13 26 13 26] _0 <- ([#"../match_int.rs" 13 26 13 26] [#"../match_int.rs" 13 26 13 26] ()); goto BB15 } BB13 { @@ -83,7 +83,7 @@ module MatchInt_F absurd } BB14 { - [#"../match_int.rs" 16 26 16 26] _0 <- ([#"../match_int.rs" 16 26 16 26] ()); + [#"../match_int.rs" 16 26 16 26] _0 <- ([#"../match_int.rs" 16 26 16 26] [#"../match_int.rs" 16 26 16 26] ()); goto BB15 } BB15 { diff --git a/creusot/tests/should_succeed/mc91.mlcfg b/creusot/tests/should_succeed/mc91.mlcfg index f09ff21c56..3962018ac5 100644 --- a/creusot/tests/should_succeed/mc91.mlcfg +++ b/creusot/tests/should_succeed/mc91.mlcfg @@ -3,7 +3,8 @@ module Mc91_Mc91 use prelude.UInt32 use prelude.Int let rec cfg mc91 [#"../mc91.rs" 7 0 7 26] [@cfg:stackify] [@cfg:subregion_analysis] (x : uint32) : uint32 - ensures { [#"../mc91.rs" 5 0 6 40] x <= (100 : uint32) -> result = (91 : uint32) /\ x > (100 : uint32) -> result = x - (10 : uint32) } + ensures { [#"../mc91.rs" 5 0 6 40] x <= (100 : uint32) + -> result = (91 : uint32) /\ x > (100 : uint32) -> result = x - (10 : uint32) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : uint32; 
@@ -15,18 +16,18 @@ module Mc91_Mc91 goto BB0 } BB0 { - [#"../mc91.rs" 8 7 8 14] _3 <- ([#"../mc91.rs" 8 7 8 14] x > (100 : uint32)); + [#"../mc91.rs" 8 7 8 14] _3 <- ([#"../mc91.rs" 8 7 8 14] x > ([#"../mc91.rs" 8 11 8 14] (100 : uint32))); switch (_3) | False -> goto BB2 | True -> goto BB1 end } BB1 { - [#"../mc91.rs" 9 8 9 14] _0 <- ([#"../mc91.rs" 9 8 9 14] x - (10 : uint32)); + [#"../mc91.rs" 9 8 9 14] _0 <- ([#"../mc91.rs" 9 8 9 14] x - ([#"../mc91.rs" 9 12 9 14] (10 : uint32))); goto BB5 } BB2 { - [#"../mc91.rs" 11 18 11 24] _7 <- ([#"../mc91.rs" 11 18 11 24] x + (11 : uint32)); + [#"../mc91.rs" 11 18 11 24] _7 <- ([#"../mc91.rs" 11 18 11 24] x + ([#"../mc91.rs" 11 22 11 24] (11 : uint32))); [#"../mc91.rs" 11 13 11 25] _6 <- ([#"../mc91.rs" 11 13 11 25] mc91 _7); _7 <- any uint32; goto BB3 diff --git a/creusot/tests/should_succeed/mutex.mlcfg b/creusot/tests/should_succeed/mutex.mlcfg index ece0d14179..0b79cec7d9 100644 --- a/creusot/tests/should_succeed/mutex.mlcfg +++ b/creusot/tests/should_succeed/mutex.mlcfg @@ -162,7 +162,7 @@ module Mutex_Impl3_Call } BB2 { [#"../mutex.rs" 102 18 102 28] val' <- ([#"../mutex.rs" 102 18 102 28] _5); - [#"../mutex.rs" 103 11 103 23] _7 <- ([#"../mutex.rs" 103 11 103 23] val' < (100000 : uint32)); + [#"../mutex.rs" 103 11 103 23] _7 <- ([#"../mutex.rs" 103 11 103 23] val' < ([#"../mutex.rs" 103 17 103 23] (100000 : uint32))); switch (_7) | False -> goto BB5 | True -> goto BB3 
@@ -171,25 +171,25 @@ module Mutex_Impl3_Call BB3 { [#"../mutex.rs" 104 12 104 13] _10 <- Borrow.borrow_mut v; [#"../mutex.rs" 104 12 104 13] v <- ^ _10; - [#"../mutex.rs" 104 18 104 25] _11 <- ([#"../mutex.rs" 104 18 104 25] val' + (2 : uint32)); + [#"../mutex.rs" 104 18 104 25] _11 <- ([#"../mutex.rs" 104 18 104 25] val' + ([#"../mutex.rs" 104 24 104 25] (2 : uint32))); [#"../mutex.rs" 104 12 104 26] _9 <- ([#"../mutex.rs" 104 12 104 26] set0 _10 _11); _10 <- any borrowed (Mutex_MutexGuard_Type.t_mutexguard uint32 (Mutex_Even_Type.t_even)); _11 <- any uint32; goto BB4 } BB4 { - [#"../mutex.rs" 103 24 105 9] _0 <- ([#"../mutex.rs" 103 24 105 9] ()); + [#"../mutex.rs" 103 24 105 9] _0 <- ([#"../mutex.rs" 103 24 105 9] [#"../mutex.rs" 103 24 105 9] ()); goto BB7 } BB5 { [#"../mutex.rs" 106 12 106 13] _14 <- Borrow.borrow_mut v; [#"../mutex.rs" 106 12 106 13] v <- ^ _14; - [#"../mutex.rs" 106 12 106 20] _13 <- ([#"../mutex.rs" 106 12 106 20] set0 _14 (0 : uint32)); + [#"../mutex.rs" 106 12 106 20] _13 <- ([#"../mutex.rs" 106 12 106 20] set0 _14 ([#"../mutex.rs" 106 18 106 19] (0 : uint32))); _14 <- any borrowed (Mutex_MutexGuard_Type.t_mutexguard uint32 (Mutex_Even_Type.t_even)); goto BB6 } BB6 { - [#"../mutex.rs" 105 15 107 9] _0 <- ([#"../mutex.rs" 105 15 107 9] ()); + [#"../mutex.rs" 105 15 107 9] _0 <- ([#"../mutex.rs" 105 15 107 9] [#"../mutex.rs" 105 15 107 9] ()); goto BB7 } BB7 { @@ -424,7 +424,7 @@ module Mutex_Concurrent } BB0 { [#"../mutex.rs" 164 52 164 56] _5 <- ([#"../mutex.rs" 164 52 164 56] Mutex_Even_Type.C_Even); - [#"../mutex.rs" 164 38 164 57] _4 <- ([#"../mutex.rs" 164 38 164 57] new0 (0 : uint32) _5); + [#"../mutex.rs" 164 38 164 57] _4 <- ([#"../mutex.rs" 164 38 164 57] new0 ([#"../mutex.rs" 164 49 164 50] (0 : uint32)) _5); _5 <- any Mutex_Even_Type.t_even; goto BB1 } 
@@ -463,7 +463,7 @@ module Mutex_Concurrent goto BB7 } BB7 { - [#"../mutex.rs" 163 20 175 1] _0 <- ([#"../mutex.rs" 163 20 175 1] ()); + [#"../mutex.rs" 163 20 175 1] _0 <- ([#"../mutex.rs" 163 20 175 1] [#"../mutex.rs" 163 20 175 1] ()); goto BB8 } BB8 { @@ -512,5 +512,6 @@ module Mutex_Impl3 val precondition0 [#"../mutex.rs" 91 4 91 33] (self : Mutex_AddsTwo_Type.t_addstwo) : bool ensures { result = precondition0 self } - goal call_refn : [#"../mutex.rs" 100 4 100 23] forall self : Mutex_AddsTwo_Type.t_addstwo . inv0 self /\ precondition0 self -> (forall result : () . inv1 result /\ postcondition0 self result) + goal call_refn : [#"../mutex.rs" 100 4 100 23] forall self : Mutex_AddsTwo_Type.t_addstwo . inv0 self /\ precondition0 self + -> (forall result : () . inv1 result /\ postcondition0 self result) end diff --git a/creusot/tests/should_succeed/one_side_update.mlcfg b/creusot/tests/should_succeed/one_side_update.mlcfg index 8a9675a0ff..e8af0ae821 100644 --- a/creusot/tests/should_succeed/one_side_update.mlcfg +++ b/creusot/tests/should_succeed/one_side_update.mlcfg 
@@ -26,25 +26,25 @@ module OneSideUpdate_F goto BB0 } BB0 { - [#"../one_side_update.rs" 6 16 6 25] a <- ([#"../one_side_update.rs" 6 16 6 25] OneSideUpdate_MyInt_Type.C_MyInt (10 : usize)); + [#"../one_side_update.rs" 6 16 6 25] a <- ([#"../one_side_update.rs" 6 16 6 25] OneSideUpdate_MyInt_Type.C_MyInt ([#"../one_side_update.rs" 6 22 6 24] (10 : usize))); [#"../one_side_update.rs" 7 12 7 18] b <- Borrow.borrow_mut a; [#"../one_side_update.rs" 7 12 7 18] a <- ^ b; - switch (true) + switch ([#"../one_side_update.rs" 8 7 8 11] true) | False -> goto BB2 | True -> goto BB1 end } BB1 { assume { resolve0 b }; - [#"../one_side_update.rs" 8 12 10 5] _0 <- ([#"../one_side_update.rs" 8 12 10 5] ()); + [#"../one_side_update.rs" 8 12 10 5] _0 <- ([#"../one_side_update.rs" 8 12 10 5] [#"../one_side_update.rs" 8 12 10 5] ()); goto BB3 } BB2 { - [#"../one_side_update.rs" 11 13 11 21] _6 <- ([#"../one_side_update.rs" 11 13 11 21] OneSideUpdate_MyInt_Type.C_MyInt (5 : usize)); + [#"../one_side_update.rs" 11 13 11 21] _6 <- ([#"../one_side_update.rs" 11 13 11 21] OneSideUpdate_MyInt_Type.C_MyInt ([#"../one_side_update.rs" 11 19 11 20] (5 : usize))); [#"../one_side_update.rs" 11 8 11 21] b <- { b with current = ([#"../one_side_update.rs" 11 8 11 21] _6) ; }; _6 <- any OneSideUpdate_MyInt_Type.t_myint; assume { resolve0 b }; - [#"../one_side_update.rs" 10 11 12 5] _0 <- ([#"../one_side_update.rs" 10 11 12 5] ()); + [#"../one_side_update.rs" 10 11 12 5] _0 <- ([#"../one_side_update.rs" 10 11 12 5] [#"../one_side_update.rs" 10 11 12 5] ()); goto BB3 } BB3 { diff --git a/creusot/tests/should_succeed/option.mlcfg b/creusot/tests/should_succeed/option.mlcfg index 8091735123..0f481b4fa3 100644 --- a/creusot/tests/should_succeed/option.mlcfg +++ b/creusot/tests/should_succeed/option.mlcfg 
@@ -110,7 +110,8 @@ module Option_TestOption axiom inv0 : forall x : Core_Option_Option_Type.t_option int32 . inv0 x = true val flatten0 (self : Core_Option_Option_Type.t_option (Core_Option_Option_Type.t_option int32)) : Core_Option_Option_Type.t_option int32 - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 120 16 120 59] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 120 16 120 59] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ self = Core_Option_Option_Type.C_Some result } ensures { inv1 result } 
@@ -121,25 +122,29 @@ module Option_TestOption val cloned1 (self : Core_Option_Option_Type.t_option (borrowed int32)) : Core_Option_Option_Type.t_option int32 requires {inv5 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 109 16 109 59] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 109 16 109 59] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ (exists t : borrowed int32 . inv4 t /\ self = Core_Option_Option_Type.C_Some t /\ result = Core_Option_Option_Type.C_Some ( * t) /\ resolve0 t) } ensures { inv1 result } val cloned0 (self : Core_Option_Option_Type.t_option int32) : Core_Option_Option_Type.t_option int32 requires {inv8 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 92 16 92 59] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 92 16 92 59] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ (exists t : int32 . 
inv7 t /\ self = Core_Option_Option_Type.C_Some t /\ result = Core_Option_Option_Type.C_Some t) } ensures { inv1 result } val copied1 (self : Core_Option_Option_Type.t_option (borrowed int32)) : Core_Option_Option_Type.t_option int32 requires {inv5 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 100 16 100 59] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 100 16 100 59] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ (exists t : borrowed int32 . inv4 t /\ self = Core_Option_Option_Type.C_Some t /\ result = Core_Option_Option_Type.C_Some ( * t) /\ resolve0 t) } ensures { inv1 result } val copied0 (self : Core_Option_Option_Type.t_option int32) : Core_Option_Option_Type.t_option int32 requires {inv8 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 86 16 86 59] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 86 16 86 59] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ (exists t : int32 . inv7 t /\ self = Core_Option_Option_Type.C_Some t /\ result = Core_Option_Option_Type.C_Some t) } ensures { inv1 result } 
@@ -151,7 +156,8 @@ module Option_TestOption val unwrap_or_default0 (self : Core_Option_Option_Type.t_option int32) : int32 requires {inv1 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 78 16 78 64] self = Core_Option_Option_Type.C_None -> is_default0 result } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 78 16 78 64] self = Core_Option_Option_Type.C_None + -> is_default0 result } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ self = Core_Option_Option_Type.C_Some result } ensures { inv2 result } @@ -169,14 +175,16 @@ module Option_TestOption val or0 (self : Core_Option_Option_Type.t_option int32) (optb : Core_Option_Option_Type.t_option int32) : Core_Option_Option_Type.t_option int32 requires {inv1 self} requires {inv1 optb} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 68 16 68 59] self = Core_Option_Option_Type.C_None -> result = optb } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 68 16 68 59] self = Core_Option_Option_Type.C_None + -> result = optb } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ result = self } ensures { inv1 result } val and0 (self : Core_Option_Option_Type.t_option int32) (optb : Core_Option_Option_Type.t_option int32) : Core_Option_Option_Type.t_option int32 requires {inv1 self} requires {inv1 optb} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 64 16 64 59] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 64 16 64 59] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ result = optb } ensures { inv1 result } 
@@ -192,7 +200,8 @@ module Option_TestOption val as_ref0 (self : Core_Option_Option_Type.t_option int32) : Core_Option_Option_Type.t_option int32 requires {inv0 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 58 16 58 60] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 58 16 58 60] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 59 16 61 18] self = Core_Option_Option_Type.C_None \/ (exists r : int32 . inv7 r /\ result = Core_Option_Option_Type.C_Some r /\ self = Core_Option_Option_Type.C_Some r) } ensures { inv8 result } 
@@ -208,14 +217,16 @@ module Option_TestOption val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option int32)) : Core_Option_Option_Type.t_option (borrowed int32) requires {inv3 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed int32 . inv4 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv5 result } val unwrap_or0 (self : Core_Option_Option_Type.t_option int32) (default : int32) : int32 requires {inv1 self} requires {inv2 default} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 47 16 47 62] self = Core_Option_Option_Type.C_None -> result = default } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 47 16 47 62] self = Core_Option_Option_Type.C_None + -> result = default } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ self = Core_Option_Option_Type.C_Some result } ensures { inv2 result } 
@@ -371,7 +382,7 @@ module Option_TestOption } BB0 { [#"../option.rs" 5 32 5 36] none <- ([#"../option.rs" 5 32 5 36] Core_Option_Option_Type.C_None); - [#"../option.rs" 6 32 6 39] some <- ([#"../option.rs" 6 32 6 39] Core_Option_Option_Type.C_Some (1 : int32)); + [#"../option.rs" 6 32 6 39] some <- ([#"../option.rs" 6 32 6 39] Core_Option_Option_Type.C_Some ([#"../option.rs" 6 37 6 38] (1 : int32))); [#"../option.rs" 9 12 9 26] _4 <- ([#"../option.rs" 9 12 9 26] is_some0 some); goto BB1 } @@ -436,7 +447,7 @@ module Option_TestOption absurd } BB15 { - [#"../option.rs" 14 12 14 30] _16 <- ([#"../option.rs" 14 12 14 30] _17 = (1 : int32)); + [#"../option.rs" 14 12 14 30] _16 <- ([#"../option.rs" 14 12 14 30] _17 = ([#"../option.rs" 14 29 14 30] (1 : int32))); _17 <- any int32; switch (_16) | False -> goto BB17 @@ -444,7 +455,7 @@ module Option_TestOption end } BB16 { - [#"../option.rs" 19 12 19 29] _22 <- ([#"../option.rs" 19 12 19 29] unwrap_or0 some (2 : int32)); + [#"../option.rs" 19 12 19 29] _22 <- ([#"../option.rs" 19 12 19 29] unwrap_or0 some ([#"../option.rs" 19 27 19 28] (2 : int32))); goto BB18 } BB17 { @@ -452,7 +463,7 @@ module Option_TestOption absurd } BB18 { - [#"../option.rs" 19 12 19 34] _21 <- ([#"../option.rs" 19 12 19 34] _22 = (1 : int32)); + [#"../option.rs" 19 12 19 34] _21 <- ([#"../option.rs" 19 12 19 34] _22 = ([#"../option.rs" 19 33 19 34] (1 : int32))); _22 <- any int32; switch (_21) | False -> goto BB20 @@ -460,7 +471,7 @@ module Option_TestOption end } BB19 { - [#"../option.rs" 20 12 20 29] _27 <- ([#"../option.rs" 20 12 20 29] unwrap_or0 none (2 : int32)); + [#"../option.rs" 20 12 20 29] _27 <- ([#"../option.rs" 20 12 20 29] unwrap_or0 none ([#"../option.rs" 20 27 20 28] (2 : int32))); goto BB21 } BB20 { 
@@ -468,7 +479,7 @@ module Option_TestOption absurd } BB21 { - [#"../option.rs" 20 12 20 34] _26 <- ([#"../option.rs" 20 12 20 34] _27 = (2 : int32)); + [#"../option.rs" 20 12 20 34] _26 <- ([#"../option.rs" 20 12 20 34] _27 = ([#"../option.rs" 20 33 20 34] (2 : int32))); _27 <- any int32; switch (_26) | False -> goto BB23 @@ -513,13 +524,13 @@ module Option_TestOption goto BB29 } BB29 { - [#"../option.rs" 24 4 24 31] _36 <- { _36 with current = ([#"../option.rs" 24 4 24 31] (2 : int32)) ; }; + [#"../option.rs" 24 4 24 31] _36 <- { _36 with current = ([#"../option.rs" 24 4 24 31] [#"../option.rs" 24 30 24 31] (2 : int32)) ; }; assume { resolve0 _36 }; [#"../option.rs" 25 12 25 25] _41 <- ([#"../option.rs" 25 12 25 25] unwrap0 some); goto BB30 } BB30 { - [#"../option.rs" 25 12 25 30] _40 <- ([#"../option.rs" 25 12 25 30] _41 = (2 : int32)); + [#"../option.rs" 25 12 25 30] _40 <- ([#"../option.rs" 25 12 25 30] _41 = ([#"../option.rs" 25 29 25 30] (2 : int32))); _41 <- any int32; switch (_40) | False -> goto BB32 @@ -543,13 +554,13 @@ module Option_TestOption goto BB34 } BB34 { - [#"../option.rs" 26 4 26 31] _44 <- { _44 with current = ([#"../option.rs" 26 4 26 31] (1 : int32)) ; }; + [#"../option.rs" 26 4 26 31] _44 <- { _44 with current = ([#"../option.rs" 26 4 26 31] [#"../option.rs" 26 30 26 31] (1 : int32)) ; }; assume { resolve0 _44 }; [#"../option.rs" 27 12 27 25] _49 <- ([#"../option.rs" 27 12 27 25] unwrap0 some); goto BB35 } BB35 { - [#"../option.rs" 27 12 27 30] _48 <- ([#"../option.rs" 27 12 27 30] _49 = (1 : int32)); + [#"../option.rs" 27 12 27 30] _48 <- ([#"../option.rs" 27 12 27 30] _49 = ([#"../option.rs" 27 29 27 30] (1 : int32))); _49 <- any int32; switch (_48) | False -> goto BB37 
@@ -588,7 +599,7 @@ module Option_TestOption goto BB43 } BB43 { - [#"../option.rs" 30 12 30 40] _59 <- ([#"../option.rs" 30 12 30 40] _61 = (1 : int32)); + [#"../option.rs" 30 12 30 40] _59 <- ([#"../option.rs" 30 12 30 40] _61 = ([#"../option.rs" 30 39 30 40] (1 : int32))); switch (_59) | False -> goto BB45 | True -> goto BB44 @@ -613,7 +624,7 @@ module Option_TestOption end } BB48 { - [#"../option.rs" 34 21 34 28] _77 <- ([#"../option.rs" 34 21 34 28] Core_Option_Option_Type.C_Some (2 : int32)); + [#"../option.rs" 34 21 34 28] _77 <- ([#"../option.rs" 34 21 34 28] Core_Option_Option_Type.C_Some ([#"../option.rs" 34 26 34 27] (2 : int32))); [#"../option.rs" 34 12 34 29] _75 <- ([#"../option.rs" 34 12 34 29] and0 none _77); _77 <- any Core_Option_Option_Type.t_option int32; goto BB50 @@ -651,7 +662,7 @@ module Option_TestOption end } BB56 { - [#"../option.rs" 36 21 36 28] _91 <- ([#"../option.rs" 36 21 36 28] Core_Option_Option_Type.C_Some (2 : int32)); + [#"../option.rs" 36 21 36 28] _91 <- ([#"../option.rs" 36 21 36 28] Core_Option_Option_Type.C_Some ([#"../option.rs" 36 26 36 27] (2 : int32))); [#"../option.rs" 36 12 36 29] _89 <- ([#"../option.rs" 36 12 36 29] and0 some _91); _91 <- any Core_Option_Option_Type.t_option int32; goto BB58 @@ -666,7 +677,7 @@ module Option_TestOption goto BB59 } BB59 { - [#"../option.rs" 36 12 36 43] _87 <- ([#"../option.rs" 36 12 36 43] _88 = (2 : int32)); + [#"../option.rs" 36 12 36 43] _87 <- ([#"../option.rs" 36 12 36 43] _88 = ([#"../option.rs" 36 42 36 43] (2 : int32))); _88 <- any int32; switch (_87) | False -> goto BB61 
@@ -692,7 +703,7 @@ module Option_TestOption end } BB64 { - [#"../option.rs" 39 20 39 27] _105 <- ([#"../option.rs" 39 20 39 27] Core_Option_Option_Type.C_Some (2 : int32)); + [#"../option.rs" 39 20 39 27] _105 <- ([#"../option.rs" 39 20 39 27] Core_Option_Option_Type.C_Some ([#"../option.rs" 39 25 39 26] (2 : int32))); [#"../option.rs" 39 12 39 28] _103 <- ([#"../option.rs" 39 12 39 28] or0 none _105); _105 <- any Core_Option_Option_Type.t_option int32; goto BB66 @@ -707,7 +718,7 @@ module Option_TestOption goto BB67 } BB67 { - [#"../option.rs" 39 12 39 42] _101 <- ([#"../option.rs" 39 12 39 42] _102 = (2 : int32)); + [#"../option.rs" 39 12 39 42] _101 <- ([#"../option.rs" 39 12 39 42] _102 = ([#"../option.rs" 39 41 39 42] (2 : int32))); _102 <- any int32; switch (_101) | False -> goto BB69 @@ -728,7 +739,7 @@ module Option_TestOption goto BB71 } BB71 { - [#"../option.rs" 40 12 40 39] _108 <- ([#"../option.rs" 40 12 40 39] _109 = (1 : int32)); + [#"../option.rs" 40 12 40 39] _108 <- ([#"../option.rs" 40 12 40 39] _109 = ([#"../option.rs" 40 38 40 39] (1 : int32))); _109 <- any int32; switch (_108) | False -> goto BB73 @@ -736,7 +747,7 @@ module Option_TestOption end } BB72 { - [#"../option.rs" 41 20 41 27] _119 <- ([#"../option.rs" 41 20 41 27] Core_Option_Option_Type.C_Some (2 : int32)); + [#"../option.rs" 41 20 41 27] _119 <- ([#"../option.rs" 41 20 41 27] Core_Option_Option_Type.C_Some ([#"../option.rs" 41 25 41 26] (2 : int32))); [#"../option.rs" 41 12 41 28] _117 <- ([#"../option.rs" 41 12 41 28] or0 some _119); _119 <- any Core_Option_Option_Type.t_option int32; goto BB74 @@ -751,7 +762,7 @@ module Option_TestOption goto BB75 } BB75 { - [#"../option.rs" 41 12 41 42] _115 <- ([#"../option.rs" 41 12 41 42] _116 = (1 : int32)); + [#"../option.rs" 41 12 41 42] _115 <- ([#"../option.rs" 41 12 41 42] _116 = ([#"../option.rs" 41 41 41 42] (1 : int32))); _116 <- any int32; switch (_115) | False -> goto BB77 
@@ -810,7 +821,7 @@ module Option_TestOption goto BB86 } BB86 { - [#"../option.rs" 46 12 46 37] _132 <- ([#"../option.rs" 46 12 46 37] _133 = (1 : int32)); + [#"../option.rs" 46 12 46 37] _132 <- ([#"../option.rs" 46 12 46 37] _133 = ([#"../option.rs" 46 36 46 37] (1 : int32))); _133 <- any int32; switch (_132) | False -> goto BB88 @@ -832,12 +843,12 @@ module Option_TestOption end } BB90 { - [#"../option.rs" 48 11 48 18] _141 <- ([#"../option.rs" 48 11 48 18] Core_Option_Option_Type.C_Some (1 : int32)); + [#"../option.rs" 48 11 48 18] _141 <- ([#"../option.rs" 48 11 48 18] Core_Option_Option_Type.C_Some ([#"../option.rs" 48 16 48 17] (1 : int32))); [#"../option.rs" 48 4 48 18] some <- ([#"../option.rs" 48 4 48 18] _141); _141 <- any Core_Option_Option_Type.t_option int32; [#"../option.rs" 50 12 50 16] _146 <- Borrow.borrow_mut none; [#"../option.rs" 50 12 50 16] none <- ^ _146; - [#"../option.rs" 50 12 50 27] _145 <- ([#"../option.rs" 50 12 50 27] replace0 _146 (2 : int32)); + [#"../option.rs" 50 12 50 27] _145 <- ([#"../option.rs" 50 12 50 27] replace0 _146 ([#"../option.rs" 50 25 50 26] (2 : int32))); _146 <- any borrowed (Core_Option_Option_Type.t_option int32); goto BB92 } @@ -864,7 +875,7 @@ module Option_TestOption absurd } BB96 { - [#"../option.rs" 51 12 51 30] _149 <- ([#"../option.rs" 51 12 51 30] _150 = (2 : int32)); + [#"../option.rs" 51 12 51 30] _149 <- ([#"../option.rs" 51 12 51 30] _150 = ([#"../option.rs" 51 29 51 30] (2 : int32))); _150 <- any int32; switch (_149) | False -> goto BB98 
@@ -877,7 +888,7 @@ module Option_TestOption _153 <- any Core_Option_Option_Type.t_option int32; [#"../option.rs" 53 12 53 16] _158 <- Borrow.borrow_mut some; [#"../option.rs" 53 12 53 16] some <- ^ _158; - [#"../option.rs" 53 12 53 27] _157 <- ([#"../option.rs" 53 12 53 27] replace0 _158 (2 : int32)); + [#"../option.rs" 53 12 53 27] _157 <- ([#"../option.rs" 53 12 53 27] replace0 _158 ([#"../option.rs" 53 25 53 26] (2 : int32))); _158 <- any borrowed (Core_Option_Option_Type.t_option int32); goto BB99 } @@ -891,7 +902,7 @@ module Option_TestOption goto BB100 } BB100 { - [#"../option.rs" 53 12 53 41] _155 <- ([#"../option.rs" 53 12 53 41] _156 = (1 : int32)); + [#"../option.rs" 53 12 53 41] _155 <- ([#"../option.rs" 53 12 53 41] _156 = ([#"../option.rs" 53 40 53 41] (1 : int32))); _156 <- any int32; switch (_155) | False -> goto BB102 @@ -907,7 +918,7 @@ module Option_TestOption absurd } BB103 { - [#"../option.rs" 54 12 54 30] _161 <- ([#"../option.rs" 54 12 54 30] _162 = (2 : int32)); + [#"../option.rs" 54 12 54 30] _161 <- ([#"../option.rs" 54 12 54 30] _162 = ([#"../option.rs" 54 29 54 30] (2 : int32))); _162 <- any int32; switch (_161) | False -> goto BB105 @@ -917,7 +928,7 @@ module Option_TestOption BB104 { [#"../option.rs" 55 12 55 16] _169 <- Borrow.borrow_mut some; [#"../option.rs" 55 12 55 16] some <- ^ _169; - [#"../option.rs" 55 12 55 27] _168 <- ([#"../option.rs" 55 12 55 27] replace0 _169 (1 : int32)); + [#"../option.rs" 55 12 55 27] _168 <- ([#"../option.rs" 55 12 55 27] replace0 _169 ([#"../option.rs" 55 25 55 26] (1 : int32))); _169 <- any borrowed (Core_Option_Option_Type.t_option int32); goto BB106 } @@ -931,7 +942,7 @@ module Option_TestOption goto BB107 } BB107 { - [#"../option.rs" 55 12 55 41] _166 <- ([#"../option.rs" 55 12 55 41] _167 = (2 : int32)); + [#"../option.rs" 55 12 55 41] _166 <- ([#"../option.rs" 55 12 55 41] _167 = ([#"../option.rs" 55 40 55 41] (2 : int32))); _167 <- any int32; switch (_166) | False -> goto BB109 
@@ -947,7 +958,7 @@ module Option_TestOption absurd } BB110 { - [#"../option.rs" 56 12 56 30] _172 <- ([#"../option.rs" 56 12 56 30] _173 = (1 : int32)); + [#"../option.rs" 56 12 56 30] _172 <- ([#"../option.rs" 56 12 56 30] _173 = ([#"../option.rs" 56 29 56 30] (1 : int32))); _173 <- any int32; switch (_172) | False -> goto BB112 @@ -963,7 +974,7 @@ module Option_TestOption absurd } BB113 { - [#"../option.rs" 59 12 59 41] _177 <- ([#"../option.rs" 59 12 59 41] _178 = (0 : int32)); + [#"../option.rs" 59 12 59 41] _177 <- ([#"../option.rs" 59 12 59 41] _178 = ([#"../option.rs" 59 40 59 41] (0 : int32))); _178 <- any int32; switch (_177) | False -> goto BB115 @@ -979,7 +990,7 @@ module Option_TestOption absurd } BB116 { - [#"../option.rs" 60 12 60 41] _182 <- ([#"../option.rs" 60 12 60 41] _183 = (1 : int32)); + [#"../option.rs" 60 12 60 41] _182 <- ([#"../option.rs" 60 12 60 41] _183 = ([#"../option.rs" 60 40 60 41] (1 : int32))); _183 <- any int32; switch (_182) | False -> goto BB118 @@ -1028,7 +1039,7 @@ module Option_TestOption goto BB126 } BB126 { - [#"../option.rs" 64 12 64 48] _194 <- ([#"../option.rs" 64 12 64 48] _195 = (1 : int32)); + [#"../option.rs" 64 12 64 48] _194 <- ([#"../option.rs" 64 12 64 48] _195 = ([#"../option.rs" 64 47 64 48] (1 : int32))); _195 <- any int32; switch (_194) | False -> goto BB128 @@ -1083,7 +1094,7 @@ module Option_TestOption goto BB136 } BB136 { - [#"../option.rs" 66 12 66 48] _208 <- ([#"../option.rs" 66 12 66 48] _209 = (1 : int32)); + [#"../option.rs" 66 12 66 48] _208 <- ([#"../option.rs" 66 12 66 48] _209 = ([#"../option.rs" 66 47 66 48] (1 : int32))); _209 <- any int32; switch (_208) | False -> goto BB138 
@@ -1132,7 +1143,7 @@ module Option_TestOption goto BB146 } BB146 { - [#"../option.rs" 69 12 69 48] _222 <- ([#"../option.rs" 69 12 69 48] _223 = (1 : int32)); + [#"../option.rs" 69 12 69 48] _222 <- ([#"../option.rs" 69 12 69 48] _223 = ([#"../option.rs" 69 47 69 48] (1 : int32))); _223 <- any int32; switch (_222) | False -> goto BB148 @@ -1187,7 +1198,7 @@ module Option_TestOption goto BB156 } BB156 { - [#"../option.rs" 71 12 71 48] _236 <- ([#"../option.rs" 71 12 71 48] _237 = (1 : int32)); + [#"../option.rs" 71 12 71 48] _236 <- ([#"../option.rs" 71 12 71 48] _237 = ([#"../option.rs" 71 47 71 48] (1 : int32))); _237 <- any int32; switch (_236) | False -> goto BB158 @@ -1235,7 +1246,7 @@ module Option_TestOption end } BB165 { - [#"../option.rs" 78 40 78 47] _258 <- ([#"../option.rs" 78 40 78 47] Core_Option_Option_Type.C_Some (1 : int32)); + [#"../option.rs" 78 40 78 47] _258 <- ([#"../option.rs" 78 40 78 47] Core_Option_Option_Type.C_Some ([#"../option.rs" 78 45 78 46] (1 : int32))); [#"../option.rs" 78 35 78 48] opt2 <- ([#"../option.rs" 78 35 78 48] Core_Option_Option_Type.C_Some _258); _258 <- any Core_Option_Option_Type.t_option int32; [#"../option.rs" 79 12 79 25] _262 <- ([#"../option.rs" 79 12 79 25] flatten0 opt2); @@ -1251,7 +1262,7 @@ module Option_TestOption goto BB168 } BB168 { - [#"../option.rs" 79 12 79 39] _260 <- ([#"../option.rs" 79 12 79 39] _261 = (1 : int32)); + [#"../option.rs" 79 12 79 39] _260 <- ([#"../option.rs" 79 12 79 39] _261 = ([#"../option.rs" 79 38 79 39] (1 : int32))); _261 <- any int32; switch (_260) | False -> goto BB170 @@ -1259,7 +1270,7 @@ module Option_TestOption end } BB169 { - [#"../option.rs" 4 21 80 1] _0 <- ([#"../option.rs" 4 21 80 1] ()); + [#"../option.rs" 4 21 80 1] _0 <- ([#"../option.rs" 4 21 80 1] [#"../option.rs" 4 21 80 1] ()); return _0 } BB170 { diff --git a/creusot/tests/should_succeed/ord_trait.mlcfg b/creusot/tests/should_succeed/ord_trait.mlcfg index af0d60501e..832ad1edcb 100644 
--- a/creusot/tests/should_succeed/ord_trait.mlcfg +++ b/creusot/tests/should_succeed/ord_trait.mlcfg @@ -29,7 +29,9 @@ module OrdTrait_X requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -37,7 +39,10 @@ module OrdTrait_X requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -45,7 +50,10 @@ module OrdTrait_X requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -56,13 +64,19 @@ module OrdTrait_X requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -73,7 +87,9 @@ module OrdTrait_X requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -84,7 +100,9 @@ module OrdTrait_X requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -95,7 +113,9 @@ module OrdTrait_X requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -106,7 +126,9 @@ module OrdTrait_X requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant1 (self : t) val invariant1 (self : t) : bool ensures { result = invariant1 self } 
@@ -206,7 +228,9 @@ module OrdTrait_GtOrLe requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -214,7 +238,10 @@ module OrdTrait_GtOrLe requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -222,7 +249,10 @@ module OrdTrait_GtOrLe requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -233,13 +263,19 @@ module OrdTrait_GtOrLe requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -250,7 +286,9 @@ module OrdTrait_GtOrLe requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -261,7 +299,9 @@ module OrdTrait_GtOrLe requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -272,7 +312,9 @@ module OrdTrait_GtOrLe requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -283,7 +325,9 @@ module OrdTrait_GtOrLe requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant0 (self : t) val invariant0 (self : t) : bool ensures { result = invariant0 self } diff --git a/creusot/tests/should_succeed/projection_toggle.mlcfg b/creusot/tests/should_succeed/projection_toggle.mlcfg index 97b3ca30db..e7f1978e3a 100644 --- a/creusot/tests/should_succeed/projection_toggle.mlcfg +++ b/creusot/tests/should_succeed/projection_toggle.mlcfg 
@@ -136,8 +136,8 @@ module ProjectionToggle_F goto BB0 } BB0 { - [#"../projection_toggle.rs" 14 16 14 18] a <- ([#"../projection_toggle.rs" 14 16 14 18] (10 : int32)); - [#"../projection_toggle.rs" 15 16 15 17] b <- ([#"../projection_toggle.rs" 15 16 15 17] (5 : int32)); + [#"../projection_toggle.rs" 14 16 14 18] a <- ([#"../projection_toggle.rs" 14 16 14 18] [#"../projection_toggle.rs" 14 16 14 18] (10 : int32)); + [#"../projection_toggle.rs" 15 16 15 17] b <- ([#"../projection_toggle.rs" 15 16 15 17] [#"../projection_toggle.rs" 15 16 15 17] (5 : int32)); [#"../projection_toggle.rs" 17 30 17 36] _5 <- Borrow.borrow_mut a; [#"../projection_toggle.rs" 17 30 17 36] a <- ^ _5; [#"../projection_toggle.rs" 17 30 17 36] _4 <- Borrow.borrow_final ( * _5) (Borrow.get_id _5); @@ -146,7 +146,7 @@ module ProjectionToggle_F [#"../projection_toggle.rs" 17 38 17 44] b <- ^ _7; [#"../projection_toggle.rs" 17 38 17 44] _6 <- Borrow.borrow_final ( * _7) (Borrow.get_id _7); [#"../projection_toggle.rs" 17 38 17 44] _7 <- { _7 with current = ( ^ _6) ; }; - [#"../projection_toggle.rs" 17 12 17 45] x <- ([#"../projection_toggle.rs" 17 12 17 45] proj_toggle0 true _4 _6); + [#"../projection_toggle.rs" 17 12 17 45] x <- ([#"../projection_toggle.rs" 17 12 17 45] proj_toggle0 ([#"../projection_toggle.rs" 17 24 17 28] true) _4 _6); _4 <- any borrowed int32; _6 <- any borrowed int32; goto BB1 
@@ -154,16 +154,16 @@ module ProjectionToggle_F BB1 { assume { resolve0 _7 }; assume { resolve0 _5 }; - [#"../projection_toggle.rs" 19 4 19 11] x <- { x with current = ([#"../projection_toggle.rs" 19 4 19 11] * x + (5 : int32)) ; }; + [#"../projection_toggle.rs" 19 4 19 11] x <- { x with current = ([#"../projection_toggle.rs" 19 4 19 11] * x + ([#"../projection_toggle.rs" 19 10 19 11] (5 : int32))) ; }; assume { resolve0 x }; - [#"../projection_toggle.rs" 20 12 20 19] _9 <- ([#"../projection_toggle.rs" 20 12 20 19] a = (15 : int32)); + [#"../projection_toggle.rs" 20 12 20 19] _9 <- ([#"../projection_toggle.rs" 20 12 20 19] a = ([#"../projection_toggle.rs" 20 17 20 19] (15 : int32))); switch (_9) | False -> goto BB3 | True -> goto BB2 end } BB2 { - [#"../projection_toggle.rs" 13 11 21 1] _0 <- ([#"../projection_toggle.rs" 13 11 21 1] ()); + [#"../projection_toggle.rs" 13 11 21 1] _0 <- ([#"../projection_toggle.rs" 13 11 21 1] [#"../projection_toggle.rs" 13 11 21 1] ()); return _0 } BB3 { diff --git a/creusot/tests/should_succeed/projections.mlcfg b/creusot/tests/should_succeed/projections.mlcfg index 2c202a2f4b..1648dbf408 100644 --- a/creusot/tests/should_succeed/projections.mlcfg +++ b/creusot/tests/should_succeed/projections.mlcfg 
@@ -142,9 +142,9 @@ module Projections_WriteIntoSum BB4 { [#"../projections.rs" 18 13 18 14] y <- Borrow.borrow_final (Core_Option_Option_Type.some_0 ( * x)) (Borrow.inherit_id (Borrow.get_id x) 1); [#"../projections.rs" 18 13 18 14] x <- { x with current = (let Core_Option_Option_Type.C_Some x0 = * x in Core_Option_Option_Type.C_Some ( ^ y)) ; }; - [#"../projections.rs" 18 19 18 26] y <- { y with current = ([#"../projections.rs" 18 19 18 26] (10 : uint32)) ; }; + [#"../projections.rs" 18 19 18 26] y <- { y with current = ([#"../projections.rs" 18 19 18 26] [#"../projections.rs" 18 24 18 26] (10 : uint32)) ; }; assume { resolve0 y }; - [#"../projections.rs" 18 19 18 26] _0 <- ([#"../projections.rs" 18 19 18 26] ()); + [#"../projections.rs" 18 19 18 26] _0 <- ([#"../projections.rs" 18 19 18 26] [#"../projections.rs" 18 19 18 26] ()); assume { resolve1 x }; goto BB5 } @@ -167,14 +167,14 @@ module Projections_F goto BB0 } BB0 { - [#"../projections.rs" 24 10 24 18] _2 <- ([#"../projections.rs" 24 10 24 18] Core_Option_Option_Type.C_Some (10 : int32)); + [#"../projections.rs" 24 10 24 18] _2 <- ([#"../projections.rs" 24 10 24 18] Core_Option_Option_Type.C_Some ([#"../projections.rs" 24 15 24 17] (10 : int32))); switch (_2) | Core_Option_Option_Type.C_None -> goto BB1 | Core_Option_Option_Type.C_Some _ -> goto BB2 end } BB1 { - [#"../projections.rs" 26 16 26 21] _1 <- ([#"../projections.rs" 26 16 26 21] false); + [#"../projections.rs" 26 16 26 21] _1 <- ([#"../projections.rs" 26 16 26 21] [#"../projections.rs" 26 16 26 21] false); goto BB5 } BB2 { 
@@ -186,11 +186,11 @@ module Projections_F } BB4 { [#"../projections.rs" 25 13 25 14] x <- ([#"../projections.rs" 25 13 25 14] Core_Option_Option_Type.some_0 _2); - [#"../projections.rs" 25 19 25 25] _1 <- ([#"../projections.rs" 25 19 25 25] x = (0 : int32)); + [#"../projections.rs" 25 19 25 25] _1 <- ([#"../projections.rs" 25 19 25 25] x = ([#"../projections.rs" 25 24 25 25] (0 : int32))); goto BB5 } BB5 { - [#"../projections.rs" 23 11 28 1] _0 <- ([#"../projections.rs" 23 11 28 1] ()); + [#"../projections.rs" 23 11 28 1] _0 <- ([#"../projections.rs" 23 11 28 1] [#"../projections.rs" 23 11 28 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/prophecy.mlcfg b/creusot/tests/should_succeed/prophecy.mlcfg index a25acd9ae6..249210270e 100644 --- a/creusot/tests/should_succeed/prophecy.mlcfg +++ b/creusot/tests/should_succeed/prophecy.mlcfg @@ -17,12 +17,12 @@ module Prophecy_F goto BB0 } BB0 { - [#"../prophecy.rs" 4 16 4 17] x <- ([#"../prophecy.rs" 4 16 4 17] (0 : int32)); + [#"../prophecy.rs" 4 16 4 17] x <- ([#"../prophecy.rs" 4 16 4 17] [#"../prophecy.rs" 4 16 4 17] (0 : int32)); [#"../prophecy.rs" 5 12 5 18] y <- Borrow.borrow_mut x; [#"../prophecy.rs" 5 12 5 18] x <- ^ y; - [#"../prophecy.rs" 9 4 9 10] y <- { y with current = ([#"../prophecy.rs" 9 4 9 10] (5 : int32)) ; }; + [#"../prophecy.rs" 9 4 9 10] y <- { y with current = ([#"../prophecy.rs" 9 4 9 10] [#"../prophecy.rs" 9 9 9 10] (5 : int32)) ; }; assume { resolve0 y }; - [#"../prophecy.rs" 3 11 10 1] _0 <- ([#"../prophecy.rs" 3 11 10 1] ()); + [#"../prophecy.rs" 3 11 10 1] _0 <- ([#"../prophecy.rs" 3 11 10 1] [#"../prophecy.rs" 3 11 10 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/red_black_tree.mlcfg b/creusot/tests/should_succeed/red_black_tree.mlcfg index bc7f67acbf..0f7f07408d 100644 --- a/creusot/tests/should_succeed/red_black_tree.mlcfg +++ b/creusot/tests/should_succeed/red_black_tree.mlcfg 
@@ -166,9 +166,14 @@ module RedBlackTree_Impl0_ModelAccHasMapping_Impl constant k : deep_model_ty0 function model_acc_has_mapping [#"../red_black_tree.rs" 68 4 72 5] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () - goal vc_model_acc_has_mapping : ([#"../red_black_tree.rs" 71 8 71 9] inv2 k) -> ([#"../red_black_tree.rs" 70 8 70 12] inv1 accu) -> ([#"../red_black_tree.rs" 69 8 69 12] inv0 self) -> match self with + goal vc_model_acc_has_mapping : ([#"../red_black_tree.rs" 71 8 71 9] inv2 k) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv1 accu) + -> ([#"../red_black_tree.rs" 69 8 69 12] inv0 self) + -> match self with | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_None) -> [#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv3 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v) - | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some (RedBlackTree_Node_Type.C_Node left _ key val' right)) -> (([#"../red_black_tree.rs" 71 8 71 9] inv2 k) && ([#"../red_black_tree.rs" 70 8 70 12] inv1 accu) && ([#"../red_black_tree.rs" 69 8 69 12] inv0 left)) /\ (([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 left accu) k = Map.get accu k \/ (exists v : v . inv3 v /\ Map.get (model_acc0 left accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 left k v)) -> (let _ = model_acc_has_mapping left accu k in let accu1 = model_acc0 left accu in let accu2 = Map.set accu1 (deep_model0 key) (Core_Option_Option_Type.C_Some val') in (([#"../red_black_tree.rs" 71 8 71 9] inv2 k) && ([#"../red_black_tree.rs" 70 8 70 12] inv1 accu2) && ([#"../red_black_tree.rs" 69 8 69 12] inv0 right)) /\ (([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 right accu2) k = Map.get accu2 k \/ (exists v : v . 
inv3 v /\ Map.get (model_acc0 right accu2) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 right k v)) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv3 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v))))) + | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some (RedBlackTree_Node_Type.C_Node left _ key val' right)) -> (([#"../red_black_tree.rs" 71 8 71 9] inv2 k) && ([#"../red_black_tree.rs" 70 8 70 12] inv1 accu) && ([#"../red_black_tree.rs" 69 8 69 12] inv0 left)) /\ (([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 left accu) k = Map.get accu k \/ (exists v : v . inv3 v /\ Map.get (model_acc0 left accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 left k v)) + -> (let _ = model_acc_has_mapping left accu k in let accu1 = model_acc0 left accu in let accu2 = Map.set accu1 (deep_model0 key) (Core_Option_Option_Type.C_Some val') in (([#"../red_black_tree.rs" 71 8 71 9] inv2 k) && ([#"../red_black_tree.rs" 70 8 70 12] inv1 accu2) && ([#"../red_black_tree.rs" 69 8 69 12] inv0 right)) /\ (([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 right accu2) k = Map.get accu2 k \/ (exists v : v . inv3 v /\ Map.get (model_acc0 right accu2) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 right k v)) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv3 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v))))) end end module Core_Cmp_Ordering_Type 
@@ -197,7 +202,9 @@ module RedBlackTree_Impl0_HasMappingModelAcc_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -205,7 +212,10 @@ module RedBlackTree_Impl0_HasMappingModelAcc_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -213,7 +223,10 @@ module RedBlackTree_Impl0_HasMappingModelAcc_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -224,13 +237,19 @@ module RedBlackTree_Impl0_HasMappingModelAcc_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -241,7 +260,9 @@ module RedBlackTree_Impl0_HasMappingModelAcc_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -252,7 +273,9 @@ module RedBlackTree_Impl0_HasMappingModelAcc_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -263,7 +286,9 @@ module RedBlackTree_Impl0_HasMappingModelAcc_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -274,7 +299,9 @@ module RedBlackTree_Impl0_HasMappingModelAcc_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant3 (self : v) val invariant3 (self : v) : bool ensures { result = invariant3 self } 
@@ -350,9 +377,18 @@ module RedBlackTree_Impl0_HasMappingModelAcc_Impl requires {[#"../red_black_tree.rs" 71 8 71 9] inv2 k} ensures { result = model_acc_has_mapping0 self accu k } - axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv0 self) -> ([#"../red_black_tree.rs" 70 8 70 12] inv1 accu) -> ([#"../red_black_tree.rs" 71 8 71 9] inv2 k) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv3 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv0 self) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv1 accu) + -> ([#"../red_black_tree.rs" 71 8 71 9] inv2 k) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv3 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv3 v -> inv2 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv3 v -> inv2 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . 
inv3 v + -> inv2 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv3 v + -> inv2 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -369,9 +405,20 @@ module RedBlackTree_Impl0_HasMappingModelAcc_Impl constant k : deep_model_ty0 function has_mapping_model_acc [#"../red_black_tree.rs" 89 4 91 33] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () - goal vc_has_mapping_model_acc : ([#"../red_black_tree.rs" 89 81 89 82] inv2 k) -> ([#"../red_black_tree.rs" 89 35 89 39] inv1 accu) -> ([#"../red_black_tree.rs" 89 29 89 33] inv0 self) -> ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) -> match self with - | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_None) -> [#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv3 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v - | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some (RedBlackTree_Node_Type.C_Node left _ key val' right)) -> (([#"../red_black_tree.rs" 89 81 89 82] inv2 k) && ([#"../red_black_tree.rs" 89 35 89 39] inv1 accu) && ([#"../red_black_tree.rs" 89 29 89 33] inv0 left) && ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 left)) /\ (([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv3 v -> has_mapping0 left k v -> Map.get (model_acc0 left accu) k = Core_Option_Option_Type.C_Some v) -> (let _ = has_mapping_model_acc left accu k in let accu1 = model_acc0 left accu in let accu2 = Map.set accu1 (deep_model0 key) (Core_Option_Option_Type.C_Some val') in (([#"../red_black_tree.rs" 89 81 89 82] inv2 k) && ([#"../red_black_tree.rs" 89 35 89 39] inv1 accu2) && ([#"../red_black_tree.rs" 89 29 89 33] inv0 right) && ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 right)) /\ (([#"../red_black_tree.rs" 88 4 88 94] forall v : v . 
inv3 v -> has_mapping0 right k v -> Map.get (model_acc0 right accu2) k = Core_Option_Option_Type.C_Some v) -> (let _ = has_mapping_model_acc right accu2 k in (([#"../red_black_tree.rs" 71 8 71 9] inv2 k) && ([#"../red_black_tree.rs" 70 8 70 12] inv1 accu2) && ([#"../red_black_tree.rs" 69 8 69 12] inv0 right)) /\ (([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 right accu2) k = Map.get accu2 k \/ (exists v : v . inv3 v /\ Map.get (model_acc0 right accu2) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 right k v)) -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv3 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v)))))) + goal vc_has_mapping_model_acc : ([#"../red_black_tree.rs" 89 81 89 82] inv2 k) + -> ([#"../red_black_tree.rs" 89 35 89 39] inv1 accu) + -> ([#"../red_black_tree.rs" 89 29 89 33] inv0 self) + -> ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) + -> match self with + | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_None) -> [#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv3 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v + | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some (RedBlackTree_Node_Type.C_Node left _ key val' right)) -> (([#"../red_black_tree.rs" 89 81 89 82] inv2 k) && ([#"../red_black_tree.rs" 89 35 89 39] inv1 accu) && ([#"../red_black_tree.rs" 89 29 89 33] inv0 left) && ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 left)) /\ (([#"../red_black_tree.rs" 88 4 88 94] forall v : v . 
inv3 v + -> has_mapping0 left k v -> Map.get (model_acc0 left accu) k = Core_Option_Option_Type.C_Some v) + -> (let _ = has_mapping_model_acc left accu k in let accu1 = model_acc0 left accu in let accu2 = Map.set accu1 (deep_model0 key) (Core_Option_Option_Type.C_Some val') in (([#"../red_black_tree.rs" 89 81 89 82] inv2 k) && ([#"../red_black_tree.rs" 89 35 89 39] inv1 accu2) && ([#"../red_black_tree.rs" 89 29 89 33] inv0 right) && ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 right)) /\ (([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv3 v + -> has_mapping0 right k v -> Map.get (model_acc0 right accu2) k = Core_Option_Option_Type.C_Some v) + -> (let _ = has_mapping_model_acc right accu2 k in (([#"../red_black_tree.rs" 71 8 71 9] inv2 k) && ([#"../red_black_tree.rs" 70 8 70 12] inv1 accu2) && ([#"../red_black_tree.rs" 69 8 69 12] inv0 right)) /\ (([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 right accu2) k = Map.get accu2 k \/ (exists v : v . inv3 v /\ Map.get (model_acc0 right accu2) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 right k v)) + -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv3 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v)))))) end end module RedBlackTree_Impl0_HasMappingModel_Impl 
@@ -393,7 +440,9 @@ module RedBlackTree_Impl0_HasMappingModel_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -401,7 +450,10 @@ module RedBlackTree_Impl0_HasMappingModel_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -409,7 +461,10 @@ module RedBlackTree_Impl0_HasMappingModel_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -420,13 +475,19 @@ module RedBlackTree_Impl0_HasMappingModel_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -437,7 +498,9 @@ module RedBlackTree_Impl0_HasMappingModel_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -448,7 +511,9 @@ module RedBlackTree_Impl0_HasMappingModel_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -459,7 +524,9 @@ module RedBlackTree_Impl0_HasMappingModel_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -470,7 +537,9 @@ module RedBlackTree_Impl0_HasMappingModel_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use Core_Option_Option_Type as Core_Option_Option_Type use map.Map predicate invariant3 (self : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) 
@@ -546,9 +615,18 @@ module RedBlackTree_Impl0_HasMappingModel_Impl requires {[#"../red_black_tree.rs" 71 8 71 9] inv1 k} ensures { result = model_acc_has_mapping0 self accu k } - axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv0 self) -> ([#"../red_black_tree.rs" 70 8 70 12] inv3 accu) -> ([#"../red_black_tree.rs" 71 8 71 9] inv1 k) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv2 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv0 self) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv3 accu) + -> ([#"../red_black_tree.rs" 71 8 71 9] inv1 k) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv2 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv2 v -> inv1 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv2 v -> inv1 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . 
inv2 v + -> inv1 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv2 v + -> inv1 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } @@ -574,7 +652,12 @@ module RedBlackTree_Impl0_HasMappingModel_Impl requires {[#"../red_black_tree.rs" 89 81 89 82] inv1 k} ensures { result = has_mapping_model_acc0 self accu k } - axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 89 29 89 33] inv0 self) -> ([#"../red_black_tree.rs" 89 35 89 39] inv3 accu) -> ([#"../red_black_tree.rs" 89 81 89 82] inv1 k) -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv2 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) + axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 89 29 89 33] inv0 self) + -> ([#"../red_black_tree.rs" 89 35 89 39] inv3 accu) + -> ([#"../red_black_tree.rs" 89 81 89 82] inv1 k) + -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv2 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) use map.Const function shallow_model0 [#"../red_black_tree.rs" 172 4 172 50] (self : RedBlackTree_Tree_Type.t_tree k v) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) 
@@ -587,7 +670,15 @@ module RedBlackTree_Impl0_HasMappingModel_Impl constant k : deep_model_ty0 function has_mapping_model [#"../red_black_tree.rs" 110 4 112 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) : () - goal vc_has_mapping_model : ([#"../red_black_tree.rs" 110 31 110 32] inv1 k) -> ([#"../red_black_tree.rs" 110 25 110 29] inv0 self) -> ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) -> (([#"../red_black_tree.rs" 71 8 71 9] inv1 k) && ([#"../red_black_tree.rs" 70 8 70 12] inv3 (Const.const (Core_Option_Option_Type.C_None))) && ([#"../red_black_tree.rs" 69 8 69 12] inv0 self)) /\ (([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self (Const.const (Core_Option_Option_Type.C_None))) k = Map.get (Const.const (Core_Option_Option_Type.C_None)) k \/ (exists v : v . inv2 v /\ Map.get (model_acc0 self (Const.const (Core_Option_Option_Type.C_None))) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) -> (let _ = model_acc_has_mapping0 self (Const.const (Core_Option_Option_Type.C_None)) k in (([#"../red_black_tree.rs" 89 81 89 82] inv1 k) && ([#"../red_black_tree.rs" 89 35 89 39] inv3 (Const.const (Core_Option_Option_Type.C_None))) && ([#"../red_black_tree.rs" 89 29 89 33] inv0 self) && ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self)) /\ (([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv2 v -> has_mapping0 self k v -> Map.get (model_acc0 self (Const.const (Core_Option_Option_Type.C_None))) k = Core_Option_Option_Type.C_Some v) -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . 
inv2 v -> has_mapping0 self k v = (Map.get (shallow_model0 self) k = Core_Option_Option_Type.C_Some v))))) + goal vc_has_mapping_model : ([#"../red_black_tree.rs" 110 31 110 32] inv1 k) + -> ([#"../red_black_tree.rs" 110 25 110 29] inv0 self) + -> ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) + -> (([#"../red_black_tree.rs" 71 8 71 9] inv1 k) && ([#"../red_black_tree.rs" 70 8 70 12] inv3 (Const.const (Core_Option_Option_Type.C_None))) && ([#"../red_black_tree.rs" 69 8 69 12] inv0 self)) /\ (([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self (Const.const (Core_Option_Option_Type.C_None))) k = Map.get (Const.const (Core_Option_Option_Type.C_None)) k \/ (exists v : v . inv2 v /\ Map.get (model_acc0 self (Const.const (Core_Option_Option_Type.C_None))) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + -> (let _ = model_acc_has_mapping0 self (Const.const (Core_Option_Option_Type.C_None)) k in (([#"../red_black_tree.rs" 89 81 89 82] inv1 k) && ([#"../red_black_tree.rs" 89 35 89 39] inv3 (Const.const (Core_Option_Option_Type.C_None))) && ([#"../red_black_tree.rs" 89 29 89 33] inv0 self) && ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self)) /\ (([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv2 v + -> has_mapping0 self k v + -> Map.get (model_acc0 self (Const.const (Core_Option_Option_Type.C_None))) k = Core_Option_Option_Type.C_Some v) + -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv2 v + -> has_mapping0 self k v = (Map.get (shallow_model0 self) k = Core_Option_Option_Type.C_Some v))))) end module RedBlackTree_Impl0_HasMappingInj_Impl type k 
@@ -619,7 +710,9 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -627,7 +720,10 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -635,7 +731,10 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -646,13 +745,19 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -663,7 +768,9 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -674,7 +781,9 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -685,7 +794,9 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -696,7 +807,9 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant2 (self : v) val invariant2 (self : v) : bool ensures { result = invariant2 self } 
@@ -769,9 +882,18 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../red_black_tree.rs" 71 8 71 9] inv1 k} ensures { result = model_acc_has_mapping0 self accu k } - axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv0 self) -> ([#"../red_black_tree.rs" 70 8 70 12] inv3 accu) -> ([#"../red_black_tree.rs" 71 8 71 9] inv1 k) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv2 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv0 self) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv3 accu) + -> ([#"../red_black_tree.rs" 71 8 71 9] inv1 k) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv2 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv2 v -> inv1 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv2 v -> inv1 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . 
inv2 v + -> inv1 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv2 v + -> inv1 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } @@ -797,7 +919,12 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../red_black_tree.rs" 89 81 89 82] inv1 k} ensures { result = has_mapping_model_acc0 self accu k } - axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 89 29 89 33] inv0 self) -> ([#"../red_black_tree.rs" 89 35 89 39] inv3 accu) -> ([#"../red_black_tree.rs" 89 81 89 82] inv1 k) -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv2 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) + axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 89 29 89 33] inv0 self) + -> ([#"../red_black_tree.rs" 89 35 89 39] inv3 accu) + -> ([#"../red_black_tree.rs" 89 81 89 82] inv1 k) + -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv2 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) function has_mapping_model0 [#"../red_black_tree.rs" 110 4 112 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) : () = 
@@ -808,14 +935,27 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../red_black_tree.rs" 110 31 110 32] inv1 k} ensures { result = has_mapping_model0 self k } - axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 110 25 110 29] inv0 self) -> ([#"../red_black_tree.rs" 110 31 110 32] inv1 k) -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv2 v -> has_mapping0 self k v = (Map.get (shallow_model0 self) k = Core_Option_Option_Type.C_Some v)) + axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 110 25 110 29] inv0 self) + -> ([#"../red_black_tree.rs" 110 31 110 32] inv1 k) + -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv2 v + -> has_mapping0 self k v = (Map.get (shallow_model0 self) k = Core_Option_Option_Type.C_Some v)) constant self : RedBlackTree_Tree_Type.t_tree k v constant k : deep_model_ty0 constant v1 : v constant v2 : v function has_mapping_inj [#"../red_black_tree.rs" 125 4 127 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) (v1 : v) (v2 : v) : () - goal vc_has_mapping_inj : ([#"../red_black_tree.rs" 125 55 125 57] inv2 v2) -> ([#"../red_black_tree.rs" 125 48 125 50] inv2 v1) -> ([#"../red_black_tree.rs" 125 29 125 30] inv1 k) -> ([#"../red_black_tree.rs" 125 23 125 27] inv0 self) -> ([#"../red_black_tree.rs" 123 15 123 38] has_mapping0 self k v2) -> ([#"../red_black_tree.rs" 122 15 122 38] has_mapping0 self k v1) -> ([#"../red_black_tree.rs" 121 15 121 35] bst_invariant0 self) -> (([#"../red_black_tree.rs" 110 31 110 32] inv1 k) && ([#"../red_black_tree.rs" 110 25 110 29] inv0 self) && ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self)) /\ (([#"../red_black_tree.rs" 109 4 109 80] forall v : v . 
inv2 v -> has_mapping0 self k v = (Map.get (shallow_model0 self) k = Core_Option_Option_Type.C_Some v)) -> (let _ = has_mapping_model0 self k in match Map.get (shallow_model0 self) k with + goal vc_has_mapping_inj : ([#"../red_black_tree.rs" 125 55 125 57] inv2 v2) + -> ([#"../red_black_tree.rs" 125 48 125 50] inv2 v1) + -> ([#"../red_black_tree.rs" 125 29 125 30] inv1 k) + -> ([#"../red_black_tree.rs" 125 23 125 27] inv0 self) + -> ([#"../red_black_tree.rs" 123 15 123 38] has_mapping0 self k v2) + -> ([#"../red_black_tree.rs" 122 15 122 38] has_mapping0 self k v1) + -> ([#"../red_black_tree.rs" 121 15 121 35] bst_invariant0 self) + -> (([#"../red_black_tree.rs" 110 31 110 32] inv1 k) && ([#"../red_black_tree.rs" 110 25 110 29] inv0 self) && ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self)) /\ (([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv2 v + -> has_mapping0 self k v = (Map.get (shallow_model0 self) k = Core_Option_Option_Type.C_Some v)) + -> (let _ = has_mapping_model0 self k in match Map.get (shallow_model0 self) k with | Core_Option_Option_Type.C_None -> [#"../red_black_tree.rs" 124 14 124 22] v1 = v2 | Core_Option_Option_Type.C_Some _v -> [#"../red_black_tree.rs" 124 14 124 22] v1 = v2 end)) 
@@ -912,10 +1052,17 @@ module RedBlackTree_Impl1_HasMapping_Impl constant v : v predicate has_mapping [#"../red_black_tree.rs" 140 4 140 57] (self : RedBlackTree_Node_Type.t_node k v) (k : deep_model_ty0) (v : v) - goal vc_has_mapping : ([#"../red_black_tree.rs" 140 44 140 45] inv2 v) -> ([#"../red_black_tree.rs" 140 25 140 26] inv1 k) -> ([#"../red_black_tree.rs" 140 19 140 23] inv0 self) -> (if k = deep_model0 (RedBlackTree_Node_Type.node_key self) then - [#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv3 node -> self = node -> ((has_mapping0 (RedBlackTree_Node_Type.node_left self) k v \/ has_mapping0 (RedBlackTree_Node_Type.node_right self) k v) \/ v = RedBlackTree_Node_Type.node_val self) = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v + goal vc_has_mapping : ([#"../red_black_tree.rs" 140 44 140 45] inv2 v) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv1 k) + -> ([#"../red_black_tree.rs" 140 19 140 23] inv0 self) + -> (if k = deep_model0 (RedBlackTree_Node_Type.node_key self) then + [#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv3 node + -> self = node + -> ((has_mapping0 (RedBlackTree_Node_Type.node_left self) k v \/ has_mapping0 (RedBlackTree_Node_Type.node_right self) k v) \/ v = RedBlackTree_Node_Type.node_val self) = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v else - [#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv3 node -> self = node -> ((has_mapping0 (RedBlackTree_Node_Type.node_left self) k v \/ has_mapping0 (RedBlackTree_Node_Type.node_right self) k v) \/ false) = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v + [#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . 
inv3 node + -> self = node + -> ((has_mapping0 (RedBlackTree_Node_Type.node_left self) k v \/ has_mapping0 (RedBlackTree_Node_Type.node_right self) k v) \/ false) = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v ) end module RedBlackTree_Cp_Type @@ -944,11 +1091,14 @@ module RedBlackTree_Impl9_Height_Impl use prelude.Int constant self : RedBlackTree_Tree_Type.t_tree k v function height [#"../red_black_tree.rs" 296 4 296 26] (self : RedBlackTree_Tree_Type.t_tree k v) : int - goal vc_height : ([#"../red_black_tree.rs" 296 14 296 18] inv0 self) -> match self with + goal vc_height : ([#"../red_black_tree.rs" 296 14 296 18] inv0 self) + -> match self with | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_None) -> [#"../red_black_tree.rs" 295 14 295 25] 0 >= 0 | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some (RedBlackTree_Node_Type.C_Node left color _ _ _)) -> match color with - | RedBlackTree_Color_Type.C_Red -> ([#"../red_black_tree.rs" 296 14 296 18] inv0 left) /\ (([#"../red_black_tree.rs" 295 14 295 25] height left >= 0) -> ([#"../red_black_tree.rs" 295 14 295 25] height left >= 0)) - | RedBlackTree_Color_Type.C_Black -> ([#"../red_black_tree.rs" 296 14 296 18] inv0 left) /\ (([#"../red_black_tree.rs" 295 14 295 25] height left >= 0) -> ([#"../red_black_tree.rs" 295 14 295 25] height left + 1 >= 0)) + | RedBlackTree_Color_Type.C_Red -> ([#"../red_black_tree.rs" 296 14 296 18] inv0 left) /\ (([#"../red_black_tree.rs" 295 14 295 25] height left >= 0) + -> ([#"../red_black_tree.rs" 295 14 295 25] height left >= 0)) + | RedBlackTree_Color_Type.C_Black -> ([#"../red_black_tree.rs" 296 14 296 18] inv0 left) /\ (([#"../red_black_tree.rs" 295 14 295 25] height left >= 0) + -> ([#"../red_black_tree.rs" 295 14 295 25] height left + 1 >= 0)) end end end 
@@ -1000,12 +1150,20 @@ module RedBlackTree_Impl10_Height_Impl requires {[#"../red_black_tree.rs" 296 14 296 18] inv2 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv2 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv2 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) constant self : RedBlackTree_Node_Type.t_node k v function height [#"../red_black_tree.rs" 328 4 328 26] (self : RedBlackTree_Node_Type.t_node k v) : int - goal vc_height : ([#"../red_black_tree.rs" 328 14 328 18] inv0 self) -> match RedBlackTree_Node_Type.node_color self with - | RedBlackTree_Color_Type.C_Red -> ([#"../red_black_tree.rs" 296 14 296 18] inv2 (RedBlackTree_Node_Type.node_left self)) /\ (([#"../red_black_tree.rs" 295 14 295 25] height0 (RedBlackTree_Node_Type.node_left self) >= 0) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node -> self = node -> height0 (RedBlackTree_Node_Type.node_left self) = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)))) - | RedBlackTree_Color_Type.C_Black -> ([#"../red_black_tree.rs" 296 14 296 18] inv2 (RedBlackTree_Node_Type.node_left self)) /\ (([#"../red_black_tree.rs" 295 14 295 25] height0 (RedBlackTree_Node_Type.node_left self) >= 0) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . 
inv1 node -> self = node -> height0 (RedBlackTree_Node_Type.node_left self) + 1 = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)))) + goal vc_height : ([#"../red_black_tree.rs" 328 14 328 18] inv0 self) + -> match RedBlackTree_Node_Type.node_color self with + | RedBlackTree_Color_Type.C_Red -> ([#"../red_black_tree.rs" 296 14 296 18] inv2 (RedBlackTree_Node_Type.node_left self)) /\ (([#"../red_black_tree.rs" 295 14 295 25] height0 (RedBlackTree_Node_Type.node_left self) >= 0) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node + -> self = node + -> height0 (RedBlackTree_Node_Type.node_left self) = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)))) + | RedBlackTree_Color_Type.C_Black -> ([#"../red_black_tree.rs" 296 14 296 18] inv2 (RedBlackTree_Node_Type.node_left self)) /\ (([#"../red_black_tree.rs" 295 14 295 25] height0 (RedBlackTree_Node_Type.node_left self) >= 0) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node + -> self = node + -> height0 (RedBlackTree_Node_Type.node_left self) + 1 = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)))) end end module RedBlackTree_Impl13_IsRed @@ -1056,7 +1214,7 @@ module RedBlackTree_Impl13_IsRed end } BB1 { - [#"../red_black_tree.rs" 391 17 391 22] _0 <- ([#"../red_black_tree.rs" 391 17 391 22] false); + [#"../red_black_tree.rs" 391 17 391 22] _0 <- ([#"../red_black_tree.rs" 391 17 391 22] [#"../red_black_tree.rs" 391 17 391 22] false); goto BB5 } BB2 { @@ -1071,7 +1229,7 @@ module RedBlackTree_Impl13_IsRed goto BB4 } BB4 { - [#"../red_black_tree.rs" 390 49 390 53] _0 <- ([#"../red_black_tree.rs" 390 49 390 53] true); + [#"../red_black_tree.rs" 390 49 390 53] _0 <- ([#"../red_black_tree.rs" 390 49 390 53] [#"../red_black_tree.rs" 390 49 390 53] true); goto BB5 } BB5 { 
@@ -1129,7 +1287,9 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv11 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -1137,7 +1297,10 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv11 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -1145,7 +1308,10 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv11 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -1156,13 +1322,19 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv11 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv11 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv11 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv11 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -1173,7 +1345,9 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv11 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -1184,7 +1358,9 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv11 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -1195,7 +1371,9 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv11 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -1206,7 +1384,9 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv11 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use RedBlackTree_Node_Type as RedBlackTree_Node_Type predicate invariant8 (self : borrowed (RedBlackTree_Node_Type.t_node k v)) val invariant8 (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : bool @@ -1306,7 +1486,8 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../red_black_tree.rs" 296 14 296 18] inv3 self} ensures { result = height1 self } - axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv3 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) + axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv3 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) function height0 [#"../red_black_tree.rs" 328 4 328 26] (self : RedBlackTree_Node_Type.t_node k v) : int = [#"../red_black_tree.rs" 330 12 333 13] match RedBlackTree_Node_Type.node_color self with | RedBlackTree_Color_Type.C_Red -> height1 (RedBlackTree_Node_Type.node_left self) 
@@ -1316,7 +1497,9 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../red_black_tree.rs" 328 14 328 18] inv5 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv5 self) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) + axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv5 self) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node + -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) function deep_model0 (self : k) : deep_model_ty0 val deep_model0 (self : k) : deep_model_ty0 ensures { result = deep_model0 self } 
@@ -1341,11 +1524,17 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../red_black_tree.rs" 140 44 140 45] inv10 v} ensures { result = has_mapping1 self k v } - axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv5 self) -> ([#"../red_black_tree.rs" 140 25 140 26] inv11 k) -> ([#"../red_black_tree.rs" 140 44 140 45] inv10 v) -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node -> self = node -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) + axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv5 self) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv11 k) + -> ([#"../red_black_tree.rs" 140 44 140 45] inv10 v) + -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node + -> self = node + -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) predicate same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv10 v -> inv11 k -> has_mapping1 self k v = has_mapping1 o k v + [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv11 k -> has_mapping1 self k v = has_mapping1 o k v val same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = same_mappings0 self o } 
@@ -1378,7 +1567,13 @@ module RedBlackTree_Impl14_RotateRight ensures { result = height_invariant0 self } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv10 v -> inv11 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv10 v -> inv11 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv11 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv11 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } @@ -1612,7 +1807,7 @@ module RedBlackTree_Impl14_RotateRight goto BB11 } BB11 { - [#"../red_black_tree.rs" 412 31 448 5] _0 <- ([#"../red_black_tree.rs" 412 31 448 5] ()); + [#"../red_black_tree.rs" 412 31 448 5] _0 <- ([#"../red_black_tree.rs" 412 31 448 5] [#"../red_black_tree.rs" 412 31 448 5] ()); goto BB12 } BB12 { 
@@ -1665,7 +1860,9 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv11 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -1673,7 +1870,10 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv11 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -1681,7 +1881,10 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv11 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -1692,13 +1895,19 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv11 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv11 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv11 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv11 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -1709,7 +1918,9 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv11 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -1720,7 +1931,9 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv11 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -1731,7 +1944,9 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv11 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -1742,7 +1957,9 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv11 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use RedBlackTree_Node_Type as RedBlackTree_Node_Type predicate invariant8 (self : borrowed (RedBlackTree_Node_Type.t_node k v)) val invariant8 (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : bool @@ -1842,7 +2059,8 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../red_black_tree.rs" 296 14 296 18] inv3 self} ensures { result = height1 self } - axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv3 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) + axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv3 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) function height0 [#"../red_black_tree.rs" 328 4 328 26] (self : RedBlackTree_Node_Type.t_node k v) : int = [#"../red_black_tree.rs" 330 12 333 13] match RedBlackTree_Node_Type.node_color self with | RedBlackTree_Color_Type.C_Red -> height1 (RedBlackTree_Node_Type.node_left self) 
@@ -1852,7 +2070,9 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../red_black_tree.rs" 328 14 328 18] inv5 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv5 self) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) + axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv5 self) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node + -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) function deep_model0 (self : k) : deep_model_ty0 val deep_model0 (self : k) : deep_model_ty0 ensures { result = deep_model0 self } 
@@ -1877,11 +2097,17 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../red_black_tree.rs" 140 44 140 45] inv10 v} ensures { result = has_mapping1 self k v } - axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv5 self) -> ([#"../red_black_tree.rs" 140 25 140 26] inv11 k) -> ([#"../red_black_tree.rs" 140 44 140 45] inv10 v) -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node -> self = node -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) + axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv5 self) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv11 k) + -> ([#"../red_black_tree.rs" 140 44 140 45] inv10 v) + -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node + -> self = node + -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) predicate same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv10 v -> inv11 k -> has_mapping1 self k v = has_mapping1 o k v + [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv11 k -> has_mapping1 self k v = has_mapping1 o k v val same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = same_mappings0 self o } 
@@ -1914,7 +2140,13 @@ module RedBlackTree_Impl14_RotateLeft ensures { result = height_invariant0 self } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv10 v -> inv11 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv10 v -> inv11 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv11 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv11 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } @@ -2148,7 +2380,7 @@ module RedBlackTree_Impl14_RotateLeft goto BB11 } BB11 { - [#"../red_black_tree.rs" 462 30 470 5] _0 <- ([#"../red_black_tree.rs" 462 30 470 5] ()); + [#"../red_black_tree.rs" 462 30 470 5] _0 <- ([#"../red_black_tree.rs" 462 30 470 5] [#"../red_black_tree.rs" 462 30 470 5] ()); goto BB12 } BB12 { 
@@ -2175,7 +2407,9 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv9 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv9 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv9 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv9 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv9 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -2183,7 +2417,10 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv9 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv9 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv9 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv9 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv9 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -2191,7 +2428,10 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv9 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv9 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv9 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv9 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv9 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -2202,13 +2442,19 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv9 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv9 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv9 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv9 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv9 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv9 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv9 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv9 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv9 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv9 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -2219,7 +2465,9 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv9 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv9 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv9 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv9 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv9 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -2230,7 +2478,9 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv9 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv9 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv9 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv9 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv9 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -2241,7 +2491,9 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv9 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv9 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv9 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv9 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv9 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -2252,7 +2504,9 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv9 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv9 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv9 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv9 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv9 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use RedBlackTree_Tree_Type as RedBlackTree_Tree_Type predicate invariant10 (self : RedBlackTree_Tree_Type.t_tree k v) val invariant10 (self : RedBlackTree_Tree_Type.t_tree k v) : bool 
@@ -2379,11 +2633,17 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../red_black_tree.rs" 140 44 140 45] inv8 v} ensures { result = has_mapping0 self k v } - axiom has_mapping0_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv7 self) -> ([#"../red_black_tree.rs" 140 25 140 26] inv9 k) -> ([#"../red_black_tree.rs" 140 44 140 45] inv8 v) -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv3 node -> self = node -> has_mapping0 self k v = has_mapping1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) + axiom has_mapping0_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv7 self) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv9 k) + -> ([#"../red_black_tree.rs" 140 44 140 45] inv8 v) + -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv3 node + -> self = node + -> has_mapping0 self k v = has_mapping1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) predicate same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv8 v -> inv9 k -> has_mapping0 self k v = has_mapping0 o k v + [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv8 v + -> inv9 k -> has_mapping0 self k v = has_mapping0 o k v val same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = same_mappings0 self o } 
@@ -2400,7 +2660,8 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../red_black_tree.rs" 296 14 296 18] inv10 self} ensures { result = height1 self } - axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv10 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) + axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv10 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) function height0 [#"../red_black_tree.rs" 328 4 328 26] (self : RedBlackTree_Node_Type.t_node k v) : int = [#"../red_black_tree.rs" 330 12 333 13] match RedBlackTree_Node_Type.node_color self with | RedBlackTree_Color_Type.C_Red -> height1 (RedBlackTree_Node_Type.node_left self) @@ -2410,7 +2671,9 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../red_black_tree.rs" 328 14 328 18] inv7 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv7 self) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv3 node -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) + axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv7 self) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv3 node + -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) function color0 [#"../red_black_tree.rs" 256 4 256 27] (self : RedBlackTree_Tree_Type.t_tree k v) : RedBlackTree_Color_Type.t_color = 
@@ -2440,7 +2703,13 @@ module RedBlackTree_Impl14_FlipColors ensures { result = height_invariant0 self } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv8 v -> inv9 k -> has_mapping1 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv8 v -> inv9 k -> has_mapping1 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv8 v + -> inv9 k + -> has_mapping1 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv8 v + -> inv9 k + -> has_mapping1 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -2491,7 +2760,8 @@ module RedBlackTree_Impl14_FlipColors val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)) requires {inv4 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (RedBlackTree_Node_Type.t_node k v) . inv1 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv5 result } @@ -2575,7 +2845,7 @@ module RedBlackTree_Impl14_FlipColors assume { resolve1 _18 }; assert { [@expl:type invariant] inv2 self }; assume { resolve2 self }; - [#"../red_black_tree.rs" 486 30 489 5] _0 <- ([#"../red_black_tree.rs" 486 30 489 5] ()); + [#"../red_black_tree.rs" 486 30 489 5] _0 <- ([#"../red_black_tree.rs" 486 30 489 5] [#"../red_black_tree.rs" 486 30 489 5] ()); return _0 } 
@@ -2653,7 +2923,9 @@ module RedBlackTree_Impl14_Balance requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv8 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -2661,7 +2933,10 @@ module RedBlackTree_Impl14_Balance requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv8 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -2669,7 +2944,10 @@ module RedBlackTree_Impl14_Balance requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv8 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -2680,13 +2958,19 @@ module RedBlackTree_Impl14_Balance requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv8 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv8 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv8 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv8 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -2697,7 +2981,9 @@ module RedBlackTree_Impl14_Balance requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv8 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -2708,7 +2994,9 @@ module RedBlackTree_Impl14_Balance requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv8 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -2719,7 +3007,9 @@ module RedBlackTree_Impl14_Balance requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv8 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -2730,7 +3020,9 @@ module RedBlackTree_Impl14_Balance requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv8 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant3 (self : RedBlackTree_Tree_Type.t_tree k v) val invariant3 (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = invariant3 self } @@ -2838,7 +3130,8 @@ module RedBlackTree_Impl14_Balance requires {[#"../red_black_tree.rs" 296 14 296 18] inv9 self} ensures { result = height1 self } - axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv9 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) + axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv9 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) function height0 [#"../red_black_tree.rs" 328 4 328 26] (self : RedBlackTree_Node_Type.t_node k v) : int = [#"../red_black_tree.rs" 330 12 333 13] match RedBlackTree_Node_Type.node_color self with | RedBlackTree_Color_Type.C_Red -> height1 (RedBlackTree_Node_Type.node_left self) 
@@ -2848,7 +3141,9 @@ module RedBlackTree_Impl14_Balance requires {[#"../red_black_tree.rs" 328 14 328 18] inv0 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv0 self) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv4 node -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) + axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv0 self) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv4 node + -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) function deep_model0 (self : k) : deep_model_ty0 val deep_model0 (self : k) : deep_model_ty0 ensures { result = deep_model0 self } 
@@ -2873,11 +3168,17 @@ module RedBlackTree_Impl14_Balance requires {[#"../red_black_tree.rs" 140 44 140 45] inv7 v} ensures { result = has_mapping0 self k v } - axiom has_mapping0_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv0 self) -> ([#"../red_black_tree.rs" 140 25 140 26] inv8 k) -> ([#"../red_black_tree.rs" 140 44 140 45] inv7 v) -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv4 node -> self = node -> has_mapping0 self k v = has_mapping1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) + axiom has_mapping0_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv0 self) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv8 k) + -> ([#"../red_black_tree.rs" 140 44 140 45] inv7 v) + -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv4 node + -> self = node + -> has_mapping0 self k v = has_mapping1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) predicate same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv7 v -> inv8 k -> has_mapping0 self k v = has_mapping0 o k v + [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv7 v + -> inv8 k -> has_mapping0 self k v = has_mapping0 o k v val same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = same_mappings0 self o } 
@@ -2900,7 +3201,13 @@ module RedBlackTree_Impl14_Balance ensures { result = height_invariant0 self } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv7 v -> inv8 k -> has_mapping1 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv7 v -> inv8 k -> has_mapping1 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv7 v + -> inv8 k + -> has_mapping1 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv7 v + -> inv8 k + -> has_mapping1 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -2964,7 +3271,8 @@ module RedBlackTree_Impl14_Balance val as_ref0 (self : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)) : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v) requires {inv5 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 58 16 58 60] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 58 16 58 60] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 59 16 61 18] self = Core_Option_Option_Type.C_None \/ (exists r : RedBlackTree_Node_Type.t_node k v . inv1 r /\ result = Core_Option_Option_Type.C_Some r /\ self = Core_Option_Option_Type.C_Some r) } ensures { inv6 result } 
@@ -2986,18 +3294,26 @@ module RedBlackTree_Impl14_Balance let rec cfg balance [#"../red_black_tree.rs" 510 4 510 25] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : () requires {[#"../red_black_tree.rs" 491 15 491 43] internal_invariant0 ( * self)} - requires {[#"../red_black_tree.rs" 492 4 493 47] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red -> color_invariant0 (RedBlackTree_Node_Type.node_left ( * self))} - requires {[#"../red_black_tree.rs" 494 4 495 48] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red -> color_invariant0 (RedBlackTree_Node_Type.node_right ( * self))} - requires {[#"../red_black_tree.rs" 496 4 496 110] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red -> false} + requires {[#"../red_black_tree.rs" 492 4 493 47] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red + -> color_invariant0 (RedBlackTree_Node_Type.node_left ( * self))} + requires {[#"../red_black_tree.rs" 494 4 495 48] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red + -> color_invariant0 (RedBlackTree_Node_Type.node_right ( * self))} + requires {[#"../red_black_tree.rs" 496 4 496 110] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red /\ color0 
(RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red + -> false} requires {[#"../red_black_tree.rs" 510 20 510 24] inv2 self} ensures { [#"../red_black_tree.rs" 497 14 497 42] same_mappings0 ( * self) ( ^ self) } ensures { [#"../red_black_tree.rs" 498 14 498 42] internal_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 499 14 499 50] height0 ( * self) = height0 ( ^ self) } - ensures { [#"../red_black_tree.rs" 500 4 501 34] color_invariant0 (RedBlackTree_Node_Type.node_left ( * self)) /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Black -> * self = ^ self } - ensures { [#"../red_black_tree.rs" 502 4 503 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self) -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } - ensures { [#"../red_black_tree.rs" 504 4 505 63] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } - ensures { [#"../red_black_tree.rs" 506 4 507 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } - ensures { [#"../red_black_tree.rs" 508 4 509 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) 
(RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } + ensures { [#"../red_black_tree.rs" 500 4 501 34] color_invariant0 (RedBlackTree_Node_Type.node_left ( * self)) /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Black + -> * self = ^ self } + ensures { [#"../red_black_tree.rs" 502 4 503 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self) + -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } + ensures { [#"../red_black_tree.rs" 504 4 505 63] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } + ensures { [#"../red_black_tree.rs" 506 4 507 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } + ensures { [#"../red_black_tree.rs" 508 4 509 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (RedBlackTree_Cp_Type.C_CPL 
(RedBlackTree_Color_Type.C_Red)) ( ^ self) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); @@ -3053,14 +3369,14 @@ module RedBlackTree_Impl14_Balance goto BB6 } BB6 { - [#"../red_black_tree.rs" 511 54 513 9] _14 <- ([#"../red_black_tree.rs" 511 54 513 9] ()); + [#"../red_black_tree.rs" 511 54 513 9] _14 <- ([#"../red_black_tree.rs" 511 54 513 9] [#"../red_black_tree.rs" 511 54 513 9] ()); goto BB9 } BB7 { goto BB8 } BB8 { - [#"../red_black_tree.rs" 513 9 513 9] _14 <- ([#"../red_black_tree.rs" 513 9 513 9] ()); + [#"../red_black_tree.rs" 513 9 513 9] _14 <- ([#"../red_black_tree.rs" 513 9 513 9] [#"../red_black_tree.rs" 513 9 513 9] ()); goto BB9 } BB9 { @@ -3103,7 +3419,7 @@ module RedBlackTree_Impl14_Balance goto BB16 } BB16 { - [#"../red_black_tree.rs" 515 80 517 9] _21 <- ([#"../red_black_tree.rs" 515 80 517 9] ()); + [#"../red_black_tree.rs" 515 80 517 9] _21 <- ([#"../red_black_tree.rs" 515 80 517 9] [#"../red_black_tree.rs" 515 80 517 9] ()); goto BB20 } BB17 { @@ -3113,7 +3429,7 @@ module RedBlackTree_Impl14_Balance goto BB19 } BB19 { - [#"../red_black_tree.rs" 517 9 517 9] _21 <- ([#"../red_black_tree.rs" 517 9 517 9] ()); + [#"../red_black_tree.rs" 517 9 517 9] _21 <- ([#"../red_black_tree.rs" 517 9 517 9] [#"../red_black_tree.rs" 517 9 517 9] ()); goto BB20 } BB20 { @@ -3147,7 +3463,7 @@ module RedBlackTree_Impl14_Balance BB25 { assert { [@expl:type invariant] inv2 self }; assume { resolve1 self }; - [#"../red_black_tree.rs" 519 53 521 9] _0 <- ([#"../red_black_tree.rs" 519 53 521 9] ()); + [#"../red_black_tree.rs" 519 53 521 9] _0 <- ([#"../red_black_tree.rs" 519 53 521 9] [#"../red_black_tree.rs" 519 53 521 9] ()); goto BB29 } BB26 { @@ -3161,7 +3477,7 @@ module RedBlackTree_Impl14_Balance goto BB28 } BB28 { - [#"../red_black_tree.rs" 521 9 521 9] _0 <- ([#"../red_black_tree.rs" 521 9 521 9] ()); + [#"../red_black_tree.rs" 521 9 521 9] _0 <- ([#"../red_black_tree.rs" 521 9 521 9] [#"../red_black_tree.rs" 521 9 521 9] ()); goto BB29 } BB29 { 
@@ -3238,7 +3554,9 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv5 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -3246,7 +3564,10 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv5 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -3254,7 +3575,10 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv5 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -3265,13 +3589,19 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv5 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv5 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv5 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv5 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -3282,7 +3612,9 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv5 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -3293,7 +3625,9 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv5 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -3304,7 +3638,9 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv5 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -3315,7 +3651,9 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv5 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant5 (self : deep_model_ty0) val invariant5 (self : deep_model_ty0) : bool ensures { result = invariant5 self } 
@@ -3419,7 +3757,12 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../red_black_tree.rs" 140 44 140 45] inv4 v} ensures { result = has_mapping0 self k v } - axiom has_mapping0_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv0 self) -> ([#"../red_black_tree.rs" 140 25 140 26] inv5 k) -> ([#"../red_black_tree.rs" 140 44 140 45] inv4 v) -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node -> self = node -> has_mapping0 self k v = has_mapping1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) + axiom has_mapping0_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv0 self) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv5 k) + -> ([#"../red_black_tree.rs" 140 44 140 45] inv4 v) + -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node + -> self = node + -> has_mapping0 self k v = has_mapping1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) use prelude.Int function height1 [#"../red_black_tree.rs" 296 4 296 26] (self : RedBlackTree_Tree_Type.t_tree k v) : int = [#"../red_black_tree.rs" 298 12 306 13] match self with 
@@ -3433,7 +3776,8 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../red_black_tree.rs" 296 14 296 18] inv10 self} ensures { result = height1 self } - axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv10 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) + axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv10 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) function height0 [#"../red_black_tree.rs" 328 4 328 26] (self : RedBlackTree_Node_Type.t_node k v) : int = [#"../red_black_tree.rs" 330 12 333 13] match RedBlackTree_Node_Type.node_color self with | RedBlackTree_Color_Type.C_Red -> height1 (RedBlackTree_Node_Type.node_left self) @@ -3443,7 +3787,9 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../red_black_tree.rs" 328 14 328 18] inv0 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv0 self) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) + axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv0 self) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node + -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) use RedBlackTree_Cp_Type as RedBlackTree_Cp_Type predicate match_t0 [#"../red_black_tree.rs" 232 4 232 52] (self : RedBlackTree_Cp_Type.t_cp) (tree : RedBlackTree_Tree_Type.t_tree k v) 
@@ -3491,7 +3837,13 @@ module RedBlackTree_Impl14_MoveRedLeft ensures { result = height_invariant0 self } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping1 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping1 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k + -> has_mapping1 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k + -> has_mapping1 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } @@ -3521,7 +3873,8 @@ module RedBlackTree_Impl14_MoveRedLeft predicate same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping0 self k v = has_mapping0 o k v + [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k -> has_mapping0 self k v = has_mapping0 o k v val same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = same_mappings0 self o } 
@@ -3566,7 +3919,8 @@ module RedBlackTree_Impl14_MoveRedLeft val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)) requires {inv7 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (RedBlackTree_Node_Type.t_node k v) . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv8 result } 
@@ -3589,14 +3943,24 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../red_black_tree.rs" 526 15 526 86] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self)} requires {[#"../red_black_tree.rs" 542 26 542 30] inv3 self} ensures { [#"../red_black_tree.rs" 527 14 527 44] internal_invariant0 ( * result) } - ensures { [#"../red_black_tree.rs" 528 4 530 48] internal_invariant0 ( ^ result) /\ height0 ( * result) = height0 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping0 ( ^ result) k v -> has_mapping0 ( * result) k v) -> internal_invariant0 ( ^ self) } - ensures { [#"../red_black_tree.rs" 531 4 531 97] height0 ( * result) = height0 ( ^ result) -> height0 ( * self) = height0 ( ^ self) } + ensures { [#"../red_black_tree.rs" 528 4 530 48] internal_invariant0 ( ^ result) /\ height0 ( * result) = height0 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k -> has_mapping0 ( ^ result) k v -> has_mapping0 ( * result) k v) -> internal_invariant0 ( ^ self) } + ensures { [#"../red_black_tree.rs" 531 4 531 97] height0 ( * result) = height0 ( ^ result) + -> height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 532 14 532 42] RedBlackTree_Node_Type.node_key ( * self) = RedBlackTree_Node_Type.node_key ( * result) } - ensures { [#"../red_black_tree.rs" 533 4 533 105] forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping0 ( * result) k v -> has_mapping0 ( * self) k v } - ensures { [#"../red_black_tree.rs" 534 4 535 47] forall v : v . forall k : deep_model_ty0 . 
inv4 v -> inv5 k -> has_mapping0 ( * self) k v /\ le_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) -> has_mapping0 ( * result) k v } - ensures { [#"../red_black_tree.rs" 536 4 537 108] forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping0 ( ^ self) k v = (has_mapping0 ( ^ result) k v \/ has_mapping0 ( * self) k v /\ not has_mapping0 ( * result) k v) } + ensures { [#"../red_black_tree.rs" 533 4 533 105] forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k -> has_mapping0 ( * result) k v -> has_mapping0 ( * self) k v } + ensures { [#"../red_black_tree.rs" 534 4 535 47] forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k + -> has_mapping0 ( * self) k v /\ le_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) + -> has_mapping0 ( * result) k v } + ensures { [#"../red_black_tree.rs" 536 4 537 108] forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k + -> has_mapping0 ( ^ self) k v = (has_mapping0 ( ^ result) k v \/ has_mapping0 ( * self) k v /\ not has_mapping0 ( * result) k v) } ensures { [#"../red_black_tree.rs" 538 14 539 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * result) \/ match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * result) } - ensures { [#"../red_black_tree.rs" 540 4 541 45] color_invariant0 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_right ( * result)) = RedBlackTree_Color_Type.C_Black -> RedBlackTree_Node_Type.node_color ( ^ result) = RedBlackTree_Color_Type.C_Black) -> color_invariant0 ( ^ self) } + ensures { [#"../red_black_tree.rs" 540 4 541 45] color_invariant0 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_right ( * result)) = RedBlackTree_Color_Type.C_Black + -> RedBlackTree_Node_Type.node_color ( 
^ result) = RedBlackTree_Color_Type.C_Black) + -> color_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 542 35 542 44] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] @@ -3802,7 +4166,9 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv5 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -3810,7 +4176,10 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv5 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -3818,7 +4187,10 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv5 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -3829,13 +4201,19 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv5 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv5 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv5 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv5 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -3846,7 +4224,9 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv5 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -3857,7 +4237,9 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv5 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -3868,7 +4250,9 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv5 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -3879,7 +4263,9 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv5 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant5 (self : deep_model_ty0) val invariant5 (self : deep_model_ty0) : bool ensures { result = invariant5 self } 
@@ -3983,7 +4369,12 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../red_black_tree.rs" 140 44 140 45] inv4 v} ensures { result = has_mapping0 self k v } - axiom has_mapping0_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv0 self) -> ([#"../red_black_tree.rs" 140 25 140 26] inv5 k) -> ([#"../red_black_tree.rs" 140 44 140 45] inv4 v) -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node -> self = node -> has_mapping0 self k v = has_mapping1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) + axiom has_mapping0_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv0 self) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv5 k) + -> ([#"../red_black_tree.rs" 140 44 140 45] inv4 v) + -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node + -> self = node + -> has_mapping0 self k v = has_mapping1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) use prelude.Int function height1 [#"../red_black_tree.rs" 296 4 296 26] (self : RedBlackTree_Tree_Type.t_tree k v) : int = [#"../red_black_tree.rs" 298 12 306 13] match self with 
@@ -3997,7 +4388,8 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../red_black_tree.rs" 296 14 296 18] inv10 self} ensures { result = height1 self } - axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv10 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) + axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv10 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) function height0 [#"../red_black_tree.rs" 328 4 328 26] (self : RedBlackTree_Node_Type.t_node k v) : int = [#"../red_black_tree.rs" 330 12 333 13] match RedBlackTree_Node_Type.node_color self with | RedBlackTree_Color_Type.C_Red -> height1 (RedBlackTree_Node_Type.node_left self) @@ -4007,7 +4399,9 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../red_black_tree.rs" 328 14 328 18] inv0 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv0 self) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) + axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv0 self) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node + -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) use RedBlackTree_Cp_Type as RedBlackTree_Cp_Type predicate match_t0 [#"../red_black_tree.rs" 232 4 232 52] (self : RedBlackTree_Cp_Type.t_cp) (tree : RedBlackTree_Tree_Type.t_tree k v) 
@@ -4055,7 +4449,13 @@ module RedBlackTree_Impl14_MoveRedRight ensures { result = height_invariant0 self } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping1 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping1 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k + -> has_mapping1 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k + -> has_mapping1 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } @@ -4085,7 +4485,8 @@ module RedBlackTree_Impl14_MoveRedRight predicate same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping0 self k v = has_mapping0 o k v + [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k -> has_mapping0 self k v = has_mapping0 o k v val same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = same_mappings0 self o } 
@@ -4118,7 +4519,8 @@ module RedBlackTree_Impl14_MoveRedRight val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)) requires {inv7 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (RedBlackTree_Node_Type.t_node k v) . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv8 result } 
@@ -4141,14 +4543,24 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../red_black_tree.rs" 555 15 555 86] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)))) ( * self)} requires {[#"../red_black_tree.rs" 571 27 571 31] inv3 self} ensures { [#"../red_black_tree.rs" 556 14 556 44] internal_invariant0 ( * result) } - ensures { [#"../red_black_tree.rs" 557 4 559 48] internal_invariant0 ( ^ result) /\ height0 ( * result) = height0 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping0 ( ^ result) k v -> has_mapping0 ( * result) k v) -> internal_invariant0 ( ^ self) } - ensures { [#"../red_black_tree.rs" 560 4 560 97] height0 ( * result) = height0 ( ^ result) -> height0 ( * self) = height0 ( ^ self) } + ensures { [#"../red_black_tree.rs" 557 4 559 48] internal_invariant0 ( ^ result) /\ height0 ( * result) = height0 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k -> has_mapping0 ( ^ result) k v -> has_mapping0 ( * result) k v) -> internal_invariant0 ( ^ self) } + ensures { [#"../red_black_tree.rs" 560 4 560 97] height0 ( * result) = height0 ( ^ result) + -> height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 561 14 561 42] RedBlackTree_Node_Type.node_key ( * result) = RedBlackTree_Node_Type.node_key ( * self) } - ensures { [#"../red_black_tree.rs" 562 4 562 105] forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping0 ( * result) k v -> has_mapping0 ( * self) k v } - ensures { [#"../red_black_tree.rs" 563 4 564 47] forall v : v . forall k : deep_model_ty0 . 
inv4 v -> inv5 k -> has_mapping0 ( * self) k v /\ le_log0 (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) k -> has_mapping0 ( * result) k v } - ensures { [#"../red_black_tree.rs" 565 4 566 108] forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping0 ( ^ self) k v = (has_mapping0 ( ^ result) k v \/ has_mapping0 ( * self) k v /\ not has_mapping0 ( * result) k v) } + ensures { [#"../red_black_tree.rs" 562 4 562 105] forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k -> has_mapping0 ( * result) k v -> has_mapping0 ( * self) k v } + ensures { [#"../red_black_tree.rs" 563 4 564 47] forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k + -> has_mapping0 ( * self) k v /\ le_log0 (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) k + -> has_mapping0 ( * result) k v } + ensures { [#"../red_black_tree.rs" 565 4 566 108] forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k + -> has_mapping0 ( ^ self) k v = (has_mapping0 ( ^ result) k v \/ has_mapping0 ( * self) k v /\ not has_mapping0 ( * result) k v) } ensures { [#"../red_black_tree.rs" 567 14 568 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * result) \/ match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * result) } - ensures { [#"../red_black_tree.rs" 569 4 570 45] color_invariant0 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_left ( * result)) = RedBlackTree_Color_Type.C_Black -> RedBlackTree_Node_Type.node_color ( ^ result) = RedBlackTree_Color_Type.C_Black) -> color_invariant0 ( ^ self) } + ensures { [#"../red_black_tree.rs" 569 4 570 45] color_invariant0 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_left ( * result)) = RedBlackTree_Color_Type.C_Black + -> RedBlackTree_Node_Type.node_color ( ^ 
result) = RedBlackTree_Color_Type.C_Black) + -> color_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 571 36 571 45] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] @@ -4276,7 +4688,9 @@ module RedBlackTree_Impl15_New requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -4284,7 +4698,10 @@ module RedBlackTree_Impl15_New requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -4292,7 +4709,10 @@ module RedBlackTree_Impl15_New requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -4303,13 +4723,19 @@ module RedBlackTree_Impl15_New requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -4320,7 +4746,9 @@ module RedBlackTree_Impl15_New requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -4331,7 +4759,9 @@ module RedBlackTree_Impl15_New requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -4342,7 +4772,9 @@ module RedBlackTree_Impl15_New requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -4353,7 +4785,9 @@ module RedBlackTree_Impl15_New requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant3 (self : deep_model_ty0) val invariant3 (self : deep_model_ty0) : bool ensures { result = invariant3 self } @@ -4417,7 +4851,8 @@ module RedBlackTree_Impl15_New requires {[#"../red_black_tree.rs" 296 14 296 18] inv0 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv0 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv0 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) predicate height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) = [#"../red_black_tree.rs" 339 20 339 61] height0 (RedBlackTree_Node_Type.node_left self) = height0 (RedBlackTree_Node_Type.node_right self) val height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) : bool 
@@ -4446,7 +4881,13 @@ module RedBlackTree_Impl15_New ensures { result = has_mapping0 self k v } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv1 v -> inv2 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv1 v -> inv2 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv1 v + -> inv2 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv1 v + -> inv2 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -4540,7 +4981,9 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -4548,7 +4991,10 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -4556,7 +5002,10 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -4567,13 +5016,19 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -4584,7 +5039,9 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -4595,7 +5052,9 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -4606,7 +5065,9 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -4617,7 +5078,9 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant10 (self : deep_model_ty0) val invariant10 (self : deep_model_ty0) : bool ensures { result = invariant10 self } @@ -4785,7 +5248,8 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../red_black_tree.rs" 296 14 296 18] inv3 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv3 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv3 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) predicate height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) = [#"../red_black_tree.rs" 339 20 339 61] height0 (RedBlackTree_Node_Type.node_left self) = height0 (RedBlackTree_Node_Type.node_right self) val height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) : bool 
@@ -4800,7 +5264,13 @@ module RedBlackTree_Impl15_InsertRec ensures { result = height_invariant0 self } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv5 v -> inv10 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv5 v -> inv10 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv5 v + -> inv10 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv5 v + -> inv10 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -4845,7 +5315,9 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../red_black_tree.rs" 328 14 328 18] inv9 self} ensures { result = height1 self } - axiom height1_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv9 self) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node -> self = node -> height1 self = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) + axiom height1_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv9 self) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node + -> self = node -> height1 self = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) predicate has_mapping1 [#"../red_black_tree.rs" 140 4 140 57] (self : RedBlackTree_Node_Type.t_node k v) (k : deep_model_ty0) (v : v) = 
@@ -4856,11 +5328,17 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../red_black_tree.rs" 140 44 140 45] inv5 v} ensures { result = has_mapping1 self k v } - axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv9 self) -> ([#"../red_black_tree.rs" 140 25 140 26] inv10 k) -> ([#"../red_black_tree.rs" 140 44 140 45] inv5 v) -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node -> self = node -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) + axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv9 self) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv10 k) + -> ([#"../red_black_tree.rs" 140 44 140 45] inv5 v) + -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node + -> self = node + -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) predicate same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv5 v -> inv10 k -> has_mapping1 self k v = has_mapping1 o k v + [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv5 v + -> inv10 k -> has_mapping1 self k v = has_mapping1 o k v val same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = same_mappings0 self o } 
@@ -4881,18 +5359,26 @@ module RedBlackTree_Impl15_InsertRec val balance0 [#"../red_black_tree.rs" 510 4 510 25] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : () requires {[#"../red_black_tree.rs" 491 15 491 43] internal_invariant1 ( * self)} - requires {[#"../red_black_tree.rs" 492 4 493 47] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red -> color_invariant0 (RedBlackTree_Node_Type.node_left ( * self))} - requires {[#"../red_black_tree.rs" 494 4 495 48] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red -> color_invariant0 (RedBlackTree_Node_Type.node_right ( * self))} - requires {[#"../red_black_tree.rs" 496 4 496 110] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red -> false} + requires {[#"../red_black_tree.rs" 492 4 493 47] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red + -> color_invariant0 (RedBlackTree_Node_Type.node_left ( * self))} + requires {[#"../red_black_tree.rs" 494 4 495 48] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red + -> color_invariant0 (RedBlackTree_Node_Type.node_right ( * self))} + requires {[#"../red_black_tree.rs" 496 4 496 110] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red + 
-> false} requires {[#"../red_black_tree.rs" 510 20 510 24] inv11 self} ensures { [#"../red_black_tree.rs" 497 14 497 42] same_mappings0 ( * self) ( ^ self) } ensures { [#"../red_black_tree.rs" 498 14 498 42] internal_invariant1 ( ^ self) } ensures { [#"../red_black_tree.rs" 499 14 499 50] height1 ( * self) = height1 ( ^ self) } - ensures { [#"../red_black_tree.rs" 500 4 501 34] color_invariant0 (RedBlackTree_Node_Type.node_left ( * self)) /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Black -> * self = ^ self } - ensures { [#"../red_black_tree.rs" 502 4 503 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self) -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } - ensures { [#"../red_black_tree.rs" 504 4 505 63] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } - ensures { [#"../red_black_tree.rs" 506 4 507 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } - ensures { [#"../red_black_tree.rs" 508 4 509 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) 
(RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } + ensures { [#"../red_black_tree.rs" 500 4 501 34] color_invariant0 (RedBlackTree_Node_Type.node_left ( * self)) /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Black + -> * self = ^ self } + ensures { [#"../red_black_tree.rs" 502 4 503 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self) + -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } + ensures { [#"../red_black_tree.rs" 504 4 505 63] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } + ensures { [#"../red_black_tree.rs" 506 4 507 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } + ensures { [#"../red_black_tree.rs" 508 4 509 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } predicate resolve5 (self 
: borrowed (RedBlackTree_Tree_Type.t_tree k v)) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self @@ -4936,7 +5422,8 @@ module RedBlackTree_Impl15_InsertRec ensures { [#"../red_black_tree.rs" 595 14 595 50] height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 596 14 597 39] match_t0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) /\ color0 ( * self) = RedBlackTree_Color_Type.C_Red \/ color_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 598 14 598 56] has_mapping0 ( ^ self) (deep_model0 key) val' } - ensures { [#"../red_black_tree.rs" 599 4 599 127] forall v : v . forall k : deep_model_ty0 . inv5 v -> inv10 k -> k = deep_model0 key \/ has_mapping0 ( * self) k v = has_mapping0 ( ^ self) k v } + ensures { [#"../red_black_tree.rs" 599 4 599 127] forall v : v . forall k : deep_model_ty0 . inv5 v + -> inv10 k -> k = deep_model0 key \/ has_mapping0 ( * self) k v = has_mapping0 ( ^ self) k v } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); @@ -5059,7 +5546,7 @@ module RedBlackTree_Impl15_InsertRec assume { resolve4 _11 }; assert { [@expl:type invariant] inv8 self }; assume { resolve5 self }; - [#"../red_black_tree.rs" 606 20 606 26] _0 <- ([#"../red_black_tree.rs" 606 20 606 26] ()); + [#"../red_black_tree.rs" 606 20 606 26] _0 <- ([#"../red_black_tree.rs" 606 20 606 26] [#"../red_black_tree.rs" 606 20 606 26] ()); goto BB32 } BB16 { @@ -5080,7 +5567,7 @@ module RedBlackTree_Impl15_InsertRec assume { resolve4 _11 }; assert { [@expl:type invariant] inv8 self }; assume { resolve5 self }; - [#"../red_black_tree.rs" 601 43 611 9] _0 <- ([#"../red_black_tree.rs" 601 43 611 9] ()); + [#"../red_black_tree.rs" 601 43 611 9] _0 <- ([#"../red_black_tree.rs" 601 43 611 9] [#"../red_black_tree.rs" 601 43 611 9] ()); goto BB31 } BB19 { 
@@ -5137,7 +5624,7 @@ module RedBlackTree_Impl15_InsertRec goto BB30 } BB30 { - [#"../red_black_tree.rs" 619 12 619 18] _0 <- ([#"../red_black_tree.rs" 619 12 619 18] ()); + [#"../red_black_tree.rs" 619 12 619 18] _0 <- ([#"../red_black_tree.rs" 619 12 619 18] [#"../red_black_tree.rs" 619 12 619 18] ()); goto BB32 } BB31 { @@ -5173,7 +5660,9 @@ module RedBlackTree_Impl15_Insert requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv6 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -5181,7 +5670,10 @@ module RedBlackTree_Impl15_Insert requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv6 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -5189,7 +5681,10 @@ module RedBlackTree_Impl15_Insert requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv6 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -5200,13 +5695,19 @@ module RedBlackTree_Impl15_Insert requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv6 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv6 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv6 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv6 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -5217,7 +5718,9 @@ module RedBlackTree_Impl15_Insert requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv6 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -5228,7 +5731,9 @@ module RedBlackTree_Impl15_Insert requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv6 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -5239,7 +5744,9 @@ module RedBlackTree_Impl15_Insert requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv6 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -5250,7 +5757,9 @@ module RedBlackTree_Impl15_Insert requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv6 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use Core_Option_Option_Type as Core_Option_Option_Type use map.Map predicate invariant11 (self : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) @@ -5419,7 +5928,8 @@ module RedBlackTree_Impl15_Insert requires {[#"../red_black_tree.rs" 296 14 296 18] inv0 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv0 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv0 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) predicate height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) = [#"../red_black_tree.rs" 339 20 339 61] height0 (RedBlackTree_Node_Type.node_left self) = height0 (RedBlackTree_Node_Type.node_right self) val height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) : bool 
@@ -5444,7 +5954,13 @@ module RedBlackTree_Impl15_Insert ensures { result = has_mapping0 self k v } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv5 v -> inv6 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv5 v -> inv6 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv5 v + -> inv6 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv5 v + -> inv6 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -5486,7 +6002,10 @@ module RedBlackTree_Impl15_Insert requires {[#"../red_black_tree.rs" 71 8 71 9] inv6 k} ensures { result = model_acc_has_mapping0 self accu k } - axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv0 self) -> ([#"../red_black_tree.rs" 70 8 70 12] inv10 accu) -> ([#"../red_black_tree.rs" 71 8 71 9] inv6 k) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv5 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv0 self) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv10 accu) + -> ([#"../red_black_tree.rs" 71 8 71 9] inv6 k) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv5 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) function has_mapping_model_acc0 [#"../red_black_tree.rs" 89 4 91 33] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = 
@@ -5501,7 +6020,12 @@ module RedBlackTree_Impl15_Insert requires {[#"../red_black_tree.rs" 89 81 89 82] inv6 k} ensures { result = has_mapping_model_acc0 self accu k } - axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 89 29 89 33] inv0 self) -> ([#"../red_black_tree.rs" 89 35 89 39] inv10 accu) -> ([#"../red_black_tree.rs" 89 81 89 82] inv6 k) -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv5 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) + axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 89 29 89 33] inv0 self) + -> ([#"../red_black_tree.rs" 89 35 89 39] inv10 accu) + -> ([#"../red_black_tree.rs" 89 81 89 82] inv6 k) + -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv5 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) function has_mapping_model0 [#"../red_black_tree.rs" 110 4 112 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) : () = 
@@ -5512,7 +6036,11 @@ module RedBlackTree_Impl15_Insert requires {[#"../red_black_tree.rs" 110 31 110 32] inv6 k} ensures { result = has_mapping_model0 self k } - axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 110 25 110 29] inv0 self) -> ([#"../red_black_tree.rs" 110 31 110 32] inv6 k) -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv5 v -> has_mapping0 self k v = (Map.get (shallow_model0 self) k = Core_Option_Option_Type.C_Some v)) + axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 110 25 110 29] inv0 self) + -> ([#"../red_black_tree.rs" 110 31 110 32] inv6 k) + -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv5 v + -> has_mapping0 self k v = (Map.get (shallow_model0 self) k = Core_Option_Option_Type.C_Some v)) predicate resolve1 (self : borrowed (RedBlackTree_Tree_Type.t_tree k v)) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed (RedBlackTree_Tree_Type.t_tree k v)) : bool 
@@ -5531,7 +6059,8 @@ module RedBlackTree_Impl15_Insert val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)) requires {inv7 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (RedBlackTree_Node_Type.t_node k v) . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv8 result } 
@@ -5563,7 +6092,8 @@ module RedBlackTree_Impl15_Insert ensures { [#"../red_black_tree.rs" 595 14 595 50] height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 596 14 597 39] match_t0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) /\ color0 ( * self) = RedBlackTree_Color_Type.C_Red \/ color_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 598 14 598 56] has_mapping0 ( ^ self) (deep_model0 key) val' } - ensures { [#"../red_black_tree.rs" 599 4 599 127] forall v : v . forall k : deep_model_ty0 . inv5 v -> inv6 k -> k = deep_model0 key \/ has_mapping0 ( * self) k v = has_mapping0 ( ^ self) k v } + ensures { [#"../red_black_tree.rs" 599 4 599 127] forall v : v . forall k : deep_model_ty0 . inv5 v + -> inv6 k -> k = deep_model0 key \/ has_mapping0 ( * self) k v = has_mapping0 ( ^ self) k v } let rec cfg insert [#"../red_black_tree.rs" 626 4 626 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (RedBlackTree_Tree_Type.t_tree k v)) (key : k) (val' : v) : () requires {[#"../red_black_tree.rs" 623 15 623 34] invariant0 ( * self)} @@ -5627,7 +6157,7 @@ module RedBlackTree_Impl15_Insert } BB5 { assume { resolve2 _15 }; - [#"../red_black_tree.rs" 626 45 630 5] _0 <- ([#"../red_black_tree.rs" 626 45 630 5] ()); + [#"../red_black_tree.rs" 626 45 630 5] _0 <- ([#"../red_black_tree.rs" 626 45 630 5] [#"../red_black_tree.rs" 626 45 630 5] ()); goto BB6 } BB6 { 
@@ -5706,7 +6236,9 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -5714,7 +6246,10 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -5722,7 +6257,10 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -5733,13 +6271,19 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -5750,7 +6294,9 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -5761,7 +6307,9 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -5772,7 +6320,9 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -5783,7 +6333,9 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant10 (self : deep_model_ty0) val invariant10 (self : deep_model_ty0) : bool ensures { result = invariant10 self } @@ -5931,7 +6483,8 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../red_black_tree.rs" 296 14 296 18] inv8 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv8 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv8 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) use RedBlackTree_Cp_Type as RedBlackTree_Cp_Type function cpn0 [#"../red_black_tree.rs" 226 0 226 36] (c : RedBlackTree_Color_Type.t_color) (l : RedBlackTree_Cp_Type.t_cp) (r : RedBlackTree_Cp_Type.t_cp) : RedBlackTree_Cp_Type.t_cp 
@@ -5964,7 +6517,13 @@ module RedBlackTree_Impl15_DeleteMaxRec ensures { result = height_invariant0 self } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -6005,7 +6564,9 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../red_black_tree.rs" 328 14 328 18] inv3 self} ensures { result = height1 self } - axiom height1_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv3 self) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node -> self = node -> height1 self = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) + axiom height1_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv3 self) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node + -> self = node -> height1 self = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) predicate has_mapping1 [#"../red_black_tree.rs" 140 4 140 57] (self : RedBlackTree_Node_Type.t_node k v) (k : deep_model_ty0) (v : v) = 
@@ -6016,11 +6577,17 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../red_black_tree.rs" 140 44 140 45] inv9 v} ensures { result = has_mapping1 self k v } - axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv3 self) -> ([#"../red_black_tree.rs" 140 25 140 26] inv10 k) -> ([#"../red_black_tree.rs" 140 44 140 45] inv9 v) -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node -> self = node -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) + axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv3 self) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv10 k) + -> ([#"../red_black_tree.rs" 140 44 140 45] inv9 v) + -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node + -> self = node + -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) predicate same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping1 self k v = has_mapping1 o k v + [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k -> has_mapping1 self k v = has_mapping1 o k v val same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = same_mappings0 self o } 
@@ -6041,18 +6608,26 @@ module RedBlackTree_Impl15_DeleteMaxRec val balance0 [#"../red_black_tree.rs" 510 4 510 25] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : () requires {[#"../red_black_tree.rs" 491 15 491 43] internal_invariant1 ( * self)} - requires {[#"../red_black_tree.rs" 492 4 493 47] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red -> color_invariant0 (RedBlackTree_Node_Type.node_left ( * self))} - requires {[#"../red_black_tree.rs" 494 4 495 48] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red -> color_invariant0 (RedBlackTree_Node_Type.node_right ( * self))} - requires {[#"../red_black_tree.rs" 496 4 496 110] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red -> false} + requires {[#"../red_black_tree.rs" 492 4 493 47] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red + -> color_invariant0 (RedBlackTree_Node_Type.node_left ( * self))} + requires {[#"../red_black_tree.rs" 494 4 495 48] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red + -> color_invariant0 (RedBlackTree_Node_Type.node_right ( * self))} + requires {[#"../red_black_tree.rs" 496 4 496 110] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red 
+ -> false} requires {[#"../red_black_tree.rs" 510 20 510 24] inv4 self} ensures { [#"../red_black_tree.rs" 497 14 497 42] same_mappings0 ( * self) ( ^ self) } ensures { [#"../red_black_tree.rs" 498 14 498 42] internal_invariant1 ( ^ self) } ensures { [#"../red_black_tree.rs" 499 14 499 50] height1 ( * self) = height1 ( ^ self) } - ensures { [#"../red_black_tree.rs" 500 4 501 34] color_invariant0 (RedBlackTree_Node_Type.node_left ( * self)) /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Black -> * self = ^ self } - ensures { [#"../red_black_tree.rs" 502 4 503 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self) -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } - ensures { [#"../red_black_tree.rs" 504 4 505 63] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } - ensures { [#"../red_black_tree.rs" 506 4 507 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } - ensures { [#"../red_black_tree.rs" 508 4 509 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) 
(RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } + ensures { [#"../red_black_tree.rs" 500 4 501 34] color_invariant0 (RedBlackTree_Node_Type.node_left ( * self)) /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Black + -> * self = ^ self } + ensures { [#"../red_black_tree.rs" 502 4 503 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self) + -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } + ensures { [#"../red_black_tree.rs" 504 4 505 63] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } + ensures { [#"../red_black_tree.rs" 506 4 507 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } + ensures { [#"../red_black_tree.rs" 508 4 509 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } val move_red_right0 
[#"../red_black_tree.rs" 571 4 571 45] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : borrowed (RedBlackTree_Node_Type.t_node k v) requires {[#"../red_black_tree.rs" 553 15 553 40] RedBlackTree_Tree_Type.tree_node (RedBlackTree_Node_Type.node_left ( * self)) <> Core_Option_Option_Type.C_None} 
@@ -6060,14 +6635,24 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../red_black_tree.rs" 555 15 555 86] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)))) ( * self)} requires {[#"../red_black_tree.rs" 571 27 571 31] inv4 self} ensures { [#"../red_black_tree.rs" 556 14 556 44] internal_invariant1 ( * result) } - ensures { [#"../red_black_tree.rs" 557 4 559 48] internal_invariant1 ( ^ result) /\ height1 ( * result) = height1 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping1 ( ^ result) k v -> has_mapping1 ( * result) k v) -> internal_invariant1 ( ^ self) } - ensures { [#"../red_black_tree.rs" 560 4 560 97] height1 ( * result) = height1 ( ^ result) -> height1 ( * self) = height1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 557 4 559 48] internal_invariant1 ( ^ result) /\ height1 ( * result) = height1 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k -> has_mapping1 ( ^ result) k v -> has_mapping1 ( * result) k v) -> internal_invariant1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 560 4 560 97] height1 ( * result) = height1 ( ^ result) + -> height1 ( * self) = height1 ( ^ self) } ensures { [#"../red_black_tree.rs" 561 14 561 42] RedBlackTree_Node_Type.node_key ( * result) = RedBlackTree_Node_Type.node_key ( * self) } - ensures { [#"../red_black_tree.rs" 562 4 562 105] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping1 ( * result) k v -> has_mapping1 ( * self) k v } - ensures { [#"../red_black_tree.rs" 563 4 564 47] forall v : v . forall k : deep_model_ty0 . 
inv9 v -> inv10 k -> has_mapping1 ( * self) k v /\ le_log0 (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) k -> has_mapping1 ( * result) k v } - ensures { [#"../red_black_tree.rs" 565 4 566 108] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping1 ( ^ self) k v = (has_mapping1 ( ^ result) k v \/ has_mapping1 ( * self) k v /\ not has_mapping1 ( * result) k v) } + ensures { [#"../red_black_tree.rs" 562 4 562 105] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k -> has_mapping1 ( * result) k v -> has_mapping1 ( * self) k v } + ensures { [#"../red_black_tree.rs" 563 4 564 47] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k + -> has_mapping1 ( * self) k v /\ le_log0 (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) k + -> has_mapping1 ( * result) k v } + ensures { [#"../red_black_tree.rs" 565 4 566 108] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k + -> has_mapping1 ( ^ self) k v = (has_mapping1 ( ^ result) k v \/ has_mapping1 ( * self) k v /\ not has_mapping1 ( * result) k v) } ensures { [#"../red_black_tree.rs" 567 14 568 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * result) \/ match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * result) } - ensures { [#"../red_black_tree.rs" 569 4 570 45] color_invariant1 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_left ( * result)) = RedBlackTree_Color_Type.C_Black -> RedBlackTree_Node_Type.node_color ( ^ result) = RedBlackTree_Color_Type.C_Black) -> color_invariant1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 569 4 570 45] color_invariant1 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_left ( * result)) = RedBlackTree_Color_Type.C_Black + -> 
RedBlackTree_Node_Type.node_color ( ^ result) = RedBlackTree_Color_Type.C_Black) + -> color_invariant1 ( ^ self) } ensures { [#"../red_black_tree.rs" 571 36 571 45] inv4 result } predicate resolve5 (self : RedBlackTree_Node_Type.t_node k v) @@ -6082,7 +6667,8 @@ module RedBlackTree_Impl15_DeleteMaxRec val as_ref0 (self : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)) : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v) requires {inv14 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 58 16 58 60] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 58 16 58 60] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 59 16 61 18] self = Core_Option_Option_Type.C_None \/ (exists r : RedBlackTree_Node_Type.t_node k v . inv7 r /\ result = Core_Option_Option_Type.C_Some r /\ self = Core_Option_Option_Type.C_Some r) } ensures { inv15 result } 
@@ -6162,7 +6748,8 @@ module RedBlackTree_Impl15_DeleteMaxRec val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)) requires {inv5 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (RedBlackTree_Node_Type.t_node k v) . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv12 result } 
@@ -6173,10 +6760,14 @@ module RedBlackTree_Impl15_DeleteMaxRec ensures { [#"../red_black_tree.rs" 635 14 635 42] internal_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 636 14 636 50] height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 637 14 637 66] has_mapping0 ( * self) (deep_model0 (let (a, _) = result in a)) (let (_, a) = result in a) } - ensures { [#"../red_black_tree.rs" 638 4 638 104] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping0 ( * self) k v -> le_log0 k (deep_model0 (let (a, _) = result in a)) } - ensures { [#"../red_black_tree.rs" 639 4 640 73] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping0 ( ^ self) k v = (deep_model0 (let (a, _) = result in a) <> k /\ has_mapping0 ( * self) k v) } + ensures { [#"../red_black_tree.rs" 638 4 638 104] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k -> has_mapping0 ( * self) k v -> le_log0 k (deep_model0 (let (a, _) = result in a)) } + ensures { [#"../red_black_tree.rs" 639 4 640 73] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k + -> has_mapping0 ( ^ self) k v = (deep_model0 (let (a, _) = result in a) <> k /\ has_mapping0 ( * self) k v) } ensures { [#"../red_black_tree.rs" 641 14 641 39] color_invariant0 ( ^ self) } - ensures { [#"../red_black_tree.rs" 642 4 642 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } + ensures { [#"../red_black_tree.rs" 642 4 642 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black + -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } ensures { [#"../red_black_tree.rs" 643 36 643 42] inv11 result } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -6254,7 +6845,7 @@ module RedBlackTree_Impl15_DeleteMaxRec goto BB8 } BB7 { - [#"../red_black_tree.rs" 647 9 647 9] _16 <- ([#"../red_black_tree.rs" 647 9 647 9] ()); + [#"../red_black_tree.rs" 647 9 647 9] _16 <- ([#"../red_black_tree.rs" 647 9 647 9] [#"../red_black_tree.rs" 647 9 647 9] ()); goto BB8 } BB8 { @@ -6357,11 +6948,11 @@ module RedBlackTree_Impl15_DeleteMaxRec _37 <- any borrowed (RedBlackTree_Node_Type.t_node k v); assert { [@expl:type invariant] inv4 _38 }; assume { resolve1 _38 }; - [#"../red_black_tree.rs" 652 84 654 9] _29 <- ([#"../red_black_tree.rs" 652 84 654 9] ()); + [#"../red_black_tree.rs" 652 84 654 9] _29 <- ([#"../red_black_tree.rs" 652 84 654 9] [#"../red_black_tree.rs" 652 84 654 9] ()); goto BB26 } BB25 { - [#"../red_black_tree.rs" 654 9 654 9] _29 <- ([#"../red_black_tree.rs" 654 9 654 9] ()); + [#"../red_black_tree.rs" 654 9 654 9] _29 <- ([#"../red_black_tree.rs" 654 9 654 9] [#"../red_black_tree.rs" 654 9 654 9] ()); goto BB26 } BB26 { 
@@ -6478,7 +7069,9 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv7 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -6486,7 +7079,10 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv7 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -6494,7 +7090,10 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv7 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -6505,13 +7104,19 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv7 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv7 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv7 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv7 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -6522,7 +7127,9 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv7 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -6533,7 +7140,9 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv7 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -6544,7 +7153,9 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv7 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -6555,7 +7166,9 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv7 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant8 (self : deep_model_ty0) val invariant8 (self : deep_model_ty0) : bool ensures { result = invariant8 self } @@ -6694,7 +7307,8 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../red_black_tree.rs" 296 14 296 18] inv5 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv5 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv5 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) predicate height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) = [#"../red_black_tree.rs" 339 20 339 61] height0 (RedBlackTree_Node_Type.node_left self) = height0 (RedBlackTree_Node_Type.node_right self) val height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) : bool 
@@ -6719,7 +7333,13 @@ module RedBlackTree_Impl15_DeleteMax ensures { result = has_mapping0 self k v } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv10 v -> inv7 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv10 v -> inv7 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv7 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv7 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -6759,7 +7379,10 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../red_black_tree.rs" 71 8 71 9] inv7 k} ensures { result = model_acc_has_mapping0 self accu k } - axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv5 self) -> ([#"../red_black_tree.rs" 70 8 70 12] inv13 accu) -> ([#"../red_black_tree.rs" 71 8 71 9] inv7 k) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv10 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv5 self) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv13 accu) + -> ([#"../red_black_tree.rs" 71 8 71 9] inv7 k) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv10 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) function has_mapping_model_acc0 [#"../red_black_tree.rs" 89 4 91 33] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = 
@@ -6774,7 +7397,12 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../red_black_tree.rs" 89 81 89 82] inv7 k} ensures { result = has_mapping_model_acc0 self accu k } - axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 89 29 89 33] inv5 self) -> ([#"../red_black_tree.rs" 89 35 89 39] inv13 accu) -> ([#"../red_black_tree.rs" 89 81 89 82] inv7 k) -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv10 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) + axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 89 29 89 33] inv5 self) + -> ([#"../red_black_tree.rs" 89 35 89 39] inv13 accu) + -> ([#"../red_black_tree.rs" 89 81 89 82] inv7 k) + -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv10 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) function has_mapping_model0 [#"../red_black_tree.rs" 110 4 112 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) : () = 
@@ -6785,7 +7413,11 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../red_black_tree.rs" 110 31 110 32] inv7 k} ensures { result = has_mapping_model0 self k } - axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 110 25 110 29] inv5 self) -> ([#"../red_black_tree.rs" 110 31 110 32] inv7 k) -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv10 v -> has_mapping0 self k v = (Map.get (shallow_model1 self) k = Core_Option_Option_Type.C_Some v)) + axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 110 25 110 29] inv5 self) + -> ([#"../red_black_tree.rs" 110 31 110 32] inv7 k) + -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv10 v + -> has_mapping0 self k v = (Map.get (shallow_model1 self) k = Core_Option_Option_Type.C_Some v)) val unwrap0 (self : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v))) : borrowed (RedBlackTree_Node_Type.t_node k v) requires {[#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self <> Core_Option_Option_Type.C_None} requires {inv12 self} 
@@ -6794,7 +7426,8 @@ module RedBlackTree_Impl15_DeleteMax val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)) requires {inv4 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (RedBlackTree_Node_Type.t_node k v) . inv3 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv12 result } 
@@ -6828,16 +7461,21 @@ module RedBlackTree_Impl15_DeleteMax ensures { [#"../red_black_tree.rs" 635 14 635 42] internal_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 636 14 636 50] height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 637 14 637 66] has_mapping0 ( * self) (deep_model0 (let (a, _) = result in a)) (let (_, a) = result in a) } - ensures { [#"../red_black_tree.rs" 638 4 638 104] forall v : v . forall k : deep_model_ty0 . inv10 v -> inv7 k -> has_mapping0 ( * self) k v -> le_log0 k (deep_model0 (let (a, _) = result in a)) } - ensures { [#"../red_black_tree.rs" 639 4 640 73] forall v : v . forall k : deep_model_ty0 . inv10 v -> inv7 k -> has_mapping0 ( ^ self) k v = (deep_model0 (let (a, _) = result in a) <> k /\ has_mapping0 ( * self) k v) } + ensures { [#"../red_black_tree.rs" 638 4 638 104] forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv7 k -> has_mapping0 ( * self) k v -> le_log0 k (deep_model0 (let (a, _) = result in a)) } + ensures { [#"../red_black_tree.rs" 639 4 640 73] forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv7 k + -> has_mapping0 ( ^ self) k v = (deep_model0 (let (a, _) = result in a) <> k /\ has_mapping0 ( * self) k v) } ensures { [#"../red_black_tree.rs" 641 14 641 39] color_invariant0 ( ^ self) } - ensures { [#"../red_black_tree.rs" 642 4 642 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } + ensures { [#"../red_black_tree.rs" 642 4 642 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black + -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } ensures { [#"../red_black_tree.rs" 643 36 643 42] inv11 result } predicate same_mappings0 [#"../red_black_tree.rs" 42 4 42 43] (self : RedBlackTree_Tree_Type.t_tree k v) (o : RedBlackTree_Tree_Type.t_tree k v) = - [#"../red_black_tree.rs" 43 8 45 9] forall v : v . forall k : deep_model_ty0 . 
inv10 v -> inv7 k -> has_mapping0 self k v = has_mapping0 o k v + [#"../red_black_tree.rs" 43 8 45 9] forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv7 k -> has_mapping0 self k v = has_mapping0 o k v val same_mappings0 [#"../red_black_tree.rs" 42 4 42 43] (self : RedBlackTree_Tree_Type.t_tree k v) (o : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = same_mappings0 self o } @@ -6866,7 +7504,8 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../red_black_tree.rs" 667 27 667 31] inv6 self} ensures { [#"../red_black_tree.rs" 661 14 661 33] invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 662 14 666 65] match result with - | Core_Option_Option_Type.C_Some (k, v) -> Map.get (shallow_model0 self) (deep_model0 k) = Core_Option_Option_Type.C_Some v /\ (forall k2 : deep_model_ty0 . inv7 k2 -> Map.get (shallow_model0 self) k2 = Core_Option_Option_Type.C_None \/ le_log0 k2 (deep_model0 k)) /\ shallow_model1 ( ^ self) = Map.set (shallow_model0 self) (deep_model0 k) (Core_Option_Option_Type.C_None) + | Core_Option_Option_Type.C_Some (k, v) -> Map.get (shallow_model0 self) (deep_model0 k) = Core_Option_Option_Type.C_Some v /\ (forall k2 : deep_model_ty0 . inv7 k2 + -> Map.get (shallow_model0 self) k2 = Core_Option_Option_Type.C_None \/ le_log0 k2 (deep_model0 k)) /\ shallow_model1 ( ^ self) = Map.set (shallow_model0 self) (deep_model0 k) (Core_Option_Option_Type.C_None) | Core_Option_Option_Type.C_None -> shallow_model1 ( ^ self) = shallow_model0 self /\ shallow_model0 self = Const.const (Core_Option_Option_Type.C_None) end } ensures { [#"../red_black_tree.rs" 667 36 667 50] inv8 result } 
@@ -6928,7 +7567,7 @@ module RedBlackTree_Impl15_DeleteMax assume { resolve1 node }; assert { [@expl:type invariant] inv4 _8 }; assume { resolve2 _8 }; - [#"../red_black_tree.rs" 672 13 672 13] _7 <- ([#"../red_black_tree.rs" 672 13 672 13] ()); + [#"../red_black_tree.rs" 672 13 672 13] _7 <- ([#"../red_black_tree.rs" 672 13 672 13] [#"../red_black_tree.rs" 672 13 672 13] ()); goto BB7 } BB6 { @@ -6939,7 +7578,7 @@ module RedBlackTree_Impl15_DeleteMax assume { resolve1 node }; assert { [@expl:type invariant] inv4 _8 }; assume { resolve2 _8 }; - [#"../red_black_tree.rs" 670 35 672 13] _7 <- ([#"../red_black_tree.rs" 670 35 672 13] ()); + [#"../red_black_tree.rs" 670 35 672 13] _7 <- ([#"../red_black_tree.rs" 670 35 672 13] [#"../red_black_tree.rs" 670 35 672 13] ()); goto BB7 } BB7 { @@ -6990,13 +7629,13 @@ module RedBlackTree_Impl15_DeleteMax assume { resolve1 _23 }; assert { [@expl:type invariant] inv6 self }; assume { resolve3 self }; - [#"../red_black_tree.rs" 678 25 680 9] _19 <- ([#"../red_black_tree.rs" 678 25 680 9] ()); + [#"../red_black_tree.rs" 678 25 680 9] _19 <- ([#"../red_black_tree.rs" 678 25 680 9] [#"../red_black_tree.rs" 678 25 680 9] ()); goto BB15 } BB14 { assert { [@expl:type invariant] inv6 self }; assume { resolve3 self }; - [#"../red_black_tree.rs" 680 9 680 9] _19 <- ([#"../red_black_tree.rs" 680 9 680 9] ()); + [#"../red_black_tree.rs" 680 9 680 9] _19 <- ([#"../red_black_tree.rs" 680 9 680 9] [#"../red_black_tree.rs" 680 9 680 9] ()); goto BB15 } BB15 { 
@@ -7088,7 +7727,9 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -7096,7 +7737,10 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -7104,7 +7748,10 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -7115,13 +7762,19 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -7132,7 +7785,9 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -7143,7 +7798,9 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -7154,7 +7811,9 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -7165,7 +7824,9 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant10 (self : deep_model_ty0) val invariant10 (self : deep_model_ty0) : bool ensures { result = invariant10 self } @@ -7313,7 +7974,8 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../red_black_tree.rs" 296 14 296 18] inv8 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv8 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv8 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) use RedBlackTree_Cp_Type as RedBlackTree_Cp_Type function cpn0 [#"../red_black_tree.rs" 226 0 226 36] (c : RedBlackTree_Color_Type.t_color) (l : RedBlackTree_Cp_Type.t_cp) (r : RedBlackTree_Cp_Type.t_cp) : RedBlackTree_Cp_Type.t_cp 
@@ -7346,7 +8008,13 @@ module RedBlackTree_Impl15_DeleteMinRec ensures { result = height_invariant0 self } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -7387,7 +8055,9 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../red_black_tree.rs" 328 14 328 18] inv7 self} ensures { result = height1 self } - axiom height1_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv7 self) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node -> self = node -> height1 self = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) + axiom height1_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv7 self) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node + -> self = node -> height1 self = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) predicate has_mapping1 [#"../red_black_tree.rs" 140 4 140 57] (self : RedBlackTree_Node_Type.t_node k v) (k : deep_model_ty0) (v : v) = 
@@ -7398,11 +8068,17 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../red_black_tree.rs" 140 44 140 45] inv9 v} ensures { result = has_mapping1 self k v } - axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv7 self) -> ([#"../red_black_tree.rs" 140 25 140 26] inv10 k) -> ([#"../red_black_tree.rs" 140 44 140 45] inv9 v) -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node -> self = node -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) + axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv7 self) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv10 k) + -> ([#"../red_black_tree.rs" 140 44 140 45] inv9 v) + -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node + -> self = node + -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) predicate same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping1 self k v = has_mapping1 o k v + [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k -> has_mapping1 self k v = has_mapping1 o k v val same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = same_mappings0 self o } 
@@ -7423,18 +8099,26 @@ module RedBlackTree_Impl15_DeleteMinRec val balance0 [#"../red_black_tree.rs" 510 4 510 25] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : () requires {[#"../red_black_tree.rs" 491 15 491 43] internal_invariant1 ( * self)} - requires {[#"../red_black_tree.rs" 492 4 493 47] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red -> color_invariant0 (RedBlackTree_Node_Type.node_left ( * self))} - requires {[#"../red_black_tree.rs" 494 4 495 48] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red -> color_invariant0 (RedBlackTree_Node_Type.node_right ( * self))} - requires {[#"../red_black_tree.rs" 496 4 496 110] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red -> false} + requires {[#"../red_black_tree.rs" 492 4 493 47] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red + -> color_invariant0 (RedBlackTree_Node_Type.node_left ( * self))} + requires {[#"../red_black_tree.rs" 494 4 495 48] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red + -> color_invariant0 (RedBlackTree_Node_Type.node_right ( * self))} + requires {[#"../red_black_tree.rs" 496 4 496 110] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red 
+ -> false} requires {[#"../red_black_tree.rs" 510 20 510 24] inv3 self} ensures { [#"../red_black_tree.rs" 497 14 497 42] same_mappings0 ( * self) ( ^ self) } ensures { [#"../red_black_tree.rs" 498 14 498 42] internal_invariant1 ( ^ self) } ensures { [#"../red_black_tree.rs" 499 14 499 50] height1 ( * self) = height1 ( ^ self) } - ensures { [#"../red_black_tree.rs" 500 4 501 34] color_invariant0 (RedBlackTree_Node_Type.node_left ( * self)) /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Black -> * self = ^ self } - ensures { [#"../red_black_tree.rs" 502 4 503 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self) -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } - ensures { [#"../red_black_tree.rs" 504 4 505 63] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } - ensures { [#"../red_black_tree.rs" 506 4 507 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } - ensures { [#"../red_black_tree.rs" 508 4 509 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) 
(RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } + ensures { [#"../red_black_tree.rs" 500 4 501 34] color_invariant0 (RedBlackTree_Node_Type.node_left ( * self)) /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Black + -> * self = ^ self } + ensures { [#"../red_black_tree.rs" 502 4 503 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self) + -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } + ensures { [#"../red_black_tree.rs" 504 4 505 63] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } + ensures { [#"../red_black_tree.rs" 506 4 507 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } + ensures { [#"../red_black_tree.rs" 508 4 509 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } val move_red_left0 
[#"../red_black_tree.rs" 542 4 542 44] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : borrowed (RedBlackTree_Node_Type.t_node k v) requires {[#"../red_black_tree.rs" 524 15 524 41] RedBlackTree_Tree_Type.tree_node (RedBlackTree_Node_Type.node_right ( * self)) <> Core_Option_Option_Type.C_None} 
@@ -7442,14 +8126,24 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../red_black_tree.rs" 526 15 526 86] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self)} requires {[#"../red_black_tree.rs" 542 26 542 30] inv3 self} ensures { [#"../red_black_tree.rs" 527 14 527 44] internal_invariant1 ( * result) } - ensures { [#"../red_black_tree.rs" 528 4 530 48] internal_invariant1 ( ^ result) /\ height1 ( * result) = height1 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping1 ( ^ result) k v -> has_mapping1 ( * result) k v) -> internal_invariant1 ( ^ self) } - ensures { [#"../red_black_tree.rs" 531 4 531 97] height1 ( * result) = height1 ( ^ result) -> height1 ( * self) = height1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 528 4 530 48] internal_invariant1 ( ^ result) /\ height1 ( * result) = height1 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k -> has_mapping1 ( ^ result) k v -> has_mapping1 ( * result) k v) -> internal_invariant1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 531 4 531 97] height1 ( * result) = height1 ( ^ result) + -> height1 ( * self) = height1 ( ^ self) } ensures { [#"../red_black_tree.rs" 532 14 532 42] RedBlackTree_Node_Type.node_key ( * self) = RedBlackTree_Node_Type.node_key ( * result) } - ensures { [#"../red_black_tree.rs" 533 4 533 105] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping1 ( * result) k v -> has_mapping1 ( * self) k v } - ensures { [#"../red_black_tree.rs" 534 4 535 47] forall v : v . forall k : deep_model_ty0 . 
inv9 v -> inv10 k -> has_mapping1 ( * self) k v /\ le_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) -> has_mapping1 ( * result) k v } - ensures { [#"../red_black_tree.rs" 536 4 537 108] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping1 ( ^ self) k v = (has_mapping1 ( ^ result) k v \/ has_mapping1 ( * self) k v /\ not has_mapping1 ( * result) k v) } + ensures { [#"../red_black_tree.rs" 533 4 533 105] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k -> has_mapping1 ( * result) k v -> has_mapping1 ( * self) k v } + ensures { [#"../red_black_tree.rs" 534 4 535 47] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k + -> has_mapping1 ( * self) k v /\ le_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) + -> has_mapping1 ( * result) k v } + ensures { [#"../red_black_tree.rs" 536 4 537 108] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k + -> has_mapping1 ( ^ self) k v = (has_mapping1 ( ^ result) k v \/ has_mapping1 ( * self) k v /\ not has_mapping1 ( * result) k v) } ensures { [#"../red_black_tree.rs" 538 14 539 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * result) \/ match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * result) } - ensures { [#"../red_black_tree.rs" 540 4 541 45] color_invariant1 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_right ( * result)) = RedBlackTree_Color_Type.C_Black -> RedBlackTree_Node_Type.node_color ( ^ result) = RedBlackTree_Color_Type.C_Black) -> color_invariant1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 540 4 541 45] color_invariant1 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_right ( * result)) = RedBlackTree_Color_Type.C_Black + -> 
RedBlackTree_Node_Type.node_color ( ^ result) = RedBlackTree_Color_Type.C_Black) + -> color_invariant1 ( ^ self) } ensures { [#"../red_black_tree.rs" 542 35 542 44] inv3 result } predicate resolve5 (self : RedBlackTree_Node_Type.t_node k v) @@ -7464,7 +8158,8 @@ module RedBlackTree_Impl15_DeleteMinRec val as_ref0 (self : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)) : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v) requires {inv14 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 58 16 58 60] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 58 16 58 60] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 59 16 61 18] self = Core_Option_Option_Type.C_None \/ (exists r : RedBlackTree_Node_Type.t_node k v . inv6 r /\ result = Core_Option_Option_Type.C_Some r /\ self = Core_Option_Option_Type.C_Some r) } ensures { inv15 result } 
@@ -7532,7 +8227,8 @@ module RedBlackTree_Impl15_DeleteMinRec val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)) requires {inv4 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (RedBlackTree_Node_Type.t_node k v) . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv12 result } 
@@ -7543,10 +8239,14 @@ module RedBlackTree_Impl15_DeleteMinRec ensures { [#"../red_black_tree.rs" 688 14 688 42] internal_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 689 14 689 50] height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 690 14 690 66] has_mapping0 ( * self) (deep_model0 (let (a, _) = result in a)) (let (_, a) = result in a) } - ensures { [#"../red_black_tree.rs" 691 4 691 104] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping0 ( * self) k v -> le_log0 (deep_model0 (let (a, _) = result in a)) k } - ensures { [#"../red_black_tree.rs" 692 4 693 73] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping0 ( ^ self) k v = (deep_model0 (let (a, _) = result in a) <> k /\ has_mapping0 ( * self) k v) } + ensures { [#"../red_black_tree.rs" 691 4 691 104] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k -> has_mapping0 ( * self) k v -> le_log0 (deep_model0 (let (a, _) = result in a)) k } + ensures { [#"../red_black_tree.rs" 692 4 693 73] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k + -> has_mapping0 ( ^ self) k v = (deep_model0 (let (a, _) = result in a) <> k /\ has_mapping0 ( * self) k v) } ensures { [#"../red_black_tree.rs" 694 14 694 39] color_invariant0 ( ^ self) } - ensures { [#"../red_black_tree.rs" 695 4 695 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } + ensures { [#"../red_black_tree.rs" 695 4 695 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black + -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } ensures { [#"../red_black_tree.rs" 696 36 696 42] inv11 result } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -7699,11 +8399,11 @@ module RedBlackTree_Impl15_DeleteMinRec _33 <- any borrowed (RedBlackTree_Node_Type.t_node k v); assert { [@expl:type invariant] inv3 _34 }; assume { resolve1 _34 }; - [#"../red_black_tree.rs" 702 82 704 9] _25 <- ([#"../red_black_tree.rs" 702 82 704 9] ()); + [#"../red_black_tree.rs" 702 82 704 9] _25 <- ([#"../red_black_tree.rs" 702 82 704 9] [#"../red_black_tree.rs" 702 82 704 9] ()); goto BB21 } BB20 { - [#"../red_black_tree.rs" 704 9 704 9] _25 <- ([#"../red_black_tree.rs" 704 9 704 9] ()); + [#"../red_black_tree.rs" 704 9 704 9] _25 <- ([#"../red_black_tree.rs" 704 9 704 9] [#"../red_black_tree.rs" 704 9 704 9] ()); goto BB21 } BB21 { @@ -7820,7 +8520,9 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv6 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -7828,7 +8530,10 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv6 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -7836,7 +8541,10 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv6 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -7847,13 +8555,19 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv6 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv6 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv6 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv6 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -7864,7 +8578,9 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv6 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -7875,7 +8591,9 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv6 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -7886,7 +8604,9 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv6 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -7897,7 +8617,9 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv6 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant7 (self : deep_model_ty0) val invariant7 (self : deep_model_ty0) : bool ensures { result = invariant7 self } @@ -8026,7 +8748,8 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../red_black_tree.rs" 296 14 296 18] inv4 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv4 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv4 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) predicate height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) = [#"../red_black_tree.rs" 339 20 339 61] height0 (RedBlackTree_Node_Type.node_left self) = height0 (RedBlackTree_Node_Type.node_right self) val height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) : bool 
@@ -8051,7 +8774,13 @@ module RedBlackTree_Impl15_DeleteMin ensures { result = has_mapping0 self k v } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv8 v -> inv6 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv8 v -> inv6 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv8 v + -> inv6 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv8 v + -> inv6 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -8082,7 +8811,8 @@ module RedBlackTree_Impl15_DeleteMin val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)) requires {inv3 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (RedBlackTree_Node_Type.t_node k v) . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv11 result } 
@@ -8116,10 +8846,14 @@ module RedBlackTree_Impl15_DeleteMin ensures { [#"../red_black_tree.rs" 688 14 688 42] internal_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 689 14 689 50] height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 690 14 690 66] has_mapping0 ( * self) (deep_model0 (let (a, _) = result in a)) (let (_, a) = result in a) } - ensures { [#"../red_black_tree.rs" 691 4 691 104] forall v : v . forall k : deep_model_ty0 . inv8 v -> inv6 k -> has_mapping0 ( * self) k v -> le_log0 (deep_model0 (let (a, _) = result in a)) k } - ensures { [#"../red_black_tree.rs" 692 4 693 73] forall v : v . forall k : deep_model_ty0 . inv8 v -> inv6 k -> has_mapping0 ( ^ self) k v = (deep_model0 (let (a, _) = result in a) <> k /\ has_mapping0 ( * self) k v) } + ensures { [#"../red_black_tree.rs" 691 4 691 104] forall v : v . forall k : deep_model_ty0 . inv8 v + -> inv6 k -> has_mapping0 ( * self) k v -> le_log0 (deep_model0 (let (a, _) = result in a)) k } + ensures { [#"../red_black_tree.rs" 692 4 693 73] forall v : v . forall k : deep_model_ty0 . inv8 v + -> inv6 k + -> has_mapping0 ( ^ self) k v = (deep_model0 (let (a, _) = result in a) <> k /\ has_mapping0 ( * self) k v) } ensures { [#"../red_black_tree.rs" 694 14 694 39] color_invariant0 ( ^ self) } - ensures { [#"../red_black_tree.rs" 695 4 695 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } + ensures { [#"../red_black_tree.rs" 695 4 695 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black + -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } ensures { [#"../red_black_tree.rs" 696 36 696 42] inv10 result } predicate resolve2 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) = 
@@ -8154,7 +8888,10 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../red_black_tree.rs" 71 8 71 9] inv6 k} ensures { result = model_acc_has_mapping0 self accu k } - axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv4 self) -> ([#"../red_black_tree.rs" 70 8 70 12] inv12 accu) -> ([#"../red_black_tree.rs" 71 8 71 9] inv6 k) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv8 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv4 self) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv12 accu) + -> ([#"../red_black_tree.rs" 71 8 71 9] inv6 k) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv8 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) function has_mapping_model_acc0 [#"../red_black_tree.rs" 89 4 91 33] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = 
@@ -8169,7 +8906,12 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../red_black_tree.rs" 89 81 89 82] inv6 k} ensures { result = has_mapping_model_acc0 self accu k } - axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 89 29 89 33] inv4 self) -> ([#"../red_black_tree.rs" 89 35 89 39] inv12 accu) -> ([#"../red_black_tree.rs" 89 81 89 82] inv6 k) -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv8 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) + axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 89 29 89 33] inv4 self) + -> ([#"../red_black_tree.rs" 89 35 89 39] inv12 accu) + -> ([#"../red_black_tree.rs" 89 81 89 82] inv6 k) + -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv8 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) function has_mapping_model0 [#"../red_black_tree.rs" 110 4 112 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) : () = 
@@ -8180,13 +8922,18 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../red_black_tree.rs" 110 31 110 32] inv6 k} ensures { result = has_mapping_model0 self k } - axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 110 25 110 29] inv4 self) -> ([#"../red_black_tree.rs" 110 31 110 32] inv6 k) -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv8 v -> has_mapping0 self k v = (Map.get (shallow_model1 self) k = Core_Option_Option_Type.C_Some v)) + axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 110 25 110 29] inv4 self) + -> ([#"../red_black_tree.rs" 110 31 110 32] inv6 k) + -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv8 v + -> has_mapping0 self k v = (Map.get (shallow_model1 self) k = Core_Option_Option_Type.C_Some v)) let rec cfg delete_min [#"../red_black_tree.rs" 719 4 719 50] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (RedBlackTree_Tree_Type.t_tree k v)) : Core_Option_Option_Type.t_option (k, v) requires {[#"../red_black_tree.rs" 710 15 710 34] invariant0 ( * self)} requires {[#"../red_black_tree.rs" 719 27 719 31] inv5 self} ensures { [#"../red_black_tree.rs" 711 14 711 33] invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 712 14 718 5] match result with - | Core_Option_Option_Type.C_Some (k, v) -> Map.get (shallow_model0 self) (deep_model0 k) = Core_Option_Option_Type.C_Some v /\ (forall k2 : deep_model_ty0 . 
inv6 k2 -> Map.get (shallow_model0 self) k2 = Core_Option_Option_Type.C_None \/ le_log0 (deep_model0 k) k2) /\ shallow_model1 ( ^ self) = Map.set (shallow_model0 self) (deep_model0 k) (Core_Option_Option_Type.C_None) + | Core_Option_Option_Type.C_Some (k, v) -> Map.get (shallow_model0 self) (deep_model0 k) = Core_Option_Option_Type.C_Some v /\ (forall k2 : deep_model_ty0 . inv6 k2 + -> Map.get (shallow_model0 self) k2 = Core_Option_Option_Type.C_None \/ le_log0 (deep_model0 k) k2) /\ shallow_model1 ( ^ self) = Map.set (shallow_model0 self) (deep_model0 k) (Core_Option_Option_Type.C_None) | Core_Option_Option_Type.C_None -> shallow_model1 ( ^ self) = shallow_model0 self /\ shallow_model0 self = Const.const (Core_Option_Option_Type.C_None) end } ensures { [#"../red_black_tree.rs" 719 36 719 50] inv7 result } @@ -8246,7 +8993,7 @@ module RedBlackTree_Impl15_DeleteMin assume { resolve1 node }; assert { [@expl:type invariant] inv3 _8 }; assume { resolve2 _8 }; - [#"../red_black_tree.rs" 725 13 725 13] _7 <- ([#"../red_black_tree.rs" 725 13 725 13] ()); + [#"../red_black_tree.rs" 725 13 725 13] _7 <- ([#"../red_black_tree.rs" 725 13 725 13] [#"../red_black_tree.rs" 725 13 725 13] ()); goto BB7 } BB6 { @@ -8257,7 +9004,7 @@ module RedBlackTree_Impl15_DeleteMin assume { resolve1 node }; assert { [@expl:type invariant] inv3 _8 }; assume { resolve2 _8 }; - [#"../red_black_tree.rs" 723 35 725 13] _7 <- ([#"../red_black_tree.rs" 723 35 725 13] ()); + [#"../red_black_tree.rs" 723 35 725 13] _7 <- ([#"../red_black_tree.rs" 723 35 725 13] [#"../red_black_tree.rs" 723 35 725 13] ()); goto BB7 } BB7 { 
@@ -8307,13 +9054,13 @@ module RedBlackTree_Impl15_DeleteMin assume { resolve1 _21 }; assert { [@expl:type invariant] inv5 self }; assume { resolve3 self }; - [#"../red_black_tree.rs" 730 25 732 9] _17 <- ([#"../red_black_tree.rs" 730 25 732 9] ()); + [#"../red_black_tree.rs" 730 25 732 9] _17 <- ([#"../red_black_tree.rs" 730 25 732 9] [#"../red_black_tree.rs" 730 25 732 9] ()); goto BB15 } BB14 { assert { [@expl:type invariant] inv5 self }; assume { resolve3 self }; - [#"../red_black_tree.rs" 732 9 732 9] _17 <- ([#"../red_black_tree.rs" 732 9 732 9] ()); + [#"../red_black_tree.rs" 732 9 732 9] _17 <- ([#"../red_black_tree.rs" 732 9 732 9] [#"../red_black_tree.rs" 732 9 732 9] ()); goto BB15 } BB15 { @@ -8400,7 +9147,9 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv14 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -8408,7 +9157,10 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv14 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -8416,7 +9168,10 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv14 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -8427,13 +9182,19 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv14 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv14 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv14 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv14 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -8444,7 +9205,9 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv14 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -8455,7 +9218,9 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv14 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -8466,7 +9231,9 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv14 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -8477,7 +9244,9 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv14 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use prelude.Borrow predicate invariant16 (self : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v))) val invariant16 (self : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool @@ -8685,7 +9454,8 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../red_black_tree.rs" 296 14 296 18] inv7 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv7 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv7 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) use RedBlackTree_Cp_Type as RedBlackTree_Cp_Type function cpn0 [#"../red_black_tree.rs" 226 0 226 36] (c : RedBlackTree_Color_Type.t_color) (l : RedBlackTree_Cp_Type.t_cp) (r : RedBlackTree_Cp_Type.t_cp) : RedBlackTree_Cp_Type.t_cp 
@@ -8718,7 +9488,13 @@ module RedBlackTree_Impl15_DeleteRec ensures { result = height_invariant0 self } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model1 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model1 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model1 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model1 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -8760,7 +9536,9 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../red_black_tree.rs" 328 14 328 18] inv5 self} ensures { result = height1 self } - axiom height1_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv5 self) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node -> self = node -> height1 self = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) + axiom height1_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv5 self) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node + -> self = node -> height1 self = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) predicate has_mapping1 [#"../red_black_tree.rs" 140 4 140 57] (self : RedBlackTree_Node_Type.t_node k v) (k : deep_model_ty0) (v : v) = 
@@ -8771,11 +9549,17 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../red_black_tree.rs" 140 44 140 45] inv11 v} ensures { result = has_mapping1 self k v } - axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv5 self) -> ([#"../red_black_tree.rs" 140 25 140 26] inv14 k) -> ([#"../red_black_tree.rs" 140 44 140 45] inv11 v) -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node -> self = node -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) + axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv5 self) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv14 k) + -> ([#"../red_black_tree.rs" 140 44 140 45] inv11 v) + -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node + -> self = node + -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) predicate same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping1 self k v = has_mapping1 o k v + [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k -> has_mapping1 self k v = has_mapping1 o k v val same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = same_mappings0 self o } 
@@ -8796,18 +9580,26 @@ module RedBlackTree_Impl15_DeleteRec val balance0 [#"../red_black_tree.rs" 510 4 510 25] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : () requires {[#"../red_black_tree.rs" 491 15 491 43] internal_invariant1 ( * self)} - requires {[#"../red_black_tree.rs" 492 4 493 47] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red -> color_invariant0 (RedBlackTree_Node_Type.node_left ( * self))} - requires {[#"../red_black_tree.rs" 494 4 495 48] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red -> color_invariant0 (RedBlackTree_Node_Type.node_right ( * self))} - requires {[#"../red_black_tree.rs" 496 4 496 110] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red -> false} + requires {[#"../red_black_tree.rs" 492 4 493 47] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red + -> color_invariant0 (RedBlackTree_Node_Type.node_left ( * self))} + requires {[#"../red_black_tree.rs" 494 4 495 48] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red + -> color_invariant0 (RedBlackTree_Node_Type.node_right ( * self))} + requires {[#"../red_black_tree.rs" 496 4 496 110] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red + 
-> false} requires {[#"../red_black_tree.rs" 510 20 510 24] inv6 self} ensures { [#"../red_black_tree.rs" 497 14 497 42] same_mappings0 ( * self) ( ^ self) } ensures { [#"../red_black_tree.rs" 498 14 498 42] internal_invariant1 ( ^ self) } ensures { [#"../red_black_tree.rs" 499 14 499 50] height1 ( * self) = height1 ( ^ self) } - ensures { [#"../red_black_tree.rs" 500 4 501 34] color_invariant0 (RedBlackTree_Node_Type.node_left ( * self)) /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Black -> * self = ^ self } - ensures { [#"../red_black_tree.rs" 502 4 503 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self) -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } - ensures { [#"../red_black_tree.rs" 504 4 505 63] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } - ensures { [#"../red_black_tree.rs" 506 4 507 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } - ensures { [#"../red_black_tree.rs" 508 4 509 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) 
(RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } + ensures { [#"../red_black_tree.rs" 500 4 501 34] color_invariant0 (RedBlackTree_Node_Type.node_left ( * self)) /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Black + -> * self = ^ self } + ensures { [#"../red_black_tree.rs" 502 4 503 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self) + -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } + ensures { [#"../red_black_tree.rs" 504 4 505 63] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } + ensures { [#"../red_black_tree.rs" 506 4 507 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } + ensures { [#"../red_black_tree.rs" 508 4 509 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } val rotate_right0 
[#"../red_black_tree.rs" 412 4 412 30] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : () requires {[#"../red_black_tree.rs" 400 15 400 43] internal_invariant1 ( * self)} @@ -8912,7 +9704,10 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../red_black_tree.rs" 71 8 71 9] inv14 k} ensures { result = model_acc_has_mapping0 self accu k } - axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv7 self) -> ([#"../red_black_tree.rs" 70 8 70 12] inv21 accu) -> ([#"../red_black_tree.rs" 71 8 71 9] inv14 k) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv11 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv7 self) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv21 accu) + -> ([#"../red_black_tree.rs" 71 8 71 9] inv14 k) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv11 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) function has_mapping_model_acc0 [#"../red_black_tree.rs" 89 4 91 33] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = 
@@ -8927,7 +9722,12 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../red_black_tree.rs" 89 81 89 82] inv14 k} ensures { result = has_mapping_model_acc0 self accu k } - axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 89 29 89 33] inv7 self) -> ([#"../red_black_tree.rs" 89 35 89 39] inv21 accu) -> ([#"../red_black_tree.rs" 89 81 89 82] inv14 k) -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv11 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) + axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 89 29 89 33] inv7 self) + -> ([#"../red_black_tree.rs" 89 35 89 39] inv21 accu) + -> ([#"../red_black_tree.rs" 89 81 89 82] inv14 k) + -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv11 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) function has_mapping_model0 [#"../red_black_tree.rs" 110 4 112 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) : () = 
@@ -8938,7 +9738,11 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../red_black_tree.rs" 110 31 110 32] inv14 k} ensures { result = has_mapping_model0 self k } - axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 110 25 110 29] inv7 self) -> ([#"../red_black_tree.rs" 110 31 110 32] inv14 k) -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv11 v -> has_mapping0 self k v = (Map.get (shallow_model0 self) k = Core_Option_Option_Type.C_Some v)) + axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 110 25 110 29] inv7 self) + -> ([#"../red_black_tree.rs" 110 31 110 32] inv14 k) + -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv11 v + -> has_mapping0 self k v = (Map.get (shallow_model0 self) k = Core_Option_Option_Type.C_Some v)) function has_mapping_inj0 [#"../red_black_tree.rs" 125 4 127 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) (v1 : v) (v2 : v) : () = 
@@ -8956,7 +9760,13 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../red_black_tree.rs" 125 55 125 57] inv11 v2} ensures { result = has_mapping_inj0 self k v1 v2 } - axiom has_mapping_inj0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0, v1 : v, v2 : v . ([#"../red_black_tree.rs" 121 15 121 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 122 15 122 38] has_mapping0 self k v1) -> ([#"../red_black_tree.rs" 123 15 123 38] has_mapping0 self k v2) -> ([#"../red_black_tree.rs" 125 23 125 27] inv7 self) -> ([#"../red_black_tree.rs" 125 29 125 30] inv14 k) -> ([#"../red_black_tree.rs" 125 48 125 50] inv11 v1) -> ([#"../red_black_tree.rs" 125 55 125 57] inv11 v2) -> ([#"../red_black_tree.rs" 124 14 124 22] v1 = v2) + axiom has_mapping_inj0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0, v1 : v, v2 : v . ([#"../red_black_tree.rs" 121 15 121 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 122 15 122 38] has_mapping0 self k v1) + -> ([#"../red_black_tree.rs" 123 15 123 38] has_mapping0 self k v2) + -> ([#"../red_black_tree.rs" 125 23 125 27] inv7 self) + -> ([#"../red_black_tree.rs" 125 29 125 30] inv14 k) + -> ([#"../red_black_tree.rs" 125 48 125 50] inv11 v1) + -> ([#"../red_black_tree.rs" 125 55 125 57] inv11 v2) -> ([#"../red_black_tree.rs" 124 14 124 22] v1 = v2) val delete_min_rec0 [#"../red_black_tree.rs" 696 4 696 42] (self : borrowed (RedBlackTree_Tree_Type.t_tree k v)) : (k, v) requires {[#"../red_black_tree.rs" 685 15 685 43] internal_invariant0 ( * self)} requires {[#"../red_black_tree.rs" 686 15 687 62] match_t0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( * self) \/ match_t0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self)} 
@@ -8964,10 +9774,14 @@ module RedBlackTree_Impl15_DeleteRec ensures { [#"../red_black_tree.rs" 688 14 688 42] internal_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 689 14 689 50] height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 690 14 690 66] has_mapping0 ( * self) (deep_model1 (let (a, _) = result in a)) (let (_, a) = result in a) } - ensures { [#"../red_black_tree.rs" 691 4 691 104] forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping0 ( * self) k v -> le_log0 (deep_model1 (let (a, _) = result in a)) k } - ensures { [#"../red_black_tree.rs" 692 4 693 73] forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping0 ( ^ self) k v = (deep_model1 (let (a, _) = result in a) <> k /\ has_mapping0 ( * self) k v) } + ensures { [#"../red_black_tree.rs" 691 4 691 104] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k -> has_mapping0 ( * self) k v -> le_log0 (deep_model1 (let (a, _) = result in a)) k } + ensures { [#"../red_black_tree.rs" 692 4 693 73] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k + -> has_mapping0 ( ^ self) k v = (deep_model1 (let (a, _) = result in a) <> k /\ has_mapping0 ( * self) k v) } ensures { [#"../red_black_tree.rs" 694 14 694 39] color_invariant0 ( ^ self) } - ensures { [#"../red_black_tree.rs" 695 4 695 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } + ensures { [#"../red_black_tree.rs" 695 4 695 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black + -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } ensures { [#"../red_black_tree.rs" 696 36 696 42] inv20 result } val move_red_right0 [#"../red_black_tree.rs" 571 4 571 45] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : borrowed (RedBlackTree_Node_Type.t_node k v) 
@@ -8976,14 +9790,24 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../red_black_tree.rs" 555 15 555 86] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)))) ( * self)} requires {[#"../red_black_tree.rs" 571 27 571 31] inv6 self} ensures { [#"../red_black_tree.rs" 556 14 556 44] internal_invariant1 ( * result) } - ensures { [#"../red_black_tree.rs" 557 4 559 48] internal_invariant1 ( ^ result) /\ height1 ( * result) = height1 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping1 ( ^ result) k v -> has_mapping1 ( * result) k v) -> internal_invariant1 ( ^ self) } - ensures { [#"../red_black_tree.rs" 560 4 560 97] height1 ( * result) = height1 ( ^ result) -> height1 ( * self) = height1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 557 4 559 48] internal_invariant1 ( ^ result) /\ height1 ( * result) = height1 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k -> has_mapping1 ( ^ result) k v -> has_mapping1 ( * result) k v) -> internal_invariant1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 560 4 560 97] height1 ( * result) = height1 ( ^ result) + -> height1 ( * self) = height1 ( ^ self) } ensures { [#"../red_black_tree.rs" 561 14 561 42] RedBlackTree_Node_Type.node_key ( * result) = RedBlackTree_Node_Type.node_key ( * self) } - ensures { [#"../red_black_tree.rs" 562 4 562 105] forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping1 ( * result) k v -> has_mapping1 ( * self) k v } - ensures { [#"../red_black_tree.rs" 563 4 564 47] forall v : v . forall k : deep_model_ty0 . 
inv11 v -> inv14 k -> has_mapping1 ( * self) k v /\ le_log0 (deep_model1 (RedBlackTree_Node_Type.node_key ( * self))) k -> has_mapping1 ( * result) k v } - ensures { [#"../red_black_tree.rs" 565 4 566 108] forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping1 ( ^ self) k v = (has_mapping1 ( ^ result) k v \/ has_mapping1 ( * self) k v /\ not has_mapping1 ( * result) k v) } + ensures { [#"../red_black_tree.rs" 562 4 562 105] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k -> has_mapping1 ( * result) k v -> has_mapping1 ( * self) k v } + ensures { [#"../red_black_tree.rs" 563 4 564 47] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k + -> has_mapping1 ( * self) k v /\ le_log0 (deep_model1 (RedBlackTree_Node_Type.node_key ( * self))) k + -> has_mapping1 ( * result) k v } + ensures { [#"../red_black_tree.rs" 565 4 566 108] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k + -> has_mapping1 ( ^ self) k v = (has_mapping1 ( ^ result) k v \/ has_mapping1 ( * self) k v /\ not has_mapping1 ( * result) k v) } ensures { [#"../red_black_tree.rs" 567 14 568 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * result) \/ match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * result) } - ensures { [#"../red_black_tree.rs" 569 4 570 45] color_invariant1 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_left ( * result)) = RedBlackTree_Color_Type.C_Black -> RedBlackTree_Node_Type.node_color ( ^ result) = RedBlackTree_Color_Type.C_Black) -> color_invariant1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 569 4 570 45] color_invariant1 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_left ( * result)) = RedBlackTree_Color_Type.C_Black + -> 
RedBlackTree_Node_Type.node_color ( ^ result) = RedBlackTree_Color_Type.C_Black) + -> color_invariant1 ( ^ self) } ensures { [#"../red_black_tree.rs" 571 36 571 45] inv6 result } predicate resolve4 (self : borrowed (RedBlackTree_Tree_Type.t_tree k v)) = 
@@ -9002,14 +9826,24 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../red_black_tree.rs" 526 15 526 86] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self)} requires {[#"../red_black_tree.rs" 542 26 542 30] inv6 self} ensures { [#"../red_black_tree.rs" 527 14 527 44] internal_invariant1 ( * result) } - ensures { [#"../red_black_tree.rs" 528 4 530 48] internal_invariant1 ( ^ result) /\ height1 ( * result) = height1 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping1 ( ^ result) k v -> has_mapping1 ( * result) k v) -> internal_invariant1 ( ^ self) } - ensures { [#"../red_black_tree.rs" 531 4 531 97] height1 ( * result) = height1 ( ^ result) -> height1 ( * self) = height1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 528 4 530 48] internal_invariant1 ( ^ result) /\ height1 ( * result) = height1 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k -> has_mapping1 ( ^ result) k v -> has_mapping1 ( * result) k v) -> internal_invariant1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 531 4 531 97] height1 ( * result) = height1 ( ^ result) + -> height1 ( * self) = height1 ( ^ self) } ensures { [#"../red_black_tree.rs" 532 14 532 42] RedBlackTree_Node_Type.node_key ( * self) = RedBlackTree_Node_Type.node_key ( * result) } - ensures { [#"../red_black_tree.rs" 533 4 533 105] forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping1 ( * result) k v -> has_mapping1 ( * self) k v } - ensures { [#"../red_black_tree.rs" 534 4 535 47] forall v : v . forall k : deep_model_ty0 . 
inv11 v -> inv14 k -> has_mapping1 ( * self) k v /\ le_log0 k (deep_model1 (RedBlackTree_Node_Type.node_key ( * self))) -> has_mapping1 ( * result) k v } - ensures { [#"../red_black_tree.rs" 536 4 537 108] forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping1 ( ^ self) k v = (has_mapping1 ( ^ result) k v \/ has_mapping1 ( * self) k v /\ not has_mapping1 ( * result) k v) } + ensures { [#"../red_black_tree.rs" 533 4 533 105] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k -> has_mapping1 ( * result) k v -> has_mapping1 ( * self) k v } + ensures { [#"../red_black_tree.rs" 534 4 535 47] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k + -> has_mapping1 ( * self) k v /\ le_log0 k (deep_model1 (RedBlackTree_Node_Type.node_key ( * self))) + -> has_mapping1 ( * result) k v } + ensures { [#"../red_black_tree.rs" 536 4 537 108] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k + -> has_mapping1 ( ^ self) k v = (has_mapping1 ( ^ result) k v \/ has_mapping1 ( * self) k v /\ not has_mapping1 ( * result) k v) } ensures { [#"../red_black_tree.rs" 538 14 539 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * result) \/ match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * result) } - ensures { [#"../red_black_tree.rs" 540 4 541 45] color_invariant1 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_right ( * result)) = RedBlackTree_Color_Type.C_Black -> RedBlackTree_Node_Type.node_color ( ^ result) = RedBlackTree_Color_Type.C_Black) -> color_invariant1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 540 4 541 45] color_invariant1 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_right ( * result)) = RedBlackTree_Color_Type.C_Black + -> 
RedBlackTree_Node_Type.node_color ( ^ result) = RedBlackTree_Color_Type.C_Black) + -> color_invariant1 ( ^ self) } ensures { [#"../red_black_tree.rs" 542 35 542 44] inv6 result } predicate resolve2 (self : RedBlackTree_Node_Type.t_node k v) @@ -9024,7 +9858,8 @@ module RedBlackTree_Impl15_DeleteRec val as_ref0 (self : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)) : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v) requires {inv17 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 58 16 58 60] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 58 16 58 60] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 59 16 61 18] self = Core_Option_Option_Type.C_None \/ (exists r : RedBlackTree_Node_Type.t_node k v . inv4 r /\ result = Core_Option_Option_Type.C_Some r /\ self = Core_Option_Option_Type.C_Some r) } ensures { inv19 result } 
@@ -9064,7 +9899,8 @@ module RedBlackTree_Impl15_DeleteRec val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)) requires {inv13 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (RedBlackTree_Node_Type.t_node k v) . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv16 result } 
@@ -9076,12 +9912,14 @@ module RedBlackTree_Impl15_DeleteRec ensures { [#"../red_black_tree.rs" 739 14 739 42] internal_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 740 14 740 50] height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 741 14 744 5] match result with - | Core_Option_Option_Type.C_None -> forall v : v . inv11 v -> not has_mapping0 ( * self) (deep_model0 key) v + | Core_Option_Option_Type.C_None -> forall v : v . inv11 v -> not has_mapping0 ( * self) (deep_model0 key) v | Core_Option_Option_Type.C_Some (k, v) -> deep_model0 key = deep_model1 k /\ has_mapping0 ( * self) (deep_model1 k) v end } - ensures { [#"../red_black_tree.rs" 745 4 745 129] forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping0 ( ^ self) k v = (deep_model0 key <> k /\ has_mapping0 ( * self) k v) } + ensures { [#"../red_black_tree.rs" 745 4 745 129] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k -> has_mapping0 ( ^ self) k v = (deep_model0 key <> k /\ has_mapping0 ( * self) k v) } ensures { [#"../red_black_tree.rs" 746 14 746 39] color_invariant0 ( ^ self) } - ensures { [#"../red_black_tree.rs" 747 4 747 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } + ensures { [#"../red_black_tree.rs" 747 4 747 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black + -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } ensures { [#"../red_black_tree.rs" 748 41 748 55] inv15 result } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -9267,11 +10105,11 @@ module RedBlackTree_Impl15_DeleteRec _35 <- any borrowed (RedBlackTree_Node_Type.t_node k v); assert { [@expl:type invariant] inv6 _36 }; assume { resolve3 _36 }; - [#"../red_black_tree.rs" 756 90 758 17] _27 <- ([#"../red_black_tree.rs" 756 90 758 17] ()); + [#"../red_black_tree.rs" 756 90 758 17] _27 <- ([#"../red_black_tree.rs" 756 90 758 17] [#"../red_black_tree.rs" 756 90 758 17] ()); goto BB21 } BB20 { - [#"../red_black_tree.rs" 758 17 758 17] _27 <- ([#"../red_black_tree.rs" 758 17 758 17] ()); + [#"../red_black_tree.rs" 758 17 758 17] _27 <- ([#"../red_black_tree.rs" 758 17 758 17] [#"../red_black_tree.rs" 758 17 758 17] ()); goto BB21 } BB21 { @@ -9290,7 +10128,7 @@ module RedBlackTree_Impl15_DeleteRec BB23 { [#"../red_black_tree.rs" 759 16 759 17] r <- ([#"../red_black_tree.rs" 759 16 759 17] _38); _38 <- any Core_Option_Option_Type.t_option (k, v); - [#"../red_black_tree.rs" 759 16 759 45] _17 <- ([#"../red_black_tree.rs" 759 16 759 45] ()); + [#"../red_black_tree.rs" 759 16 759 45] _17 <- ([#"../red_black_tree.rs" 759 16 759 45] [#"../red_black_tree.rs" 759 16 759 45] ()); goto BB25 } BB25 { @@ -9326,7 +10164,7 @@ module RedBlackTree_Impl15_DeleteRec BB30 { [#"../red_black_tree.rs" 764 20 764 21] r <- ([#"../red_black_tree.rs" 764 20 764 21] _46); _46 <- any Core_Option_Option_Type.t_option (k, v); - [#"../red_black_tree.rs" 764 20 764 50] _17 <- ([#"../red_black_tree.rs" 764 20 764 50] ()); + [#"../red_black_tree.rs" 764 20 764 50] _17 <- ([#"../red_black_tree.rs" 764 20 764 50] [#"../red_black_tree.rs" 764 20 764 50] ()); goto BB32 } BB32 { @@ -9422,7 +10260,7 @@ module RedBlackTree_Impl15_DeleteRec end } BB48 { - [#"../red_black_tree.rs" 775 21 775 21] _63 <- ([#"../red_black_tree.rs" 775 21 775 21] ()); + [#"../red_black_tree.rs" 775 21 775 21] _63 <- ([#"../red_black_tree.rs" 775 21 775 21] [#"../red_black_tree.rs" 775 21 775 21] ()); goto BB51 } BB49 { 
@@ -9443,7 +10281,7 @@ module RedBlackTree_Impl15_DeleteRec _69 <- any borrowed (RedBlackTree_Node_Type.t_node k v); assert { [@expl:type invariant] inv6 _70 }; assume { resolve3 _70 }; - [#"../red_black_tree.rs" 773 72 775 21] _63 <- ([#"../red_black_tree.rs" 773 72 775 21] ()); + [#"../red_black_tree.rs" 773 72 775 21] _63 <- ([#"../red_black_tree.rs" 773 72 775 21] [#"../red_black_tree.rs" 773 72 775 21] ()); goto BB51 } BB51 { @@ -9525,7 +10363,7 @@ module RedBlackTree_Impl15_DeleteRec BB59 { [#"../red_black_tree.rs" 781 24 781 25] r <- ([#"../red_black_tree.rs" 781 24 781 25] _87); _87 <- any Core_Option_Option_Type.t_option (k, v); - [#"../red_black_tree.rs" 781 24 781 36] _17 <- ([#"../red_black_tree.rs" 781 24 781 36] ()); + [#"../red_black_tree.rs" 781 24 781 36] _17 <- ([#"../red_black_tree.rs" 781 24 781 36] [#"../red_black_tree.rs" 781 24 781 36] ()); goto BB61 } BB61 { @@ -9550,7 +10388,7 @@ module RedBlackTree_Impl15_DeleteRec BB65 { [#"../red_black_tree.rs" 783 24 783 25] r <- ([#"../red_black_tree.rs" 783 24 783 25] _89); _89 <- any Core_Option_Option_Type.t_option (k, v); - [#"../red_black_tree.rs" 783 24 783 54] _17 <- ([#"../red_black_tree.rs" 783 24 783 54] ()); + [#"../red_black_tree.rs" 783 24 783 54] _17 <- ([#"../red_black_tree.rs" 783 24 783 54] [#"../red_black_tree.rs" 783 24 783 54] ()); goto BB67 } BB67 { 
@@ -9615,7 +10453,9 @@ module RedBlackTree_Impl15_Delete requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv8 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -9623,7 +10463,10 @@ module RedBlackTree_Impl15_Delete requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv8 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -9631,7 +10474,10 @@ module RedBlackTree_Impl15_Delete requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv8 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -9642,13 +10488,19 @@ module RedBlackTree_Impl15_Delete requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv8 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv8 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv8 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv8 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -9659,7 +10511,9 @@ module RedBlackTree_Impl15_Delete requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv8 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -9670,7 +10524,9 @@ module RedBlackTree_Impl15_Delete requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv8 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -9681,7 +10537,9 @@ module RedBlackTree_Impl15_Delete requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv8 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -9692,7 +10550,9 @@ module RedBlackTree_Impl15_Delete requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv8 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use Core_Option_Option_Type as Core_Option_Option_Type use map.Map predicate invariant13 (self : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) @@ -9885,7 +10745,8 @@ module RedBlackTree_Impl15_Delete requires {[#"../red_black_tree.rs" 296 14 296 18] inv4 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv4 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv4 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) predicate height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) = [#"../red_black_tree.rs" 339 20 339 61] height0 (RedBlackTree_Node_Type.node_left self) = height0 (RedBlackTree_Node_Type.node_right self) val height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) : bool 
@@ -9910,7 +10771,13 @@ module RedBlackTree_Impl15_Delete ensures { result = has_mapping0 self k v } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv9 v -> inv8 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv9 v -> inv8 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv8 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv8 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -9941,7 +10808,8 @@ module RedBlackTree_Impl15_Delete val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)) requires {inv3 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (RedBlackTree_Node_Type.t_node k v) . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv11 result } 
@@ -9976,12 +10844,14 @@ module RedBlackTree_Impl15_Delete ensures { [#"../red_black_tree.rs" 739 14 739 42] internal_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 740 14 740 50] height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 741 14 744 5] match result with - | Core_Option_Option_Type.C_None -> forall v : v . inv9 v -> not has_mapping0 ( * self) (deep_model1 key) v + | Core_Option_Option_Type.C_None -> forall v : v . inv9 v -> not has_mapping0 ( * self) (deep_model1 key) v | Core_Option_Option_Type.C_Some (k, v) -> deep_model1 key = deep_model0 k /\ has_mapping0 ( * self) (deep_model0 k) v end } - ensures { [#"../red_black_tree.rs" 745 4 745 129] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv8 k -> has_mapping0 ( ^ self) k v = (deep_model1 key <> k /\ has_mapping0 ( * self) k v) } + ensures { [#"../red_black_tree.rs" 745 4 745 129] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv8 k -> has_mapping0 ( ^ self) k v = (deep_model1 key <> k /\ has_mapping0 ( * self) k v) } ensures { [#"../red_black_tree.rs" 746 14 746 39] color_invariant0 ( ^ self) } - ensures { [#"../red_black_tree.rs" 747 4 747 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } + ensures { [#"../red_black_tree.rs" 747 4 747 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black + -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } ensures { [#"../red_black_tree.rs" 748 41 748 55] inv7 result } predicate resolve3 (self : k) 
@@ -10020,7 +10890,10 @@ module RedBlackTree_Impl15_Delete requires {[#"../red_black_tree.rs" 71 8 71 9] inv8 k} ensures { result = model_acc_has_mapping0 self accu k } - axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv4 self) -> ([#"../red_black_tree.rs" 70 8 70 12] inv12 accu) -> ([#"../red_black_tree.rs" 71 8 71 9] inv8 k) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv9 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv4 self) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv12 accu) + -> ([#"../red_black_tree.rs" 71 8 71 9] inv8 k) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv9 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) function has_mapping_model_acc0 [#"../red_black_tree.rs" 89 4 91 33] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = 
@@ -10035,7 +10908,12 @@ module RedBlackTree_Impl15_Delete requires {[#"../red_black_tree.rs" 89 81 89 82] inv8 k} ensures { result = has_mapping_model_acc0 self accu k } - axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 89 29 89 33] inv4 self) -> ([#"../red_black_tree.rs" 89 35 89 39] inv12 accu) -> ([#"../red_black_tree.rs" 89 81 89 82] inv8 k) -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv9 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) + axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 89 29 89 33] inv4 self) + -> ([#"../red_black_tree.rs" 89 35 89 39] inv12 accu) + -> ([#"../red_black_tree.rs" 89 81 89 82] inv8 k) + -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv9 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) function has_mapping_model0 [#"../red_black_tree.rs" 110 4 112 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) : () = 
@@ -10046,7 +10924,11 @@ module RedBlackTree_Impl15_Delete requires {[#"../red_black_tree.rs" 110 31 110 32] inv8 k} ensures { result = has_mapping_model0 self k } - axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 110 25 110 29] inv4 self) -> ([#"../red_black_tree.rs" 110 31 110 32] inv8 k) -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv9 v -> has_mapping0 self k v = (Map.get (shallow_model1 self) k = Core_Option_Option_Type.C_Some v)) + axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 110 25 110 29] inv4 self) + -> ([#"../red_black_tree.rs" 110 31 110 32] inv8 k) + -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv9 v + -> has_mapping0 self k v = (Map.get (shallow_model1 self) k = Core_Option_Option_Type.C_Some v)) let rec cfg delete [#"../red_black_tree.rs" 800 4 800 55] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (RedBlackTree_Tree_Type.t_tree k v)) (key : k) : Core_Option_Option_Type.t_option (k, v) requires {[#"../red_black_tree.rs" 792 15 792 34] invariant0 ( * self)} requires {[#"../red_black_tree.rs" 800 23 800 27] inv6 self} @@ -10115,7 +10997,7 @@ module RedBlackTree_Impl15_Delete assume { resolve1 node }; assert { [@expl:type invariant] inv3 _10 }; assume { resolve2 _10 }; - [#"../red_black_tree.rs" 806 13 806 13] _9 <- ([#"../red_black_tree.rs" 806 13 806 13] ()); + [#"../red_black_tree.rs" 806 13 806 13] _9 <- ([#"../red_black_tree.rs" 806 13 806 13] [#"../red_black_tree.rs" 806 13 806 13] ()); goto BB7 } BB6 { 
@@ -10126,7 +11008,7 @@ module RedBlackTree_Impl15_Delete assume { resolve1 node }; assert { [@expl:type invariant] inv3 _10 }; assume { resolve2 _10 }; - [#"../red_black_tree.rs" 804 35 806 13] _9 <- ([#"../red_black_tree.rs" 804 35 806 13] ()); + [#"../red_black_tree.rs" 804 35 806 13] _9 <- ([#"../red_black_tree.rs" 804 35 806 13] [#"../red_black_tree.rs" 804 35 806 13] ()); goto BB7 } BB7 { @@ -10180,13 +11062,13 @@ module RedBlackTree_Impl15_Delete assume { resolve1 _24 }; assert { [@expl:type invariant] inv6 self }; assume { resolve4 self }; - [#"../red_black_tree.rs" 811 25 813 9] _20 <- ([#"../red_black_tree.rs" 811 25 813 9] ()); + [#"../red_black_tree.rs" 811 25 813 9] _20 <- ([#"../red_black_tree.rs" 811 25 813 9] [#"../red_black_tree.rs" 811 25 813 9] ()); goto BB15 } BB14 { assert { [@expl:type invariant] inv6 self }; assume { resolve4 self }; - [#"../red_black_tree.rs" 813 9 813 9] _20 <- ([#"../red_black_tree.rs" 813 9 813 9] ()); + [#"../red_black_tree.rs" 813 9 813 9] _20 <- ([#"../red_black_tree.rs" 813 9 813 9] [#"../red_black_tree.rs" 813 9 813 9] ()); goto BB15 } BB15 { 
@@ -10232,7 +11114,9 @@ module RedBlackTree_Impl15_Get requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv8 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -10240,7 +11124,10 @@ module RedBlackTree_Impl15_Get requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv8 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -10248,7 +11135,10 @@ module RedBlackTree_Impl15_Get requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv8 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -10259,13 +11149,19 @@ module RedBlackTree_Impl15_Get requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv8 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv8 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv8 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv8 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -10276,7 +11172,9 @@ module RedBlackTree_Impl15_Get requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv8 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -10287,7 +11185,9 @@ module RedBlackTree_Impl15_Get requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv8 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -10298,7 +11198,9 @@ module RedBlackTree_Impl15_Get requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv8 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -10309,7 +11211,9 @@ module RedBlackTree_Impl15_Get requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv8 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant9 (self : deep_model_ty0) val invariant9 (self : deep_model_ty0) : bool ensures { result = invariant9 self } @@ -10458,7 +11362,8 @@ module RedBlackTree_Impl15_Get requires {[#"../red_black_tree.rs" 296 14 296 18] inv7 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv7 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv7 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) predicate height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) = [#"../red_black_tree.rs" 339 20 339 61] height0 (RedBlackTree_Node_Type.node_left self) = height0 (RedBlackTree_Node_Type.node_right self) val height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) : bool 
@@ -10483,7 +11388,13 @@ module RedBlackTree_Impl15_Get ensures { result = has_mapping0 self k v } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv1 v -> inv8 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model1 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv1 v -> inv8 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model1 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv1 v + -> inv8 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model1 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv1 v + -> inv8 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model1 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -10554,7 +11465,10 @@ module RedBlackTree_Impl15_Get requires {[#"../red_black_tree.rs" 71 8 71 9] inv8 k} ensures { result = model_acc_has_mapping0 self accu k } - axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv7 self) -> ([#"../red_black_tree.rs" 70 8 70 12] inv9 accu) -> ([#"../red_black_tree.rs" 71 8 71 9] inv8 k) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv1 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv7 self) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv9 accu) + -> ([#"../red_black_tree.rs" 71 8 71 9] inv8 k) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv1 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) function has_mapping_model_acc0 [#"../red_black_tree.rs" 89 4 91 33] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = 
@@ -10569,7 +11483,12 @@ module RedBlackTree_Impl15_Get requires {[#"../red_black_tree.rs" 89 81 89 82] inv8 k} ensures { result = has_mapping_model_acc0 self accu k } - axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 89 29 89 33] inv7 self) -> ([#"../red_black_tree.rs" 89 35 89 39] inv9 accu) -> ([#"../red_black_tree.rs" 89 81 89 82] inv8 k) -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv1 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) + axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 89 29 89 33] inv7 self) + -> ([#"../red_black_tree.rs" 89 35 89 39] inv9 accu) + -> ([#"../red_black_tree.rs" 89 81 89 82] inv8 k) + -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv1 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) function has_mapping_model0 [#"../red_black_tree.rs" 110 4 112 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) : () = 
@@ -10580,7 +11499,11 @@ module RedBlackTree_Impl15_Get requires {[#"../red_black_tree.rs" 110 31 110 32] inv8 k} ensures { result = has_mapping_model0 self k } - axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 110 25 110 29] inv7 self) -> ([#"../red_black_tree.rs" 110 31 110 32] inv8 k) -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv1 v -> has_mapping0 self k v = (Map.get (shallow_model1 self) k = Core_Option_Option_Type.C_Some v)) + axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 110 25 110 29] inv7 self) + -> ([#"../red_black_tree.rs" 110 31 110 32] inv8 k) + -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv1 v + -> has_mapping0 self k v = (Map.get (shallow_model1 self) k = Core_Option_Option_Type.C_Some v)) let rec cfg get [#"../red_black_tree.rs" 822 4 822 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : RedBlackTree_Tree_Type.t_tree k v) (key : k) : Core_Option_Option_Type.t_option v requires {[#"../red_black_tree.rs" 817 15 817 34] invariant0 self} requires {[#"../red_black_tree.rs" 822 16 822 20] inv0 self} @@ -10621,7 +11544,8 @@ module RedBlackTree_Impl15_Get } BB2 { invariant { [#"../red_black_tree.rs" 826 20 826 43] bst_invariant0 tree }; - invariant { [#"../red_black_tree.rs" 826 8 826 45] forall v : v . inv1 v -> has_mapping0 self (deep_model0 key) v = has_mapping0 tree (deep_model0 key) v }; + invariant { [#"../red_black_tree.rs" 826 8 826 45] forall v : v . inv1 v + -> has_mapping0 self (deep_model0 key) v = has_mapping0 tree (deep_model0 key) v }; goto BB3 } BB3 { 
@@ -10666,7 +11590,7 @@ module RedBlackTree_Impl15_Get assert { [@expl:type invariant] inv0 _27 }; assume { resolve1 _27 }; [#"../red_black_tree.rs" 832 27 832 45] tree <- ([#"../red_black_tree.rs" 832 27 832 45] _27); - [#"../red_black_tree.rs" 832 27 832 45] _12 <- ([#"../red_black_tree.rs" 832 27 832 45] ()); + [#"../red_black_tree.rs" 832 27 832 45] _12 <- ([#"../red_black_tree.rs" 832 27 832 45] [#"../red_black_tree.rs" 832 27 832 45] ()); goto BB13 } BB10 { @@ -10684,7 +11608,7 @@ module RedBlackTree_Impl15_Get assert { [@expl:type invariant] inv0 _22 }; assume { resolve1 _22 }; [#"../red_black_tree.rs" 830 24 830 41] tree <- ([#"../red_black_tree.rs" 830 24 830 41] _22); - [#"../red_black_tree.rs" 830 24 830 41] _12 <- ([#"../red_black_tree.rs" 830 24 830 41] ()); + [#"../red_black_tree.rs" 830 24 830 41] _12 <- ([#"../red_black_tree.rs" 830 24 830 41] [#"../red_black_tree.rs" 830 24 830 41] ()); goto BB13 } BB12 { 
@@ -10744,7 +11668,9 @@ module RedBlackTree_Impl15_GetMut requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -10752,7 +11678,10 @@ module RedBlackTree_Impl15_GetMut requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -10760,7 +11689,10 @@ module RedBlackTree_Impl15_GetMut requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -10771,13 +11703,19 @@ module RedBlackTree_Impl15_GetMut requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -10788,7 +11726,9 @@ module RedBlackTree_Impl15_GetMut requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -10799,7 +11739,9 @@ module RedBlackTree_Impl15_GetMut requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -10810,7 +11752,9 @@ module RedBlackTree_Impl15_GetMut requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -10821,7 +11765,9 @@ module RedBlackTree_Impl15_GetMut requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use prelude.Borrow predicate invariant12 (self : Core_Option_Option_Type.t_option (borrowed v)) val invariant12 (self : Core_Option_Option_Type.t_option (borrowed v)) : bool @@ -10999,7 +11945,8 @@ module RedBlackTree_Impl15_GetMut requires {[#"../red_black_tree.rs" 296 14 296 18] inv6 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv6 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv6 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) predicate height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) = [#"../red_black_tree.rs" 339 20 339 61] height0 (RedBlackTree_Node_Type.node_left self) = height0 (RedBlackTree_Node_Type.node_right self) val height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) : bool 
@@ -11024,7 +11971,13 @@ module RedBlackTree_Impl15_GetMut ensures { result = has_mapping0 self k v } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv1 v -> inv2 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model1 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv1 v -> inv2 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model1 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv1 v + -> inv2 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model1 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv1 v + -> inv2 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model1 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -11115,7 +12068,10 @@ module RedBlackTree_Impl15_GetMut requires {[#"../red_black_tree.rs" 71 8 71 9] inv2 k} ensures { result = model_acc_has_mapping0 self accu k } - axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv6 self) -> ([#"../red_black_tree.rs" 70 8 70 12] inv12 accu) -> ([#"../red_black_tree.rs" 71 8 71 9] inv2 k) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv1 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv6 self) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv12 accu) + -> ([#"../red_black_tree.rs" 71 8 71 9] inv2 k) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv1 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) function has_mapping_model_acc0 [#"../red_black_tree.rs" 89 4 91 33] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = 
@@ -11130,7 +12086,12 @@ module RedBlackTree_Impl15_GetMut requires {[#"../red_black_tree.rs" 89 81 89 82] inv2 k} ensures { result = has_mapping_model_acc0 self accu k } - axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 89 29 89 33] inv6 self) -> ([#"../red_black_tree.rs" 89 35 89 39] inv12 accu) -> ([#"../red_black_tree.rs" 89 81 89 82] inv2 k) -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv1 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) + axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 89 29 89 33] inv6 self) + -> ([#"../red_black_tree.rs" 89 35 89 39] inv12 accu) + -> ([#"../red_black_tree.rs" 89 81 89 82] inv2 k) + -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv1 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) function has_mapping_model0 [#"../red_black_tree.rs" 110 4 112 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) : () = 
@@ -11141,7 +12102,11 @@ module RedBlackTree_Impl15_GetMut requires {[#"../red_black_tree.rs" 110 31 110 32] inv2 k} ensures { result = has_mapping_model0 self k } - axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 110 25 110 29] inv6 self) -> ([#"../red_black_tree.rs" 110 31 110 32] inv2 k) -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv1 v -> has_mapping0 self k v = (Map.get (shallow_model1 self) k = Core_Option_Option_Type.C_Some v)) + axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 110 25 110 29] inv6 self) + -> ([#"../red_black_tree.rs" 110 31 110 32] inv2 k) + -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv1 v + -> has_mapping0 self k v = (Map.get (shallow_model1 self) k = Core_Option_Option_Type.C_Some v)) let rec cfg get_mut [#"../red_black_tree.rs" 844 4 844 56] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (RedBlackTree_Tree_Type.t_tree k v)) (key : k) : Core_Option_Option_Type.t_option (borrowed v) requires {[#"../red_black_tree.rs" 838 15 838 34] invariant0 ( * self)} requires {[#"../red_black_tree.rs" 844 24 844 28] inv7 self} 
@@ -11194,12 +12159,21 @@ module RedBlackTree_Impl15_GetMut invariant { [#"../red_black_tree.rs" 850 20 850 43] bst_invariant0 ( * tree) }; invariant { [#"../red_black_tree.rs" 851 20 851 46] height_invariant0 ( * tree) }; invariant { [#"../red_black_tree.rs" 852 20 852 45] color_invariant0 ( * tree) }; - invariant { [#"../red_black_tree.rs" 850 8 850 45] forall v : v . inv1 v -> has_mapping0 ( ^ tree) (deep_model0 key) v = has_mapping0 ( ^ Snapshot.inner old_self) (deep_model0 key) v }; - invariant { [#"../red_black_tree.rs" 850 8 850 45] forall v : v . inv1 v -> has_mapping0 ( * tree) (deep_model0 key) v = has_mapping0 ( * Snapshot.inner old_self) (deep_model0 key) v }; - invariant { [#"../red_black_tree.rs" 850 8 850 45] (forall v : v . forall k : deep_model_ty0 . inv1 v -> inv2 k -> k = deep_model0 key \/ has_mapping0 ( * tree) k v = has_mapping0 ( ^ tree) k v) -> bst_invariant0 ( ^ tree) -> bst_invariant0 ( ^ Snapshot.inner old_self) }; - invariant { [#"../red_black_tree.rs" 850 8 850 45] height0 ( * tree) = height0 ( ^ tree) /\ height_invariant0 ( ^ tree) -> height_invariant0 ( ^ Snapshot.inner old_self) }; - invariant { [#"../red_black_tree.rs" 850 8 850 45] match_t0 (RedBlackTree_Cp_Type.C_CPL (color0 ( * tree))) ( ^ tree) -> match_t0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) ( ^ Snapshot.inner old_self) }; - invariant { [#"../red_black_tree.rs" 850 8 850 45] forall v : v . forall k : deep_model_ty0 . inv1 v -> inv2 k -> has_mapping0 ( * tree) k v = has_mapping0 ( ^ tree) k v -> has_mapping0 ( * Snapshot.inner old_self) k v = has_mapping0 ( ^ Snapshot.inner old_self) k v }; + invariant { [#"../red_black_tree.rs" 850 8 850 45] forall v : v . inv1 v + -> has_mapping0 ( ^ tree) (deep_model0 key) v = has_mapping0 ( ^ Snapshot.inner old_self) (deep_model0 key) v }; + invariant { [#"../red_black_tree.rs" 850 8 850 45] forall v : v . 
inv1 v + -> has_mapping0 ( * tree) (deep_model0 key) v = has_mapping0 ( * Snapshot.inner old_self) (deep_model0 key) v }; + invariant { [#"../red_black_tree.rs" 850 8 850 45] (forall v : v . forall k : deep_model_ty0 . inv1 v + -> inv2 k -> k = deep_model0 key \/ has_mapping0 ( * tree) k v = has_mapping0 ( ^ tree) k v) + -> bst_invariant0 ( ^ tree) -> bst_invariant0 ( ^ Snapshot.inner old_self) }; + invariant { [#"../red_black_tree.rs" 850 8 850 45] height0 ( * tree) = height0 ( ^ tree) /\ height_invariant0 ( ^ tree) + -> height_invariant0 ( ^ Snapshot.inner old_self) }; + invariant { [#"../red_black_tree.rs" 850 8 850 45] match_t0 (RedBlackTree_Cp_Type.C_CPL (color0 ( * tree))) ( ^ tree) + -> match_t0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) ( ^ Snapshot.inner old_self) }; + invariant { [#"../red_black_tree.rs" 850 8 850 45] forall v : v . forall k : deep_model_ty0 . inv1 v + -> inv2 k + -> has_mapping0 ( * tree) k v = has_mapping0 ( ^ tree) k v + -> has_mapping0 ( * Snapshot.inner old_self) k v = has_mapping0 ( ^ Snapshot.inner old_self) k v }; goto BB4 } BB4 { @@ -11248,7 +12222,7 @@ module RedBlackTree_Impl15_GetMut assume { resolve3 tree }; [#"../red_black_tree.rs" 866 27 866 49] tree <- ([#"../red_black_tree.rs" 866 27 866 49] _36); _36 <- any borrowed (RedBlackTree_Tree_Type.t_tree k v); - [#"../red_black_tree.rs" 866 27 866 49] _22 <- ([#"../red_black_tree.rs" 866 27 866 49] ()); + [#"../red_black_tree.rs" 866 27 866 49] _22 <- ([#"../red_black_tree.rs" 866 27 866 49] [#"../red_black_tree.rs" 866 27 866 49] ()); assert { [@expl:type invariant] inv7 _37 }; assume { resolve3 _37 }; goto BB14 
@@ -11276,7 +12250,7 @@ module RedBlackTree_Impl15_GetMut assume { resolve3 tree }; [#"../red_black_tree.rs" 864 24 864 45] tree <- ([#"../red_black_tree.rs" 864 24 864 45] _31); _31 <- any borrowed (RedBlackTree_Tree_Type.t_tree k v); - [#"../red_black_tree.rs" 864 24 864 45] _22 <- ([#"../red_black_tree.rs" 864 24 864 45] ()); + [#"../red_black_tree.rs" 864 24 864 45] _22 <- ([#"../red_black_tree.rs" 864 24 864 45] [#"../red_black_tree.rs" 864 24 864 45] ()); assert { [@expl:type invariant] inv7 _32 }; assume { resolve3 _32 }; goto BB14 @@ -11345,7 +12319,8 @@ module RedBlackTree_Impl16 axiom inv0 : forall x : RedBlackTree_Color_Type.t_color . inv0 x = true use prelude.Borrow - goal clone'_refn : [#"../red_black_tree.rs" 8 9 8 14] forall self : RedBlackTree_Color_Type.t_color . inv0 self -> (forall result : RedBlackTree_Color_Type.t_color . result = self -> inv1 result /\ result = self) + goal clone'_refn : [#"../red_black_tree.rs" 8 9 8 14] forall self : RedBlackTree_Color_Type.t_color . inv0 self + -> (forall result : RedBlackTree_Color_Type.t_color . result = self -> inv1 result /\ result = self) end module RedBlackTree_Impl17 diff --git a/creusot/tests/should_succeed/replace.mlcfg b/creusot/tests/should_succeed/replace.mlcfg index f360de269f..7b5eafc777 100644 --- a/creusot/tests/should_succeed/replace.mlcfg +++ b/creusot/tests/should_succeed/replace.mlcfg @@ -33,7 +33,7 @@ module Replace_Test goto BB3 } BB3 { - [#"../replace.rs" 8 45 10 1] _0 <- ([#"../replace.rs" 8 45 10 1] ()); + [#"../replace.rs" 8 45 10 1] _0 <- ([#"../replace.rs" 8 45 10 1] [#"../replace.rs" 8 45 10 1] ()); goto BB4 } BB4 { diff --git a/creusot/tests/should_succeed/resolve_uninit.mlcfg b/creusot/tests/should_succeed/resolve_uninit.mlcfg index f4307d233b..3d4b7b50b8 100644 --- a/creusot/tests/should_succeed/resolve_uninit.mlcfg +++ b/creusot/tests/should_succeed/resolve_uninit.mlcfg 
@@ -43,7 +43,7 @@ module ResolveUninit_MaybeUninit end } BB1 { - [#"../resolve_uninit.rs" 8 12 8 24] _6 <- ([#"../resolve_uninit.rs" 8 12 8 24] default0 ()); + [#"../resolve_uninit.rs" 8 12 8 24] _6 <- ([#"../resolve_uninit.rs" 8 12 8 24] default0 ([#"../resolve_uninit.rs" 8 12 8 24] ())); goto BB2 } BB2 { @@ -57,11 +57,11 @@ module ResolveUninit_MaybeUninit goto BB5 } BB5 { - [#"../resolve_uninit.rs" 7 9 9 5] _4 <- ([#"../resolve_uninit.rs" 7 9 9 5] ()); + [#"../resolve_uninit.rs" 7 9 9 5] _4 <- ([#"../resolve_uninit.rs" 7 9 9 5] [#"../resolve_uninit.rs" 7 9 9 5] ()); goto BB7 } BB6 { - [#"../resolve_uninit.rs" 9 5 9 5] _4 <- ([#"../resolve_uninit.rs" 9 5 9 5] ()); + [#"../resolve_uninit.rs" 9 5 9 5] _4 <- ([#"../resolve_uninit.rs" 9 5 9 5] [#"../resolve_uninit.rs" 9 5 9 5] ()); goto BB7 } BB7 { @@ -134,7 +134,7 @@ module ResolveUninit_InitJoin [#"../resolve_uninit.rs" 21 8 21 19] y <- ([#"../resolve_uninit.rs" 21 8 21 19] _9); _9 <- any borrowed int32; assume { resolve0 _10 }; - [#"../resolve_uninit.rs" 19 9 23 5] _5 <- ([#"../resolve_uninit.rs" 19 9 23 5] ()); + [#"../resolve_uninit.rs" 19 9 23 5] _5 <- ([#"../resolve_uninit.rs" 19 9 23 5] [#"../resolve_uninit.rs" 19 9 23 5] ()); goto BB7 } BB2 { 
@@ -145,20 +145,20 @@ module ResolveUninit_InitJoin [#"../resolve_uninit.rs" 24 8 24 18] y <- ([#"../resolve_uninit.rs" 24 8 24 18] _11); _11 <- any borrowed int32; assume { resolve0 _12 }; - [#"../resolve_uninit.rs" 23 11 25 5] _5 <- ([#"../resolve_uninit.rs" 23 11 25 5] ()); + [#"../resolve_uninit.rs" 23 11 25 5] _5 <- ([#"../resolve_uninit.rs" 23 11 25 5] [#"../resolve_uninit.rs" 23 11 25 5] ()); goto BB3 } BB3 { - [#"../resolve_uninit.rs" 27 4 27 10] y <- { y with current = ([#"../resolve_uninit.rs" 27 4 27 10] (5 : int32)) ; }; + [#"../resolve_uninit.rs" 27 4 27 10] y <- { y with current = ([#"../resolve_uninit.rs" 27 4 27 10] [#"../resolve_uninit.rs" 27 9 27 10] (5 : int32)) ; }; assume { resolve0 y }; - [#"../resolve_uninit.rs" 28 12 28 18] _14 <- ([#"../resolve_uninit.rs" 28 12 28 18] x = (5 : int32)); + [#"../resolve_uninit.rs" 28 12 28 18] _14 <- ([#"../resolve_uninit.rs" 28 12 28 18] x = ([#"../resolve_uninit.rs" 28 17 28 18] (5 : int32))); switch (_14) | False -> goto BB5 | True -> goto BB4 end } BB4 { - [#"../resolve_uninit.rs" 15 38 29 1] _0 <- ([#"../resolve_uninit.rs" 15 38 29 1] ()); + [#"../resolve_uninit.rs" 15 38 29 1] _0 <- ([#"../resolve_uninit.rs" 15 38 29 1] [#"../resolve_uninit.rs" 15 38 29 1] ()); return _0 } BB5 { diff --git a/creusot/tests/should_succeed/result/own.mlcfg b/creusot/tests/should_succeed/result/own.mlcfg index 6371b85504..c969ca5575 100644 --- a/creusot/tests/should_succeed/result/own.mlcfg +++ b/creusot/tests/should_succeed/result/own.mlcfg 
@@ -210,8 +210,10 @@ module Own_Impl0_Ok let rec cfg ok [#"../own.rs" 36 4 36 32] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult t e) : Core_Option_Option_Type.t_option t requires {[#"../own.rs" 36 14 36 18] inv0 self} - ensures { [#"../own.rs" 34 4 34 75] forall t : t . inv2 t -> self = Own_OwnResult_Type.C_Ok t -> result = Core_Option_Option_Type.C_Some t } - ensures { [#"../own.rs" 35 4 35 75] (exists e : e . inv1 e /\ self = Own_OwnResult_Type.C_Err e) -> result = Core_Option_Option_Type.C_None } + ensures { [#"../own.rs" 34 4 34 75] forall t : t . inv2 t + -> self = Own_OwnResult_Type.C_Ok t -> result = Core_Option_Option_Type.C_Some t } + ensures { [#"../own.rs" 35 4 35 75] (exists e : e . inv1 e /\ self = Own_OwnResult_Type.C_Err e) + -> result = Core_Option_Option_Type.C_None } ensures { [#"../own.rs" 36 23 36 32] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] @@ -338,8 +340,10 @@ module Own_Impl0_Err let rec cfg err [#"../own.rs" 46 4 46 33] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult t e) : Core_Option_Option_Type.t_option e requires {[#"../own.rs" 46 15 46 19] inv1 self} - ensures { [#"../own.rs" 44 4 44 74] (exists t : t . inv0 t /\ self = Own_OwnResult_Type.C_Ok t) -> result = Core_Option_Option_Type.C_None } - ensures { [#"../own.rs" 45 4 45 76] forall e : e . inv2 e -> self = Own_OwnResult_Type.C_Err e -> result = Core_Option_Option_Type.C_Some e } + ensures { [#"../own.rs" 44 4 44 74] (exists t : t . inv0 t /\ self = Own_OwnResult_Type.C_Ok t) + -> result = Core_Option_Option_Type.C_None } + ensures { [#"../own.rs" 45 4 45 76] forall e : e . inv2 e + -> self = Own_OwnResult_Type.C_Err e -> result = Core_Option_Option_Type.C_Some e } ensures { [#"../own.rs" 46 24 46 33] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -462,8 +466,10 @@ module Own_Impl0_AsRef let rec cfg as_ref [#"../own.rs" 56 4 56 45] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult t e) : Own_OwnResult_Type.t_ownresult t e requires {[#"../own.rs" 56 19 56 23] inv0 self} - ensures { [#"../own.rs" 54 4 54 87] forall t : t . inv1 t -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok t } - ensures { [#"../own.rs" 55 4 55 89] forall e : e . inv2 e -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } + ensures { [#"../own.rs" 54 4 54 87] forall t : t . inv1 t + -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok t } + ensures { [#"../own.rs" 55 4 55 89] forall e : e . inv2 e + -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } ensures { [#"../own.rs" 56 28 56 45] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] @@ -1027,8 +1033,9 @@ module Own_Impl0_UnwrapOr let rec cfg unwrap_or [#"../own.rs" 116 4 116 43] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult t e) (default : t) : t requires {[#"../own.rs" 116 21 116 25] inv1 self} requires {[#"../own.rs" 116 27 116 34] inv0 default} - ensures { [#"../own.rs" 114 4 114 69] forall t : t . inv0 t -> self = Own_OwnResult_Type.C_Ok t -> result = t } - ensures { [#"../own.rs" 115 4 115 78] (exists e : e . inv2 e /\ self = Own_OwnResult_Type.C_Err e) -> result = default } + ensures { [#"../own.rs" 114 4 114 69] forall t : t . inv0 t -> self = Own_OwnResult_Type.C_Ok t -> result = t } + ensures { [#"../own.rs" 115 4 115 78] (exists e : e . inv2 e /\ self = Own_OwnResult_Type.C_Err e) + -> result = default } ensures { [#"../own.rs" 116 42 116 43] inv0 result } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -1159,8 +1166,9 @@ module Own_Impl0_UnwrapOrDefault let rec cfg unwrap_or_default [#"../own.rs" 126 4 128 19] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult t e) : t requires {[#"../own.rs" 126 29 126 33] inv0 self} - ensures { [#"../own.rs" 124 4 124 69] forall t : t . inv1 t -> self = Own_OwnResult_Type.C_Ok t -> result = t } - ensures { [#"../own.rs" 125 4 125 80] (exists e : e . inv2 e /\ self = Own_OwnResult_Type.C_Err e) -> is_default0 result } + ensures { [#"../own.rs" 124 4 124 69] forall t : t . inv1 t -> self = Own_OwnResult_Type.C_Ok t -> result = t } + ensures { [#"../own.rs" 125 4 125 80] (exists e : e . inv2 e /\ self = Own_OwnResult_Type.C_Err e) + -> is_default0 result } ensures { [#"../own.rs" 126 38 126 39] inv1 result } = [@vc:do_not_keep_trace] [@vc:sp] @@ -1188,7 +1196,7 @@ module Own_Impl0_UnwrapOrDefault BB4 { assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../own.rs" 132 33 132 45] _0 <- ([#"../own.rs" 132 33 132 45] default0 ()); + [#"../own.rs" 132 33 132 45] _0 <- ([#"../own.rs" 132 33 132 45] default0 ([#"../own.rs" 132 33 132 45] ())); goto BB8 } BB5 { 
@@ -1289,8 +1297,9 @@ module Own_Impl0_And let rec cfg and [#"../own.rs" 138 4 138 64] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult t e) (res : Own_OwnResult_Type.t_ownresult u e) : Own_OwnResult_Type.t_ownresult u e requires {[#"../own.rs" 138 18 138 22] inv1 self} requires {[#"../own.rs" 138 24 138 27] inv2 res} - ensures { [#"../own.rs" 136 4 136 73] (exists t : t . inv0 t /\ self = Own_OwnResult_Type.C_Ok t) -> result = res } - ensures { [#"../own.rs" 137 4 137 86] forall e : e . inv3 e -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } + ensures { [#"../own.rs" 136 4 136 73] (exists t : t . inv0 t /\ self = Own_OwnResult_Type.C_Ok t) -> result = res } + ensures { [#"../own.rs" 137 4 137 86] forall e : e . inv3 e + -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } ensures { [#"../own.rs" 138 49 138 64] inv2 result } = [@vc:do_not_keep_trace] [@vc:sp] @@ -1439,8 +1448,10 @@ module Own_Impl0_Or let rec cfg or [#"../own.rs" 148 4 148 63] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult t e) (res : Own_OwnResult_Type.t_ownresult t f) : Own_OwnResult_Type.t_ownresult t f requires {[#"../own.rs" 148 17 148 21] inv1 self} requires {[#"../own.rs" 148 23 148 26] inv0 res} - ensures { [#"../own.rs" 146 4 146 84] forall t : t . inv3 t -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok t } - ensures { [#"../own.rs" 147 4 147 74] (exists e : e . inv2 e /\ self = Own_OwnResult_Type.C_Err e) -> result = res } + ensures { [#"../own.rs" 146 4 146 84] forall t : t . inv3 t + -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok t } + ensures { [#"../own.rs" 147 4 147 74] (exists e : e . inv2 e /\ self = Own_OwnResult_Type.C_Err e) + -> result = res } ensures { [#"../own.rs" 148 48 148 63] inv0 result } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -1576,8 +1587,10 @@ module Own_Impl1_Copied let rec cfg copied [#"../own.rs" 160 4 162 16] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult t e) : Own_OwnResult_Type.t_ownresult t e requires {[#"../own.rs" 160 18 160 22] inv0 self} - ensures { [#"../own.rs" 158 4 158 86] forall t : t . inv1 t -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok t } - ensures { [#"../own.rs" 159 4 159 86] forall e : e . inv2 e -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } + ensures { [#"../own.rs" 158 4 158 86] forall t : t . inv1 t + -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok t } + ensures { [#"../own.rs" 159 4 159 86] forall e : e . inv2 e + -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } ensures { [#"../own.rs" 160 27 160 42] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] @@ -1714,8 +1727,10 @@ module Own_Impl1_Cloned let rec cfg cloned [#"../own.rs" 173 4 175 17] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult t e) : Own_OwnResult_Type.t_ownresult t e requires {[#"../own.rs" 173 18 173 22] inv0 self} - ensures { [#"../own.rs" 171 4 171 86] forall t : t . inv1 t -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok t } - ensures { [#"../own.rs" 172 4 172 86] forall e : e . inv2 e -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } + ensures { [#"../own.rs" 171 4 171 86] forall t : t . inv1 t + -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok t } + ensures { [#"../own.rs" 172 4 172 86] forall e : e . inv2 e + -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } ensures { [#"../own.rs" 173 27 173 42] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -1848,8 +1863,10 @@ module Own_Impl2_Copied let rec cfg copied [#"../own.rs" 188 4 190 16] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult (borrowed t) e) : Own_OwnResult_Type.t_ownresult t e requires {[#"../own.rs" 188 18 188 22] inv0 self} - ensures { [#"../own.rs" 186 4 186 105] forall t : borrowed t . inv1 t -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok ( * t) /\ resolve1 t } - ensures { [#"../own.rs" 187 4 187 86] forall e : e . inv2 e -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } + ensures { [#"../own.rs" 186 4 186 105] forall t : borrowed t . inv1 t + -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok ( * t) /\ resolve1 t } + ensures { [#"../own.rs" 187 4 187 86] forall e : e . inv2 e + -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } ensures { [#"../own.rs" 188 27 188 42] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] @@ -1997,8 +2014,10 @@ module Own_Impl2_Cloned let rec cfg cloned [#"../own.rs" 201 4 203 17] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult (borrowed t) e) : Own_OwnResult_Type.t_ownresult t e requires {[#"../own.rs" 201 18 201 22] inv0 self} - ensures { [#"../own.rs" 199 4 199 105] forall t : borrowed t . inv1 t -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok ( * t) /\ resolve1 t } - ensures { [#"../own.rs" 200 4 200 86] forall e : e . inv2 e -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } + ensures { [#"../own.rs" 199 4 199 105] forall t : borrowed t . inv1 t + -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok ( * t) /\ resolve1 t } + ensures { [#"../own.rs" 200 4 200 86] forall e : e . inv2 e + -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } ensures { [#"../own.rs" 201 27 201 42] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -2133,9 +2152,13 @@ module Own_Impl3_Transpose let rec cfg transpose [#"../own.rs" 217 4 217 53] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult (Core_Option_Option_Type.t_option t) e) : Core_Option_Option_Type.t_option (Own_OwnResult_Type.t_ownresult t e) requires {[#"../own.rs" 217 21 217 25] inv0 self} - ensures { [#"../own.rs" 214 4 214 62] self = Own_OwnResult_Type.C_Ok (Core_Option_Option_Type.C_None) -> result = Core_Option_Option_Type.C_None } - ensures { [#"../own.rs" 215 4 215 96] forall t : t . inv1 t -> self = Own_OwnResult_Type.C_Ok (Core_Option_Option_Type.C_Some t) -> result = Core_Option_Option_Type.C_Some (Own_OwnResult_Type.C_Ok t) } - ensures { [#"../own.rs" 216 4 216 92] forall e : e . inv2 e -> self = Own_OwnResult_Type.C_Err e -> result = Core_Option_Option_Type.C_Some (Own_OwnResult_Type.C_Err e) } + ensures { [#"../own.rs" 214 4 214 62] self = Own_OwnResult_Type.C_Ok (Core_Option_Option_Type.C_None) + -> result = Core_Option_Option_Type.C_None } + ensures { [#"../own.rs" 215 4 215 96] forall t : t . inv1 t + -> self = Own_OwnResult_Type.C_Ok (Core_Option_Option_Type.C_Some t) + -> result = Core_Option_Option_Type.C_Some (Own_OwnResult_Type.C_Ok t) } + ensures { [#"../own.rs" 216 4 216 92] forall e : e . inv2 e + -> self = Own_OwnResult_Type.C_Err e -> result = Core_Option_Option_Type.C_Some (Own_OwnResult_Type.C_Err e) } ensures { [#"../own.rs" 217 30 217 53] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] diff --git a/creusot/tests/should_succeed/result/result.mlcfg b/creusot/tests/should_succeed/result/result.mlcfg index b01063af64..c8a974761b 100644 --- a/creusot/tests/should_succeed/result/result.mlcfg +++ b/creusot/tests/should_succeed/result/result.mlcfg 
@@ -178,9 +178,14 @@ module Result_TestResult val transpose0 (self : Core_Result_Result_Type.t_result (Core_Option_Option_Type.t_option int32) int32) : Core_Option_Option_Type.t_option (Core_Result_Result_Type.t_result int32 int32) requires {inv12 self} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 112 16 112 63] self = Core_Result_Result_Type.C_Ok (Core_Option_Option_Type.C_None) -> result = Core_Option_Option_Type.C_None } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 113 16 113 86] forall t : int32 . inv1 t -> self = Core_Result_Result_Type.C_Ok (Core_Option_Option_Type.C_Some t) -> result = Core_Option_Option_Type.C_Some (Core_Result_Result_Type.C_Ok t) } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 114 16 114 82] forall e : int32 . inv1 e -> self = Core_Result_Result_Type.C_Err e -> result = Core_Option_Option_Type.C_Some (Core_Result_Result_Type.C_Err e) } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 112 16 112 63] self = Core_Result_Result_Type.C_Ok (Core_Option_Option_Type.C_None) + -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 113 16 113 86] forall t : int32 . inv1 t + -> self = Core_Result_Result_Type.C_Ok (Core_Option_Option_Type.C_Some t) + -> result = Core_Option_Option_Type.C_Some (Core_Result_Result_Type.C_Ok t) } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 114 16 114 82] forall e : int32 . inv1 e + -> self = Core_Result_Result_Type.C_Err e + -> result = Core_Option_Option_Type.C_Some (Core_Result_Result_Type.C_Err e) } ensures { inv13 result } predicate resolve0 (self : borrowed int32) = 
@@ -190,14 +195,18 @@ module Result_TestResult val cloned1 (self : Core_Result_Result_Type.t_result (borrowed int32) (borrowed int32)) : Core_Result_Result_Type.t_result int32 (borrowed int32) requires {inv9 self} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 104 16 104 95] forall t : borrowed int32 . inv8 t -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok ( * t) /\ resolve0 t } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 105 16 105 76] forall e : borrowed int32 . inv8 e -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 104 16 104 95] forall t : borrowed int32 . inv8 t + -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok ( * t) /\ resolve0 t } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 105 16 105 76] forall e : borrowed int32 . inv8 e + -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } ensures { inv11 result } val cloned0 (self : Core_Result_Result_Type.t_result int32 int32) : Core_Result_Result_Type.t_result int32 int32 requires {inv6 self} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 90 16 90 76] forall t : int32 . inv5 t -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok t } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 91 16 91 76] forall e : int32 . inv5 e -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 90 16 90 76] forall t : int32 . inv5 t + -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok t } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 91 16 91 76] forall e : int32 . 
inv5 e + -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } ensures { inv10 result } val unwrap_err4 (self : Core_Result_Result_Type.t_result int32 (borrowed int32)) : borrowed int32 @@ -214,8 +223,10 @@ module Result_TestResult val copied1 (self : Core_Result_Result_Type.t_result (borrowed int32) (borrowed int32)) : Core_Result_Result_Type.t_result int32 (borrowed int32) requires {inv9 self} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 98 16 98 95] forall t : borrowed int32 . inv8 t -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok ( * t) /\ resolve0 t } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 99 16 99 76] forall e : borrowed int32 . inv8 e -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 98 16 98 95] forall t : borrowed int32 . inv8 t + -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok ( * t) /\ resolve0 t } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 99 16 99 76] forall e : borrowed int32 . inv8 e + -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } ensures { inv11 result } val unwrap_err3 (self : Core_Result_Result_Type.t_result int32 int32) : int32 
@@ -232,22 +243,28 @@ module Result_TestResult val copied0 (self : Core_Result_Result_Type.t_result int32 int32) : Core_Result_Result_Type.t_result int32 int32 requires {inv6 self} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 84 16 84 76] forall t : int32 . inv5 t -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok t } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 85 16 85 76] forall e : int32 . inv5 e -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 84 16 84 76] forall t : int32 . inv5 t + -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok t } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 85 16 85 76] forall e : int32 . inv5 e + -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } ensures { inv10 result } val or0 (self : Core_Result_Result_Type.t_result int32 int32) (res : Core_Result_Result_Type.t_result int32 int32) : Core_Result_Result_Type.t_result int32 int32 requires {inv2 self} requires {inv2 res} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 78 16 78 74] forall t : int32 . inv1 t -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok t } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 79 16 79 75] (exists e : int32 . inv1 e /\ self = Core_Result_Result_Type.C_Err e) -> result = res } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 78 16 78 74] forall t : int32 . inv1 t + -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok t } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 79 16 79 75] (exists e : int32 . 
inv1 e /\ self = Core_Result_Result_Type.C_Err e) + -> result = res } ensures { inv2 result } val and0 (self : Core_Result_Result_Type.t_result int32 int32) (res : Core_Result_Result_Type.t_result int32 int32) : Core_Result_Result_Type.t_result int32 int32 requires {inv2 self} requires {inv2 res} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 74 16 74 74] (exists t : int32 . inv1 t /\ self = Core_Result_Result_Type.C_Ok t) -> result = res } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 75 16 75 76] forall e : int32 . inv1 e -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 74 16 74 74] (exists t : int32 . inv1 t /\ self = Core_Result_Result_Type.C_Ok t) + -> result = res } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 75 16 75 76] forall e : int32 . inv1 e + -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } ensures { inv2 result } use prelude.Int 
@@ -258,15 +275,19 @@ module Result_TestResult val unwrap_or_default0 (self : Core_Result_Result_Type.t_result int32 int32) : int32 requires {inv2 self} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 68 16 68 70] forall t : int32 . inv1 t -> self = Core_Result_Result_Type.C_Ok t -> result = t } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 69 16 69 81] (exists e : int32 . inv1 e /\ self = Core_Result_Result_Type.C_Err e) -> is_default0 result } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 68 16 68 70] forall t : int32 . inv1 t + -> self = Core_Result_Result_Type.C_Ok t -> result = t } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 69 16 69 81] (exists e : int32 . inv1 e /\ self = Core_Result_Result_Type.C_Err e) + -> is_default0 result } ensures { inv1 result } val unwrap_or0 (self : Core_Result_Result_Type.t_result int32 int32) (default : int32) : int32 requires {inv2 self} requires {inv1 default} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 64 16 64 70] forall t : int32 . inv1 t -> self = Core_Result_Result_Type.C_Ok t -> result = t } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 65 16 65 79] (exists e : int32 . inv1 e /\ self = Core_Result_Result_Type.C_Err e) -> result = default } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 64 16 64 70] forall t : int32 . inv1 t + -> self = Core_Result_Result_Type.C_Ok t -> result = t } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 65 16 65 79] (exists e : int32 . inv1 e /\ self = Core_Result_Result_Type.C_Err e) + -> result = default } ensures { inv1 result } val unwrap_err2 (self : Core_Result_Result_Type.t_result int32 int32) : int32 
@@ -312,14 +333,18 @@ module Result_TestResult val as_ref0 (self : Core_Result_Result_Type.t_result int32 int32) : Core_Result_Result_Type.t_result int32 int32 requires {inv0 self} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 36 16 36 77] forall t : int32 . inv5 t -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok t } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 37 16 37 79] forall e : int32 . inv5 e -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 36 16 36 77] forall t : int32 . inv5 t + -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok t } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 37 16 37 79] forall e : int32 . inv5 e + -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } ensures { inv6 result } val err0 (self : Core_Result_Result_Type.t_result int32 int32) : Core_Option_Option_Type.t_option int32 requires {inv2 self} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 32 16 32 75] (exists t : int32 . inv1 t /\ self = Core_Result_Result_Type.C_Ok t) -> result = Core_Option_Option_Type.C_None } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 33 16 33 77] forall e : int32 . inv1 e -> self = Core_Result_Result_Type.C_Err e -> result = Core_Option_Option_Type.C_Some e } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 32 16 32 75] (exists t : int32 . inv1 t /\ self = Core_Result_Result_Type.C_Ok t) + -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 33 16 33 77] forall e : int32 . inv1 e + -> self = Core_Result_Result_Type.C_Err e -> result = Core_Option_Option_Type.C_Some e } ensures { inv3 result } val is_none0 (self : Core_Option_Option_Type.t_option int32) : bool 
@@ -334,8 +359,10 @@ module Result_TestResult val ok0 (self : Core_Result_Result_Type.t_result int32 int32) : Core_Option_Option_Type.t_option int32 requires {inv2 self} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 28 16 28 76] forall t : int32 . inv1 t -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Option_Option_Type.C_Some t } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 29 16 29 76] (exists e : int32 . inv1 e /\ self = Core_Result_Result_Type.C_Err e) -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 28 16 28 76] forall t : int32 . inv1 t + -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Option_Option_Type.C_Some t } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 29 16 29 76] (exists e : int32 . inv1 e /\ self = Core_Result_Result_Type.C_Err e) + -> result = Core_Option_Option_Type.C_None } ensures { inv3 result } val is_err0 (self : Core_Result_Result_Type.t_result int32 int32) : bool @@ -490,8 +517,8 @@ module Result_TestResult goto BB0 } BB0 { - [#"../result.rs" 4 35 4 40] ok <- ([#"../result.rs" 4 35 4 40] Core_Result_Result_Type.C_Ok (1 : int32)); - [#"../result.rs" 5 36 5 43] err <- ([#"../result.rs" 5 36 5 43] Core_Result_Result_Type.C_Err (-1 : int32)); + [#"../result.rs" 4 35 4 40] ok <- ([#"../result.rs" 4 35 4 40] Core_Result_Result_Type.C_Ok ([#"../result.rs" 4 38 4 39] (1 : int32))); + [#"../result.rs" 5 36 5 43] err <- ([#"../result.rs" 5 36 5 43] Core_Result_Result_Type.C_Err ([#"../result.rs" 5 40 5 42] (-1 : int32))); [#"../result.rs" 8 12 8 22] _4 <- ([#"../result.rs" 8 12 8 22] is_ok0 ok); goto BB1 } 
@@ -561,7 +588,7 @@ module Result_TestResult goto BB16 } BB16 { - [#"../result.rs" 13 12 13 33] _16 <- ([#"../result.rs" 13 12 13 33] _17 = (1 : int32)); + [#"../result.rs" 13 12 13 33] _16 <- ([#"../result.rs" 13 12 13 33] _17 = ([#"../result.rs" 13 32 13 33] (1 : int32))); _17 <- any int32; switch (_16) | False -> goto BB18 @@ -618,7 +645,7 @@ module Result_TestResult goto BB28 } BB28 { - [#"../result.rs" 17 12 17 36] _34 <- ([#"../result.rs" 17 12 17 36] _35 = (-1 : int32)); + [#"../result.rs" 17 12 17 36] _34 <- ([#"../result.rs" 17 12 17 36] _35 = ([#"../result.rs" 17 34 17 36] (-1 : int32))); _35 <- any int32; switch (_34) | False -> goto BB30 @@ -639,7 +666,7 @@ module Result_TestResult goto BB32 } BB32 { - [#"../result.rs" 20 12 20 38] _40 <- ([#"../result.rs" 20 12 20 38] _42 = (1 : int32)); + [#"../result.rs" 20 12 20 38] _40 <- ([#"../result.rs" 20 12 20 38] _42 = ([#"../result.rs" 20 37 20 38] (1 : int32))); switch (_40) | False -> goto BB34 | True -> goto BB33 @@ -659,7 +686,7 @@ module Result_TestResult goto BB36 } BB36 { - [#"../result.rs" 21 12 21 44] _47 <- ([#"../result.rs" 21 12 21 44] _49 = (-1 : int32)); + [#"../result.rs" 21 12 21 44] _47 <- ([#"../result.rs" 21 12 21 44] _49 = ([#"../result.rs" 21 42 21 44] (-1 : int32))); switch (_47) | False -> goto BB38 | True -> goto BB37 
@@ -682,13 +709,13 @@ module Result_TestResult goto BB40 } BB40 { - [#"../result.rs" 23 4 23 29] _53 <- { _53 with current = ([#"../result.rs" 23 4 23 29] (0 : int32)) ; }; + [#"../result.rs" 23 4 23 29] _53 <- { _53 with current = ([#"../result.rs" 23 4 23 29] [#"../result.rs" 23 28 23 29] (0 : int32)) ; }; assume { resolve0 _53 }; [#"../result.rs" 24 12 24 23] _58 <- ([#"../result.rs" 24 12 24 23] unwrap3 ok); goto BB41 } BB41 { - [#"../result.rs" 24 12 24 28] _57 <- ([#"../result.rs" 24 12 24 28] _58 = (0 : int32)); + [#"../result.rs" 24 12 24 28] _57 <- ([#"../result.rs" 24 12 24 28] _58 = ([#"../result.rs" 24 27 24 28] (0 : int32))); _58 <- any int32; switch (_57) | False -> goto BB43 @@ -712,13 +739,13 @@ module Result_TestResult goto BB45 } BB45 { - [#"../result.rs" 25 4 25 29] _61 <- { _61 with current = ([#"../result.rs" 25 4 25 29] (1 : int32)) ; }; + [#"../result.rs" 25 4 25 29] _61 <- { _61 with current = ([#"../result.rs" 25 4 25 29] [#"../result.rs" 25 28 25 29] (1 : int32)) ; }; assume { resolve0 _61 }; [#"../result.rs" 26 12 26 23] _66 <- ([#"../result.rs" 26 12 26 23] unwrap3 ok); goto BB46 } BB46 { - [#"../result.rs" 26 12 26 28] _65 <- ([#"../result.rs" 26 12 26 28] _66 = (1 : int32)); + [#"../result.rs" 26 12 26 28] _65 <- ([#"../result.rs" 26 12 26 28] _66 = ([#"../result.rs" 26 27 26 28] (1 : int32))); _66 <- any int32; switch (_65) | False -> goto BB48 
@@ -742,13 +769,13 @@ module Result_TestResult goto BB50 } BB50 { - [#"../result.rs" 27 4 27 34] _69 <- { _69 with current = ([#"../result.rs" 27 4 27 34] (0 : int32)) ; }; + [#"../result.rs" 27 4 27 34] _69 <- { _69 with current = ([#"../result.rs" 27 4 27 34] [#"../result.rs" 27 33 27 34] (0 : int32)) ; }; assume { resolve0 _69 }; [#"../result.rs" 28 12 28 28] _74 <- ([#"../result.rs" 28 12 28 28] unwrap_err2 err); goto BB51 } BB51 { - [#"../result.rs" 28 12 28 33] _73 <- ([#"../result.rs" 28 12 28 33] _74 = (0 : int32)); + [#"../result.rs" 28 12 28 33] _73 <- ([#"../result.rs" 28 12 28 33] _74 = ([#"../result.rs" 28 32 28 33] (0 : int32))); _74 <- any int32; switch (_73) | False -> goto BB53 @@ -772,13 +799,13 @@ module Result_TestResult goto BB55 } BB55 { - [#"../result.rs" 29 4 29 35] _77 <- { _77 with current = ([#"../result.rs" 29 4 29 35] (-1 : int32)) ; }; + [#"../result.rs" 29 4 29 35] _77 <- { _77 with current = ([#"../result.rs" 29 4 29 35] [#"../result.rs" 29 33 29 35] (-1 : int32)) ; }; assume { resolve0 _77 }; [#"../result.rs" 30 12 30 28] _82 <- ([#"../result.rs" 30 12 30 28] unwrap_err2 err); goto BB56 } BB56 { - [#"../result.rs" 30 12 30 34] _81 <- ([#"../result.rs" 30 12 30 34] _82 = (-1 : int32)); + [#"../result.rs" 30 12 30 34] _81 <- ([#"../result.rs" 30 12 30 34] _82 = ([#"../result.rs" 30 32 30 34] (-1 : int32))); _82 <- any int32; switch (_81) | False -> goto BB58 @@ -794,7 +821,7 @@ module Result_TestResult absurd } BB59 { - [#"../result.rs" 33 12 33 28] _86 <- ([#"../result.rs" 33 12 33 28] _87 = (1 : int32)); + [#"../result.rs" 33 12 33 28] _86 <- ([#"../result.rs" 33 12 33 28] _87 = ([#"../result.rs" 33 27 33 28] (1 : int32))); _87 <- any int32; switch (_86) | False -> goto BB61 
@@ -810,7 +837,7 @@ module Result_TestResult absurd } BB62 { - [#"../result.rs" 37 12 37 34] _91 <- ([#"../result.rs" 37 12 37 34] _92 = (-1 : int32)); + [#"../result.rs" 37 12 37 34] _91 <- ([#"../result.rs" 37 12 37 34] _92 = ([#"../result.rs" 37 32 37 34] (-1 : int32))); _92 <- any int32; switch (_91) | False -> goto BB64 @@ -818,7 +845,7 @@ module Result_TestResult end } BB63 { - [#"../result.rs" 40 12 40 27] _97 <- ([#"../result.rs" 40 12 40 27] unwrap_or0 ok (0 : int32)); + [#"../result.rs" 40 12 40 27] _97 <- ([#"../result.rs" 40 12 40 27] unwrap_or0 ok ([#"../result.rs" 40 25 40 26] (0 : int32))); goto BB65 } BB64 { @@ -826,7 +853,7 @@ module Result_TestResult absurd } BB65 { - [#"../result.rs" 40 12 40 32] _96 <- ([#"../result.rs" 40 12 40 32] _97 = (1 : int32)); + [#"../result.rs" 40 12 40 32] _96 <- ([#"../result.rs" 40 12 40 32] _97 = ([#"../result.rs" 40 31 40 32] (1 : int32))); _97 <- any int32; switch (_96) | False -> goto BB67 @@ -834,7 +861,7 @@ module Result_TestResult end } BB66 { - [#"../result.rs" 41 12 41 28] _102 <- ([#"../result.rs" 41 12 41 28] unwrap_or0 err (0 : int32)); + [#"../result.rs" 41 12 41 28] _102 <- ([#"../result.rs" 41 12 41 28] unwrap_or0 err ([#"../result.rs" 41 26 41 27] (0 : int32))); goto BB68 } BB67 { @@ -842,7 +869,7 @@ module Result_TestResult absurd } BB68 { - [#"../result.rs" 41 12 41 33] _101 <- ([#"../result.rs" 41 12 41 33] _102 = (0 : int32)); + [#"../result.rs" 41 12 41 33] _101 <- ([#"../result.rs" 41 12 41 33] _102 = ([#"../result.rs" 41 32 41 33] (0 : int32))); _102 <- any int32; switch (_101) | False -> goto BB70 @@ -858,7 +885,7 @@ module Result_TestResult absurd } BB71 { - [#"../result.rs" 43 12 43 39] _106 <- ([#"../result.rs" 43 12 43 39] _107 = (1 : int32)); + [#"../result.rs" 43 12 43 39] _106 <- ([#"../result.rs" 43 12 43 39] _107 = ([#"../result.rs" 43 38 43 39] (1 : int32))); _107 <- any int32; switch (_106) | False -> goto BB73 
@@ -874,7 +901,7 @@ module Result_TestResult absurd } BB74 { - [#"../result.rs" 44 12 44 40] _111 <- ([#"../result.rs" 44 12 44 40] _112 = (0 : int32)); + [#"../result.rs" 44 12 44 40] _111 <- ([#"../result.rs" 44 12 44 40] _112 = ([#"../result.rs" 44 39 44 40] (0 : int32))); _112 <- any int32; switch (_111) | False -> goto BB76 @@ -882,7 +909,7 @@ module Result_TestResult end } BB75 { - [#"../result.rs" 47 26 47 33] _120 <- ([#"../result.rs" 47 26 47 33] Core_Result_Result_Type.C_Err (-2 : int32)); + [#"../result.rs" 47 26 47 33] _120 <- ([#"../result.rs" 47 26 47 33] Core_Result_Result_Type.C_Err ([#"../result.rs" 47 30 47 32] (-2 : int32))); [#"../result.rs" 47 12 47 34] _118 <- ([#"../result.rs" 47 12 47 34] and0 ok _120); _120 <- any Core_Result_Result_Type.t_result int32 int32; goto BB77 @@ -897,7 +924,7 @@ module Result_TestResult goto BB78 } BB78 { - [#"../result.rs" 47 12 47 53] _116 <- ([#"../result.rs" 47 12 47 53] _117 = (-2 : int32)); + [#"../result.rs" 47 12 47 53] _116 <- ([#"../result.rs" 47 12 47 53] _117 = ([#"../result.rs" 47 51 47 53] (-2 : int32))); _117 <- any int32; switch (_116) | False -> goto BB80 @@ -905,7 +932,7 @@ module Result_TestResult end } BB79 { - [#"../result.rs" 48 19 48 24] _127 <- ([#"../result.rs" 48 19 48 24] Core_Result_Result_Type.C_Ok (2 : int32)); + [#"../result.rs" 48 19 48 24] _127 <- ([#"../result.rs" 48 19 48 24] Core_Result_Result_Type.C_Ok ([#"../result.rs" 48 22 48 23] (2 : int32))); [#"../result.rs" 48 12 48 25] _125 <- ([#"../result.rs" 48 12 48 25] and0 ok _127); _127 <- any Core_Result_Result_Type.t_result int32 int32; goto BB81 @@ -920,7 +947,7 @@ module Result_TestResult goto BB82 } BB82 { - [#"../result.rs" 48 12 48 39] _123 <- ([#"../result.rs" 48 12 48 39] _124 = (2 : int32)); + [#"../result.rs" 48 12 48 39] _123 <- ([#"../result.rs" 48 12 48 39] _124 = ([#"../result.rs" 48 38 48 39] (2 : int32))); _124 <- any int32; switch (_123) | False -> goto BB84 
@@ -928,7 +955,7 @@ module Result_TestResult end } BB83 { - [#"../result.rs" 49 27 49 34] _134 <- ([#"../result.rs" 49 27 49 34] Core_Result_Result_Type.C_Err (-2 : int32)); + [#"../result.rs" 49 27 49 34] _134 <- ([#"../result.rs" 49 27 49 34] Core_Result_Result_Type.C_Err ([#"../result.rs" 49 31 49 33] (-2 : int32))); [#"../result.rs" 49 12 49 35] _132 <- ([#"../result.rs" 49 12 49 35] and0 err _134); _134 <- any Core_Result_Result_Type.t_result int32 int32; goto BB85 @@ -943,7 +970,7 @@ module Result_TestResult goto BB86 } BB86 { - [#"../result.rs" 49 12 49 54] _130 <- ([#"../result.rs" 49 12 49 54] _131 = (-1 : int32)); + [#"../result.rs" 49 12 49 54] _130 <- ([#"../result.rs" 49 12 49 54] _131 = ([#"../result.rs" 49 52 49 54] (-1 : int32))); _131 <- any int32; switch (_130) | False -> goto BB88 @@ -951,7 +978,7 @@ module Result_TestResult end } BB87 { - [#"../result.rs" 50 20 50 25] _141 <- ([#"../result.rs" 50 20 50 25] Core_Result_Result_Type.C_Ok (2 : int32)); + [#"../result.rs" 50 20 50 25] _141 <- ([#"../result.rs" 50 20 50 25] Core_Result_Result_Type.C_Ok ([#"../result.rs" 50 23 50 24] (2 : int32))); [#"../result.rs" 50 12 50 26] _139 <- ([#"../result.rs" 50 12 50 26] and0 err _141); _141 <- any Core_Result_Result_Type.t_result int32 int32; goto BB89 @@ -966,7 +993,7 @@ module Result_TestResult goto BB90 } BB90 { - [#"../result.rs" 50 12 50 45] _137 <- ([#"../result.rs" 50 12 50 45] _138 = (-1 : int32)); + [#"../result.rs" 50 12 50 45] _137 <- ([#"../result.rs" 50 12 50 45] _138 = ([#"../result.rs" 50 43 50 45] (-1 : int32))); _138 <- any int32; switch (_137) | False -> goto BB92 
@@ -974,7 +1001,7 @@ module Result_TestResult end } BB91 { - [#"../result.rs" 53 18 53 25] _148 <- ([#"../result.rs" 53 18 53 25] Core_Result_Result_Type.C_Err (-2 : int32)); + [#"../result.rs" 53 18 53 25] _148 <- ([#"../result.rs" 53 18 53 25] Core_Result_Result_Type.C_Err ([#"../result.rs" 53 22 53 24] (-2 : int32))); [#"../result.rs" 53 12 53 26] _146 <- ([#"../result.rs" 53 12 53 26] or0 ok _148); _148 <- any Core_Result_Result_Type.t_result int32 int32; goto BB93 @@ -989,7 +1016,7 @@ module Result_TestResult goto BB94 } BB94 { - [#"../result.rs" 53 12 53 40] _144 <- ([#"../result.rs" 53 12 53 40] _145 = (1 : int32)); + [#"../result.rs" 53 12 53 40] _144 <- ([#"../result.rs" 53 12 53 40] _145 = ([#"../result.rs" 53 39 53 40] (1 : int32))); _145 <- any int32; switch (_144) | False -> goto BB96 @@ -997,7 +1024,7 @@ module Result_TestResult end } BB95 { - [#"../result.rs" 54 25 54 30] _155 <- ([#"../result.rs" 54 25 54 30] Core_Result_Result_Type.C_Ok (2 : int32)); + [#"../result.rs" 54 25 54 30] _155 <- ([#"../result.rs" 54 25 54 30] Core_Result_Result_Type.C_Ok ([#"../result.rs" 54 28 54 29] (2 : int32))); [#"../result.rs" 54 12 54 31] _153 <- ([#"../result.rs" 54 12 54 31] or0 ok _155); _155 <- any Core_Result_Result_Type.t_result int32 int32; goto BB97 @@ -1012,7 +1039,7 @@ module Result_TestResult goto BB98 } BB98 { - [#"../result.rs" 54 12 54 45] _151 <- ([#"../result.rs" 54 12 54 45] _152 = (1 : int32)); + [#"../result.rs" 54 12 54 45] _151 <- ([#"../result.rs" 54 12 54 45] _152 = ([#"../result.rs" 54 44 54 45] (1 : int32))); _152 <- any int32; switch (_151) | False -> goto BB100 
@@ -1020,7 +1047,7 @@ module Result_TestResult end } BB99 { - [#"../result.rs" 55 19 55 26] _162 <- ([#"../result.rs" 55 19 55 26] Core_Result_Result_Type.C_Err (-2 : int32)); + [#"../result.rs" 55 19 55 26] _162 <- ([#"../result.rs" 55 19 55 26] Core_Result_Result_Type.C_Err ([#"../result.rs" 55 23 55 25] (-2 : int32))); [#"../result.rs" 55 12 55 27] _160 <- ([#"../result.rs" 55 12 55 27] or0 err _162); _162 <- any Core_Result_Result_Type.t_result int32 int32; goto BB101 @@ -1035,7 +1062,7 @@ module Result_TestResult goto BB102 } BB102 { - [#"../result.rs" 55 12 55 46] _158 <- ([#"../result.rs" 55 12 55 46] _159 = (-2 : int32)); + [#"../result.rs" 55 12 55 46] _158 <- ([#"../result.rs" 55 12 55 46] _159 = ([#"../result.rs" 55 44 55 46] (-2 : int32))); _159 <- any int32; switch (_158) | False -> goto BB104 @@ -1043,7 +1070,7 @@ module Result_TestResult end } BB103 { - [#"../result.rs" 56 26 56 31] _169 <- ([#"../result.rs" 56 26 56 31] Core_Result_Result_Type.C_Ok (2 : int32)); + [#"../result.rs" 56 26 56 31] _169 <- ([#"../result.rs" 56 26 56 31] Core_Result_Result_Type.C_Ok ([#"../result.rs" 56 29 56 30] (2 : int32))); [#"../result.rs" 56 12 56 32] _167 <- ([#"../result.rs" 56 12 56 32] or0 err _169); _169 <- any Core_Result_Result_Type.t_result int32 int32; goto BB105 @@ -1058,7 +1085,7 @@ module Result_TestResult goto BB106 } BB106 { - [#"../result.rs" 56 12 56 46] _165 <- ([#"../result.rs" 56 12 56 46] _166 = (2 : int32)); + [#"../result.rs" 56 12 56 46] _165 <- ([#"../result.rs" 56 12 56 46] _166 = ([#"../result.rs" 56 45 56 46] (2 : int32))); _166 <- any int32; switch (_165) | False -> goto BB108 @@ -1084,7 +1111,7 @@ module Result_TestResult goto BB111 } BB111 { - [#"../result.rs" 59 12 59 46] _172 <- ([#"../result.rs" 59 12 59 46] _173 = (1 : int32)); + [#"../result.rs" 59 12 59 46] _172 <- ([#"../result.rs" 59 12 59 46] _173 = ([#"../result.rs" 59 45 59 46] (1 : int32))); _173 <- any int32; switch (_172) | False -> goto BB113 
@@ -1110,7 +1137,7 @@ module Result_TestResult goto BB116 } BB116 { - [#"../result.rs" 60 12 60 53] _179 <- ([#"../result.rs" 60 12 60 53] _181 = (-1 : int32)); + [#"../result.rs" 60 12 60 53] _179 <- ([#"../result.rs" 60 12 60 53] _181 = ([#"../result.rs" 60 51 60 53] (-1 : int32))); switch (_179) | False -> goto BB118 | True -> goto BB117 @@ -1138,7 +1165,7 @@ module Result_TestResult goto BB121 } BB121 { - [#"../result.rs" 61 12 61 46] _187 <- ([#"../result.rs" 61 12 61 46] _188 = (1 : int32)); + [#"../result.rs" 61 12 61 46] _187 <- ([#"../result.rs" 61 12 61 46] _188 = ([#"../result.rs" 61 45 61 46] (1 : int32))); _188 <- any int32; switch (_187) | False -> goto BB123 @@ -1168,7 +1195,7 @@ module Result_TestResult } BB126 { assume { resolve0 _196 }; - [#"../result.rs" 62 12 62 53] _194 <- ([#"../result.rs" 62 12 62 53] * _196 = (-1 : int32)); + [#"../result.rs" 62 12 62 53] _194 <- ([#"../result.rs" 62 12 62 53] * _196 = ([#"../result.rs" 62 51 62 53] (-1 : int32))); switch (_194) | False -> goto BB128 | True -> goto BB127 @@ -1193,7 +1220,7 @@ module Result_TestResult goto BB131 } BB131 { - [#"../result.rs" 64 12 64 46] _202 <- ([#"../result.rs" 64 12 64 46] _203 = (1 : int32)); + [#"../result.rs" 64 12 64 46] _202 <- ([#"../result.rs" 64 12 64 46] _203 = ([#"../result.rs" 64 45 64 46] (1 : int32))); _203 <- any int32; switch (_202) | False -> goto BB133 @@ -1219,7 +1246,7 @@ module Result_TestResult goto BB136 } BB136 { - [#"../result.rs" 65 12 65 53] _209 <- ([#"../result.rs" 65 12 65 53] _211 = (-1 : int32)); + [#"../result.rs" 65 12 65 53] _209 <- ([#"../result.rs" 65 12 65 53] _211 = ([#"../result.rs" 65 51 65 53] (-1 : int32))); switch (_209) | False -> goto BB138 | True -> goto BB137 
@@ -1247,7 +1274,7 @@ module Result_TestResult goto BB141 } BB141 { - [#"../result.rs" 66 12 66 46] _217 <- ([#"../result.rs" 66 12 66 46] _218 = (1 : int32)); + [#"../result.rs" 66 12 66 46] _217 <- ([#"../result.rs" 66 12 66 46] _218 = ([#"../result.rs" 66 45 66 46] (1 : int32))); _218 <- any int32; switch (_217) | False -> goto BB143 @@ -1277,7 +1304,7 @@ module Result_TestResult } BB146 { assume { resolve0 _226 }; - [#"../result.rs" 67 12 67 53] _224 <- ([#"../result.rs" 67 12 67 53] * _226 = (-1 : int32)); + [#"../result.rs" 67 12 67 53] _224 <- ([#"../result.rs" 67 12 67 53] * _226 = ([#"../result.rs" 67 51 67 53] (-1 : int32))); switch (_224) | False -> goto BB148 | True -> goto BB147 @@ -1305,7 +1332,7 @@ module Result_TestResult end } BB151 { - [#"../result.rs" 72 43 72 50] _240 <- ([#"../result.rs" 72 43 72 50] Core_Option_Option_Type.C_Some (1 : int32)); + [#"../result.rs" 72 43 72 50] _240 <- ([#"../result.rs" 72 43 72 50] Core_Option_Option_Type.C_Some ([#"../result.rs" 72 48 72 49] (1 : int32))); [#"../result.rs" 72 40 72 51] res1 <- ([#"../result.rs" 72 40 72 51] Core_Result_Result_Type.C_Ok _240); _240 <- any Core_Option_Option_Type.t_option int32; [#"../result.rs" 73 12 73 27] _245 <- ([#"../result.rs" 73 12 73 27] transpose0 res1); @@ -1326,7 +1353,7 @@ module Result_TestResult goto BB155 } BB155 { - [#"../result.rs" 73 12 73 50] _242 <- ([#"../result.rs" 73 12 73 50] _243 = (1 : int32)); + [#"../result.rs" 73 12 73 50] _242 <- ([#"../result.rs" 73 12 73 50] _243 = ([#"../result.rs" 73 49 73 50] (1 : int32))); _243 <- any int32; switch (_242) | False -> goto BB157 
@@ -1334,7 +1361,7 @@ module Result_TestResult end } BB156 { - [#"../result.rs" 74 40 74 47] res2 <- ([#"../result.rs" 74 40 74 47] Core_Result_Result_Type.C_Err (-1 : int32)); + [#"../result.rs" 74 40 74 47] res2 <- ([#"../result.rs" 74 40 74 47] Core_Result_Result_Type.C_Err ([#"../result.rs" 74 44 74 46] (-1 : int32))); [#"../result.rs" 75 12 75 27] _253 <- ([#"../result.rs" 75 12 75 27] transpose0 res2); goto BB158 } @@ -1353,7 +1380,7 @@ module Result_TestResult goto BB160 } BB160 { - [#"../result.rs" 75 12 75 55] _250 <- ([#"../result.rs" 75 12 75 55] _251 = (-1 : int32)); + [#"../result.rs" 75 12 75 55] _250 <- ([#"../result.rs" 75 12 75 55] _251 = ([#"../result.rs" 75 53 75 55] (-1 : int32))); _251 <- any int32; switch (_250) | False -> goto BB162 @@ -1361,7 +1388,7 @@ module Result_TestResult end } BB161 { - [#"../result.rs" 3 21 76 1] _0 <- ([#"../result.rs" 3 21 76 1] ()); + [#"../result.rs" 3 21 76 1] _0 <- ([#"../result.rs" 3 21 76 1] [#"../result.rs" 3 21 76 1] ()); return _0 } BB162 { diff --git a/creusot/tests/should_succeed/rusthorn/inc_max.mlcfg b/creusot/tests/should_succeed/rusthorn/inc_max.mlcfg index 6bc1d51054..aa6551e937 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_max.mlcfg +++ b/creusot/tests/should_succeed/rusthorn/inc_max.mlcfg @@ -110,7 +110,7 @@ module IncMax_IncMax BB1 { assume { resolve0 _8 }; assume { resolve0 _6 }; - [#"../inc_max.rs" 17 4 17 12] mc <- { mc with current = ([#"../inc_max.rs" 17 4 17 12] * mc + (1 : uint32)) ; }; + [#"../inc_max.rs" 17 4 17 12] mc <- { mc with current = ([#"../inc_max.rs" 17 4 17 12] * mc + ([#"../inc_max.rs" 17 11 17 12] (1 : uint32))) ; }; assume { resolve0 mc }; [#"../inc_max.rs" 18 12 18 18] _10 <- ([#"../inc_max.rs" 18 12 18 18] a <> b); switch (_10) 
@@ -119,7 +119,7 @@ module IncMax_IncMax end } BB2 { - [#"../inc_max.rs" 15 39 19 1] _0 <- ([#"../inc_max.rs" 15 39 19 1] ()); + [#"../inc_max.rs" 15 39 19 1] _0 <- ([#"../inc_max.rs" 15 39 19 1] [#"../inc_max.rs" 15 39 19 1] ()); return _0 } BB3 { diff --git a/creusot/tests/should_succeed/rusthorn/inc_max_3.mlcfg b/creusot/tests/should_succeed/rusthorn/inc_max_3.mlcfg index 426d30ec0c..218a4d16d3 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_max_3.mlcfg +++ b/creusot/tests/should_succeed/rusthorn/inc_max_3.mlcfg @@ -73,11 +73,11 @@ module IncMax3_IncMax3 BB2 { assume { resolve0 _14 }; assume { resolve0 _12 }; - [#"../inc_max_3.rs" 13 17 15 5] _6 <- ([#"../inc_max_3.rs" 13 17 15 5] ()); + [#"../inc_max_3.rs" 13 17 15 5] _6 <- ([#"../inc_max_3.rs" 13 17 15 5] [#"../inc_max_3.rs" 13 17 15 5] ()); goto BB4 } BB3 { - [#"../inc_max_3.rs" 15 5 15 5] _6 <- ([#"../inc_max_3.rs" 15 5 15 5] ()); + [#"../inc_max_3.rs" 15 5 15 5] _6 <- ([#"../inc_max_3.rs" 15 5 15 5] [#"../inc_max_3.rs" 15 5 15 5] ()); goto BB4 } BB4 { @@ -105,12 +105,12 @@ module IncMax3_IncMax3 assume { resolve0 _23 }; assume { resolve0 _21 }; assume { resolve1 mc }; - [#"../inc_max_3.rs" 16 17 18 5] _15 <- ([#"../inc_max_3.rs" 16 17 18 5] ()); + [#"../inc_max_3.rs" 16 17 18 5] _15 <- ([#"../inc_max_3.rs" 16 17 18 5] [#"../inc_max_3.rs" 16 17 18 5] ()); goto BB8 } BB7 { assume { resolve1 mc }; - [#"../inc_max_3.rs" 18 5 18 5] _15 <- ([#"../inc_max_3.rs" 18 5 18 5] ()); + [#"../inc_max_3.rs" 18 5 18 5] _15 <- ([#"../inc_max_3.rs" 18 5 18 5] [#"../inc_max_3.rs" 18 5 18 5] ()); goto BB8 } BB8 { 
@@ -137,19 +137,19 @@ module IncMax3_IncMax3 BB10 { assume { resolve0 _32 }; assume { resolve0 _30 }; - [#"../inc_max_3.rs" 19 17 21 5] _24 <- ([#"../inc_max_3.rs" 19 17 21 5] ()); + [#"../inc_max_3.rs" 19 17 21 5] _24 <- ([#"../inc_max_3.rs" 19 17 21 5] [#"../inc_max_3.rs" 19 17 21 5] ()); goto BB12 } BB11 { - [#"../inc_max_3.rs" 21 5 21 5] _24 <- ([#"../inc_max_3.rs" 21 5 21 5] ()); + [#"../inc_max_3.rs" 21 5 21 5] _24 <- ([#"../inc_max_3.rs" 21 5 21 5] [#"../inc_max_3.rs" 21 5 21 5] ()); goto BB12 } BB12 { - [#"../inc_max_3.rs" 22 4 22 12] ma <- { ma with current = ([#"../inc_max_3.rs" 22 4 22 12] * ma + (2 : uint32)) ; }; + [#"../inc_max_3.rs" 22 4 22 12] ma <- { ma with current = ([#"../inc_max_3.rs" 22 4 22 12] * ma + ([#"../inc_max_3.rs" 22 11 22 12] (2 : uint32))) ; }; assume { resolve1 ma }; - [#"../inc_max_3.rs" 23 4 23 12] mb <- { mb with current = ([#"../inc_max_3.rs" 23 4 23 12] * mb + (1 : uint32)) ; }; + [#"../inc_max_3.rs" 23 4 23 12] mb <- { mb with current = ([#"../inc_max_3.rs" 23 4 23 12] * mb + ([#"../inc_max_3.rs" 23 11 23 12] (1 : uint32))) ; }; assume { resolve1 mb }; - [#"../inc_max_3.rs" 12 80 24 1] _0 <- ([#"../inc_max_3.rs" 12 80 24 1] ()); + [#"../inc_max_3.rs" 12 80 24 1] _0 <- ([#"../inc_max_3.rs" 12 80 24 1] [#"../inc_max_3.rs" 12 80 24 1] ()); return _0 } @@ -232,7 +232,7 @@ module IncMax3_TestIncMax3 end } BB4 { - [#"../inc_max_3.rs" 27 58 30 1] _0 <- ([#"../inc_max_3.rs" 27 58 30 1] ()); + [#"../inc_max_3.rs" 27 58 30 1] _0 <- ([#"../inc_max_3.rs" 27 58 30 1] [#"../inc_max_3.rs" 27 58 30 1] ()); return _0 } BB5 { diff --git a/creusot/tests/should_succeed/rusthorn/inc_max_many.mlcfg b/creusot/tests/should_succeed/rusthorn/inc_max_many.mlcfg index 62e0af910a..2d21ff1091 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_max_many.mlcfg +++ b/creusot/tests/should_succeed/rusthorn/inc_max_many.mlcfg 
@@ -137,7 +137,7 @@ module IncMaxMany_IncMaxMany end } BB4 { - [#"../inc_max_many.rs" 15 52 19 1] _0 <- ([#"../inc_max_many.rs" 15 52 19 1] ()); + [#"../inc_max_many.rs" 15 52 19 1] _0 <- ([#"../inc_max_many.rs" 15 52 19 1] [#"../inc_max_many.rs" 15 52 19 1] ()); return _0 } BB5 { diff --git a/creusot/tests/should_succeed/rusthorn/inc_max_repeat.mlcfg b/creusot/tests/should_succeed/rusthorn/inc_max_repeat.mlcfg index b673e8b19e..e86d370e18 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_max_repeat.mlcfg +++ b/creusot/tests/should_succeed/rusthorn/inc_max_repeat.mlcfg 
@@ -139,7 +139,9 @@ module IncMaxRepeat_IncMaxRepeat predicate produces0 (self : Core_Ops_Range_Range_Type.t_range uint32) (visited : Seq.seq uint32) (o : Core_Ops_Range_Range_Type.t_range uint32) = - [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range uint32) (visited : Seq.seq uint32) (o : Core_Ops_Range_Range_Type.t_range uint32) : bool ensures { result = produces0 self visited o } 
@@ -155,14 +157,22 @@ module IncMaxRepeat_IncMaxRepeat requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range uint32, ab : Seq.seq uint32, b : Core_Ops_Range_Range_Type.t_range uint32, bc : Seq.seq uint32, c : Core_Ops_Range_Range_Type.t_range uint32 . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv3 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv3 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range uint32, ab : Seq.seq uint32, b : Core_Ops_Range_Range_Type.t_range uint32, bc : Seq.seq uint32, c : Core_Ops_Range_Range_Type.t_range uint32 . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv3 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv3 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range uint32) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range uint32) : () requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range uint32 . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range uint32 . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : Core_Ops_Range_Range_Type.t_range uint32) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant0 (self : Core_Ops_Range_Range_Type.t_range uint32) : bool 
@@ -254,7 +264,7 @@ module IncMaxRepeat_IncMaxRepeat goto BB0 } BB0 { - [#"../inc_max_repeat.rs" 18 13 18 17] _7 <- ([#"../inc_max_repeat.rs" 18 13 18 17] Core_Ops_Range_Range_Type.C_Range (0 : uint32) n); + [#"../inc_max_repeat.rs" 18 13 18 17] _7 <- ([#"../inc_max_repeat.rs" 18 13 18 17] Core_Ops_Range_Range_Type.C_Range ([#"../inc_max_repeat.rs" 18 13 18 14] (0 : uint32)) n); [#"../inc_max_repeat.rs" 16 4 16 86] iter <- ([#"../inc_max_repeat.rs" 16 4 16 86] into_iter0 _7); _7 <- any Core_Ops_Range_Range_Type.t_range uint32; goto BB1 @@ -333,7 +343,7 @@ module IncMaxRepeat_IncMaxRepeat BB12 { assume { resolve1 _29 }; assume { resolve1 _27 }; - [#"../inc_max_repeat.rs" 20 8 20 16] mc <- { mc with current = ([#"../inc_max_repeat.rs" 20 8 20 16] * mc + (1 : uint32)) ; }; + [#"../inc_max_repeat.rs" 20 8 20 16] mc <- { mc with current = ([#"../inc_max_repeat.rs" 20 8 20 16] * mc + ([#"../inc_max_repeat.rs" 20 15 20 16] (1 : uint32))) ; }; assume { resolve1 mc }; goto BB4 } @@ -350,7 +360,7 @@ module IncMaxRepeat_IncMaxRepeat end } BB15 { - [#"../inc_max_repeat.rs" 15 54 23 1] _0 <- ([#"../inc_max_repeat.rs" 15 54 23 1] ()); + [#"../inc_max_repeat.rs" 15 54 23 1] _0 <- ([#"../inc_max_repeat.rs" 15 54 23 1] [#"../inc_max_repeat.rs" 15 54 23 1] ()); return _0 } BB16 { diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_2_list.mlcfg b/creusot/tests/should_succeed/rusthorn/inc_some_2_list.mlcfg index f91b29fa98..273ac399dc 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_some_2_list.mlcfg +++ b/creusot/tests/should_succeed/rusthorn/inc_some_2_list.mlcfg 
@@ -33,7 +33,8 @@ module IncSome2List_Impl0_LemmaSumNonneg_Impl constant self : IncSome2List_List_Type.t_list function lemma_sum_nonneg [#"../inc_some_2_list.rs" 34 4 34 30] (self : IncSome2List_List_Type.t_list) : () goal vc_lemma_sum_nonneg : match self with - | IncSome2List_List_Type.C_Cons _ l -> ([#"../inc_some_2_list.rs" 33 14 33 29] sum0 l >= 0) -> ([#"../inc_some_2_list.rs" 33 14 33 29] sum0 self >= 0) + | IncSome2List_List_Type.C_Cons _ l -> ([#"../inc_some_2_list.rs" 33 14 33 29] sum0 l >= 0) + -> ([#"../inc_some_2_list.rs" 33 14 33 29] sum0 self >= 0) | IncSome2List_List_Type.C_Nil -> [#"../inc_some_2_list.rs" 33 14 33 29] sum0 self >= 0 end end @@ -74,7 +75,7 @@ module IncSome2List_Impl0_SumX goto BB4 } BB2 { - [#"../inc_some_2_list.rs" 46 19 46 20] _0 <- ([#"../inc_some_2_list.rs" 46 19 46 20] (0 : uint32)); + [#"../inc_some_2_list.rs" 46 19 46 20] _0 <- ([#"../inc_some_2_list.rs" 46 19 46 20] [#"../inc_some_2_list.rs" 46 19 46 20] (0 : uint32)); goto BB6 } BB3 { @@ -189,7 +190,7 @@ module IncSome2List_Impl0_TakeSomeRest goto BB5 } BB5 { - [#"../inc_some_2_list.rs" 58 19 58 27] _10 <- ([#"../inc_some_2_list.rs" 58 19 58 27] random0 ()); + [#"../inc_some_2_list.rs" 58 19 58 27] _10 <- ([#"../inc_some_2_list.rs" 58 19 58 27] random0 ([#"../inc_some_2_list.rs" 58 19 58 27] ())); goto BB6 } BB6 { @@ -351,7 +352,7 @@ module IncSome2List_IncSome2List end } BB6 { - [#"../inc_some_2_list.rs" 70 52 77 1] _0 <- ([#"../inc_some_2_list.rs" 70 52 77 1] ()); + [#"../inc_some_2_list.rs" 70 52 77 1] _0 <- ([#"../inc_some_2_list.rs" 70 52 77 1] [#"../inc_some_2_list.rs" 70 52 77 1] ()); goto BB8 } BB7 { diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_2_tree.mlcfg b/creusot/tests/should_succeed/rusthorn/inc_some_2_tree.mlcfg index 81af8dc36f..029d3943a1 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_some_2_tree.mlcfg +++ b/creusot/tests/should_succeed/rusthorn/inc_some_2_tree.mlcfg 
@@ -38,7 +38,9 @@ module IncSome2Tree_Impl0_LemmaSumNonneg_Impl constant self : IncSome2Tree_Tree_Type.t_tree function lemma_sum_nonneg [#"../inc_some_2_tree.rs" 33 4 33 30] (self : IncSome2Tree_Tree_Type.t_tree) : () goal vc_lemma_sum_nonneg : match self with - | IncSome2Tree_Tree_Type.C_Node tl _ tr -> ([#"../inc_some_2_tree.rs" 32 14 32 29] sum0 tl >= 0) -> (let _ = lemma_sum_nonneg tl in ([#"../inc_some_2_tree.rs" 32 14 32 29] sum0 tr >= 0) -> (let _ = lemma_sum_nonneg tr in [#"../inc_some_2_tree.rs" 32 14 32 29] sum0 self >= 0)) + | IncSome2Tree_Tree_Type.C_Node tl _ tr -> ([#"../inc_some_2_tree.rs" 32 14 32 29] sum0 tl >= 0) + -> (let _ = lemma_sum_nonneg tl in ([#"../inc_some_2_tree.rs" 32 14 32 29] sum0 tr >= 0) + -> (let _ = lemma_sum_nonneg tr in [#"../inc_some_2_tree.rs" 32 14 32 29] sum0 self >= 0)) | IncSome2Tree_Tree_Type.C_Leaf -> [#"../inc_some_2_tree.rs" 32 14 32 29] sum0 self >= 0 end end @@ -91,7 +93,7 @@ module IncSome2Tree_Impl0_SumX goto BB4 } BB2 { - [#"../inc_some_2_tree.rs" 55 20 55 21] _0 <- ([#"../inc_some_2_tree.rs" 55 20 55 21] (0 : uint32)); + [#"../inc_some_2_tree.rs" 55 20 55 21] _0 <- ([#"../inc_some_2_tree.rs" 55 20 55 21] [#"../inc_some_2_tree.rs" 55 20 55 21] (0 : uint32)); goto BB7 } BB3 { 
@@ -217,7 +219,7 @@ module IncSome2Tree_Impl0_TakeSomeRest [#"../inc_some_2_tree.rs" 65 26 65 29] mtr <- Borrow.borrow_final (IncSome2Tree_Tree_Type.node_2 ( * self)) (Borrow.inherit_id (Borrow.get_id self) 3); [#"../inc_some_2_tree.rs" 65 26 65 29] self <- { self with current = (let IncSome2Tree_Tree_Type.C_Node x0 x1 x2 = * self in IncSome2Tree_Tree_Type.C_Node x0 x1 ( ^ mtr)) ; }; assert { [@expl:assertion] [#"../inc_some_2_tree.rs" 67 20 67 42] let _ = lemma_sum_nonneg0 ( * mtl) in let _ = lemma_sum_nonneg0 ( * mtr) in true }; - [#"../inc_some_2_tree.rs" 71 19 71 27] _11 <- ([#"../inc_some_2_tree.rs" 71 19 71 27] random0 ()); + [#"../inc_some_2_tree.rs" 71 19 71 27] _11 <- ([#"../inc_some_2_tree.rs" 71 19 71 27] random0 ([#"../inc_some_2_tree.rs" 71 19 71 27] ())); goto BB5 } BB5 { @@ -229,7 +231,7 @@ module IncSome2Tree_Impl0_TakeSomeRest BB6 { [#"../inc_some_2_tree.rs" 72 21 72 23] _12 <- Borrow.borrow_final ( * ma) (Borrow.get_id ma); [#"../inc_some_2_tree.rs" 72 21 72 23] ma <- { ma with current = ( ^ _12) ; }; - [#"../inc_some_2_tree.rs" 72 28 72 36] _15 <- ([#"../inc_some_2_tree.rs" 72 28 72 36] random0 ()); + [#"../inc_some_2_tree.rs" 72 28 72 36] _15 <- ([#"../inc_some_2_tree.rs" 72 28 72 36] random0 ([#"../inc_some_2_tree.rs" 72 28 72 36] ())); goto BB7 } BB7 { @@ -264,7 +266,7 @@ module IncSome2Tree_Impl0_TakeSomeRest } BB11 { assume { resolve0 ma }; - [#"../inc_some_2_tree.rs" 73 26 73 34] _17 <- ([#"../inc_some_2_tree.rs" 73 26 73 34] random0 ()); + [#"../inc_some_2_tree.rs" 73 26 73 34] _17 <- ([#"../inc_some_2_tree.rs" 73 26 73 34] random0 ([#"../inc_some_2_tree.rs" 73 26 73 34] ())); goto BB12 } BB12 { @@ -431,7 +433,7 @@ module IncSome2Tree_IncSome2Tree end } BB6 { - [#"../inc_some_2_tree.rs" 85 52 92 1] _0 <- ([#"../inc_some_2_tree.rs" 85 52 92 1] ()); + [#"../inc_some_2_tree.rs" 85 52 92 1] _0 <- ([#"../inc_some_2_tree.rs" 85 52 92 1] [#"../inc_some_2_tree.rs" 85 52 92 1] ()); goto BB8 } BB7 { 
diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_list.mlcfg b/creusot/tests/should_succeed/rusthorn/inc_some_list.mlcfg index 18a224e3c3..71fbe503c1 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_some_list.mlcfg +++ b/creusot/tests/should_succeed/rusthorn/inc_some_list.mlcfg @@ -33,7 +33,8 @@ module IncSomeList_Impl0_LemmaSumNonneg_Impl constant self : IncSomeList_List_Type.t_list function lemma_sum_nonneg [#"../inc_some_list.rs" 33 4 33 30] (self : IncSomeList_List_Type.t_list) : () goal vc_lemma_sum_nonneg : match self with - | IncSomeList_List_Type.C_Cons _ l -> ([#"../inc_some_list.rs" 32 14 32 29] sum0 l >= 0) -> ([#"../inc_some_list.rs" 32 14 32 29] sum0 self >= 0) + | IncSomeList_List_Type.C_Cons _ l -> ([#"../inc_some_list.rs" 32 14 32 29] sum0 l >= 0) + -> ([#"../inc_some_list.rs" 32 14 32 29] sum0 self >= 0) | IncSomeList_List_Type.C_Nil -> [#"../inc_some_list.rs" 32 14 32 29] sum0 self >= 0 end end @@ -74,7 +75,7 @@ module IncSomeList_Impl0_SumX goto BB4 } BB2 { - [#"../inc_some_list.rs" 45 19 45 20] _0 <- ([#"../inc_some_list.rs" 45 19 45 20] (0 : uint32)); + [#"../inc_some_list.rs" 45 19 45 20] _0 <- ([#"../inc_some_list.rs" 45 19 45 20] [#"../inc_some_list.rs" 45 19 45 20] (0 : uint32)); goto BB6 } BB3 { @@ -192,7 +193,7 @@ module IncSomeList_Impl0_TakeSome goto BB5 } BB5 { - [#"../inc_some_list.rs" 55 19 55 27] _13 <- ([#"../inc_some_list.rs" 55 19 55 27] random0 ()); + [#"../inc_some_list.rs" 55 19 55 27] _13 <- ([#"../inc_some_list.rs" 55 19 55 27] random0 ([#"../inc_some_list.rs" 55 19 55 27] ())); goto BB6 } BB6 { @@ -330,7 +331,7 @@ module IncSomeList_IncSomeList end } BB5 { - [#"../inc_some_list.rs" 67 42 72 1] _0 <- ([#"../inc_some_list.rs" 67 42 72 1] ()); + [#"../inc_some_list.rs" 67 42 72 1] _0 <- ([#"../inc_some_list.rs" 67 42 72 1] [#"../inc_some_list.rs" 67 42 72 1] ()); goto BB7 } BB6 { 
diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_tree.mlcfg b/creusot/tests/should_succeed/rusthorn/inc_some_tree.mlcfg index 31f1d09150..8b17f81846 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_some_tree.mlcfg +++ b/creusot/tests/should_succeed/rusthorn/inc_some_tree.mlcfg @@ -38,7 +38,9 @@ module IncSomeTree_Impl0_LemmaSumNonneg_Impl constant self : IncSomeTree_Tree_Type.t_tree function lemma_sum_nonneg [#"../inc_some_tree.rs" 33 4 33 30] (self : IncSomeTree_Tree_Type.t_tree) : () goal vc_lemma_sum_nonneg : match self with - | IncSomeTree_Tree_Type.C_Node tl _ tr -> ([#"../inc_some_tree.rs" 32 14 32 29] sum0 tl >= 0) -> (let _ = lemma_sum_nonneg tl in ([#"../inc_some_tree.rs" 32 14 32 29] sum0 tr >= 0) -> (let _ = lemma_sum_nonneg tr in [#"../inc_some_tree.rs" 32 14 32 29] sum0 self >= 0)) + | IncSomeTree_Tree_Type.C_Node tl _ tr -> ([#"../inc_some_tree.rs" 32 14 32 29] sum0 tl >= 0) + -> (let _ = lemma_sum_nonneg tl in ([#"../inc_some_tree.rs" 32 14 32 29] sum0 tr >= 0) + -> (let _ = lemma_sum_nonneg tr in [#"../inc_some_tree.rs" 32 14 32 29] sum0 self >= 0)) | IncSomeTree_Tree_Type.C_Leaf -> [#"../inc_some_tree.rs" 32 14 32 29] sum0 self >= 0 end end @@ -91,7 +93,7 @@ module IncSomeTree_Impl0_SumX goto BB4 } BB2 { - [#"../inc_some_tree.rs" 55 20 55 21] _0 <- ([#"../inc_some_tree.rs" 55 20 55 21] (0 : uint32)); + [#"../inc_some_tree.rs" 55 20 55 21] _0 <- ([#"../inc_some_tree.rs" 55 20 55 21] [#"../inc_some_tree.rs" 55 20 55 21] (0 : uint32)); goto BB7 } BB3 { 
@@ -219,7 +221,7 @@ module IncSomeTree_Impl0_TakeSome [#"../inc_some_tree.rs" 63 26 63 29] mtr <- Borrow.borrow_final (IncSomeTree_Tree_Type.node_2 ( * self)) (Borrow.inherit_id (Borrow.get_id self) 3); [#"../inc_some_tree.rs" 63 26 63 29] self <- { self with current = (let IncSomeTree_Tree_Type.C_Node x0 x1 x2 = * self in IncSomeTree_Tree_Type.C_Node x0 x1 ( ^ mtr)) ; }; assert { [@expl:assertion] [#"../inc_some_tree.rs" 65 20 65 42] let _ = lemma_sum_nonneg0 ( * mtl) in let _ = lemma_sum_nonneg0 ( * mtr) in true }; - [#"../inc_some_tree.rs" 69 19 69 27] _14 <- ([#"../inc_some_tree.rs" 69 19 69 27] random0 ()); + [#"../inc_some_tree.rs" 69 19 69 27] _14 <- ([#"../inc_some_tree.rs" 69 19 69 27] random0 ([#"../inc_some_tree.rs" 69 19 69 27] ())); goto BB5 } BB5 { @@ -240,7 +242,7 @@ module IncSomeTree_Impl0_TakeSome } BB7 { assume { resolve0 ma }; - [#"../inc_some_tree.rs" 71 26 71 34] _16 <- ([#"../inc_some_tree.rs" 71 26 71 34] random0 ()); + [#"../inc_some_tree.rs" 71 26 71 34] _16 <- ([#"../inc_some_tree.rs" 71 26 71 34] random0 ([#"../inc_some_tree.rs" 71 26 71 34] ())); goto BB8 } BB8 { @@ -390,7 +392,7 @@ module IncSomeTree_IncSomeTree end } BB5 { - [#"../inc_some_tree.rs" 83 42 88 1] _0 <- ([#"../inc_some_tree.rs" 83 42 88 1] ()); + [#"../inc_some_tree.rs" 83 42 88 1] _0 <- ([#"../inc_some_tree.rs" 83 42 88 1] [#"../inc_some_tree.rs" 83 42 88 1] ()); goto BB7 } BB6 { diff --git a/creusot/tests/should_succeed/selection_sort_generic.mlcfg b/creusot/tests/should_succeed/selection_sort_generic.mlcfg index 561b842d2c..eed53ff567 100644 --- a/creusot/tests/should_succeed/selection_sort_generic.mlcfg +++ b/creusot/tests/should_succeed/selection_sort_generic.mlcfg 
@@ -197,7 +197,8 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv12 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv12 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv12 (shallow_model3 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -224,7 +225,9 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv14 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -232,7 +235,10 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv14 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -240,7 +246,10 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv14 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -251,13 +260,19 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv14 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv14 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv14 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv14 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -268,7 +283,9 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv14 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -279,7 +296,9 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv14 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -290,7 +309,9 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv14 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -301,7 +322,9 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv14 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use seq.Seq predicate inv1 (_x : Core_Ops_Range_Range_Type.t_range usize) val inv1 (_x : Core_Ops_Range_Range_Type.t_range usize) : bool 
@@ -318,7 +341,9 @@ module SelectionSortGeneric_SelectionSort predicate produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model2 (Core_Ops_Range_Range_Type.range_start self) <= deep_model2 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model2 (Core_Ops_Range_Range_Type.range_start o) <= deep_model2 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model2 (Core_Ops_Range_Range_Type.range_start o) - deep_model2 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model2 (Seq.get visited i) = deep_model2 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model2 (Core_Ops_Range_Range_Type.range_start self) <= deep_model2 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model2 (Core_Ops_Range_Range_Type.range_start o) <= deep_model2 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model2 (Core_Ops_Range_Range_Type.range_start o) - deep_model2 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model2 (Seq.get visited i) = deep_model2 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces0 self visited o } 
@@ -334,14 +359,22 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv1 a) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv13 ab) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv1 b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv13 bc) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv1 a) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv13 ab) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv1 b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv13 bc) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant1 (self : Core_Ops_Range_Range_Type.t_range usize) = [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant1 (self : Core_Ops_Range_Range_Type.t_range usize) : bool 
@@ -362,7 +395,8 @@ module SelectionSortGeneric_SelectionSort use seq.Seq predicate sorted_range0 [#"../selection_sort_generic.rs" 10 0 10 63] (s : Seq.seq deep_model_ty0) (l : int) (u : int) = - [#"../selection_sort_generic.rs" 11 4 13 5] forall j : int . forall i : int . l <= i /\ i < j /\ j < u -> le_log0 (Seq.get s i) (Seq.get s j) + [#"../selection_sort_generic.rs" 11 4 13 5] forall j : int . forall i : int . l <= i /\ i < j /\ j < u + -> le_log0 (Seq.get s i) (Seq.get s j) val sorted_range0 [#"../selection_sort_generic.rs" 10 0 10 63] (s : Seq.seq deep_model_ty0) (l : int) (u : int) : bool ensures { result = sorted_range0 s l u } 
@@ -389,7 +423,9 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv3 self} ensures { result = deep_model1 self } - axiom deep_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv3 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv11 (deep_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) -> Seq.get (deep_model1 self) i = deep_model4 (index_logic2 self i)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model3 self) = Seq.length (deep_model1 self)) + axiom deep_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv3 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv11 (deep_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) + -> Seq.get (deep_model1 self) i = deep_model4 (index_logic2 self i)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model3 self) = Seq.length (deep_model1 self)) predicate resolve4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool 
@@ -407,7 +443,8 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model7 self } - axiom shallow_model7_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv12 (shallow_model7 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model7 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) + axiom shallow_model7_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv12 (shallow_model7 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model7 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) function shallow_model6 (self : borrowed (slice t)) : Seq.seq t = [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model7 ( * self) val shallow_model6 (self : borrowed (slice t)) : Seq.seq t 
@@ -487,7 +524,8 @@ module SelectionSortGeneric_SelectionSort ensures { inv9 result } predicate partition0 [#"../selection_sort_generic.rs" 24 0 24 52] (v : Seq.seq deep_model_ty0) (i : int) = - [#"../selection_sort_generic.rs" 25 4 25 106] forall k2 : int . forall k1 : int . 0 <= k1 /\ k1 < i /\ i <= k2 /\ k2 < Seq.length v -> le_log0 (Seq.get v k1) (Seq.get v k2) + [#"../selection_sort_generic.rs" 25 4 25 106] forall k2 : int . forall k1 : int . 0 <= k1 /\ k1 < i /\ i <= k2 /\ k2 < Seq.length v + -> le_log0 (Seq.get v k1) (Seq.get v k2) val partition0 [#"../selection_sort_generic.rs" 24 0 24 52] (v : Seq.seq deep_model_ty0) (i : int) : bool ensures { result = partition0 v i } @@ -606,7 +644,7 @@ module SelectionSortGeneric_SelectionSort goto BB2 } BB2 { - [#"../selection_sort_generic.rs" 38 13 38 23] _7 <- ([#"../selection_sort_generic.rs" 38 13 38 23] Core_Ops_Range_Range_Type.C_Range (0 : usize) _8); + [#"../selection_sort_generic.rs" 38 13 38 23] _7 <- ([#"../selection_sort_generic.rs" 38 13 38 23] Core_Ops_Range_Range_Type.C_Range ([#"../selection_sort_generic.rs" 38 13 38 14] (0 : usize)) _8); _8 <- any usize; [#"../selection_sort_generic.rs" 35 4 35 43] iter <- ([#"../selection_sort_generic.rs" 35 4 35 43] into_iter0 _7); _7 <- any Core_Ops_Range_Range_Type.t_range usize; @@ -650,7 +688,7 @@ module SelectionSortGeneric_SelectionSort BB9 { assert { [@expl:type invariant] inv6 v }; assume { resolve4 v }; - [#"../selection_sort_generic.rs" 35 4 35 43] _0 <- ([#"../selection_sort_generic.rs" 35 4 35 43] ()); + [#"../selection_sort_generic.rs" 35 4 35 43] _0 <- ([#"../selection_sort_generic.rs" 35 4 35 43] [#"../selection_sort_generic.rs" 35 4 35 43] ()); return _0 } BB10 { 
@@ -670,7 +708,7 @@ module SelectionSortGeneric_SelectionSort _25 <- any Snapshot.snap_ty (Seq.seq usize); [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] i <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem); [#"../selection_sort_generic.rs" 39 22 39 23] min <- ([#"../selection_sort_generic.rs" 39 22 39 23] i); - [#"../selection_sort_generic.rs" 43 17 43 24] _32 <- ([#"../selection_sort_generic.rs" 43 17 43 24] i + (1 : usize)); + [#"../selection_sort_generic.rs" 43 17 43 24] _32 <- ([#"../selection_sort_generic.rs" 43 17 43 24] i + ([#"../selection_sort_generic.rs" 43 22 43 23] (1 : usize))); [#"../selection_sort_generic.rs" 43 26 43 33] _34 <- ([#"../selection_sort_generic.rs" 43 26 43 33] len0 ( * v)); goto BB14 } @@ -696,7 +734,8 @@ module SelectionSortGeneric_SelectionSort BB18 { invariant { [#"../selection_sort_generic.rs" 41 8 41 121] inv1 iter1 }; invariant { [#"../selection_sort_generic.rs" 41 8 41 121] produces0 (Snapshot.inner iter_old1) (Snapshot.inner produced1) iter1 }; - invariant { [#"../selection_sort_generic.rs" 41 8 41 121] forall k : int . UIntSize.to_int i <= k /\ k < Seq.length (Snapshot.inner produced1) + UIntSize.to_int i + 1 -> le_log0 (Seq.get (deep_model0 v) (UIntSize.to_int min)) (Seq.get (deep_model0 v) k) }; + invariant { [#"../selection_sort_generic.rs" 41 8 41 121] forall k : int . UIntSize.to_int i <= k /\ k < Seq.length (Snapshot.inner produced1) + UIntSize.to_int i + 1 + -> le_log0 (Seq.get (deep_model0 v) (UIntSize.to_int min)) (Seq.get (deep_model0 v) k) }; invariant { [#"../selection_sort_generic.rs" 42 20 42 64] UIntSize.to_int i <= UIntSize.to_int min /\ UIntSize.to_int min < Seq.length (Snapshot.inner produced1) + UIntSize.to_int i + 1 }; goto BB19 } 
@@ -759,11 +798,11 @@ module SelectionSortGeneric_SelectionSort } BB28 { [#"../selection_sort_generic.rs" 45 16 45 23] min <- ([#"../selection_sort_generic.rs" 45 16 45 23] j); - [#"../selection_sort_generic.rs" 44 29 46 13] _19 <- ([#"../selection_sort_generic.rs" 44 29 46 13] ()); + [#"../selection_sort_generic.rs" 44 29 46 13] _19 <- ([#"../selection_sort_generic.rs" 44 29 46 13] [#"../selection_sort_generic.rs" 44 29 46 13] ()); goto BB30 } BB29 { - [#"../selection_sort_generic.rs" 46 13 46 13] _19 <- ([#"../selection_sort_generic.rs" 46 13 46 13] ()); + [#"../selection_sort_generic.rs" 46 13 46 13] _19 <- ([#"../selection_sort_generic.rs" 46 13 46 13] [#"../selection_sort_generic.rs" 46 13 46 13] ()); goto BB30 } BB30 { @@ -780,8 +819,9 @@ module SelectionSortGeneric_SelectionSort BB32 { assert { [@expl:type invariant] inv5 _65 }; assume { resolve3 _65 }; - assert { [@expl:assertion] [#"../selection_sort_generic.rs" 49 8 50 63] let i = Seq.length (Snapshot.inner produced) in forall k2 : int . forall k1 : int . 0 <= k1 /\ k1 < i /\ i <= k2 /\ k2 < Seq.length (deep_model0 v) -> le_log0 (Seq.get (deep_model0 v) k1) (Seq.get (deep_model0 v) k2) }; - [#"../selection_sort_generic.rs" 38 24 51 5] _19 <- ([#"../selection_sort_generic.rs" 38 24 51 5] ()); + assert { [@expl:assertion] [#"../selection_sort_generic.rs" 49 8 50 63] let i = Seq.length (Snapshot.inner produced) in forall k2 : int . forall k1 : int . 0 <= k1 /\ k1 < i /\ i <= k2 /\ k2 < Seq.length (deep_model0 v) + -> le_log0 (Seq.get (deep_model0 v) k1) (Seq.get (deep_model0 v) k2) }; + [#"../selection_sort_generic.rs" 38 24 51 5] _19 <- ([#"../selection_sort_generic.rs" 38 24 51 5] [#"../selection_sort_generic.rs" 38 24 51 5] ()); goto BB6 } BB34 { diff --git a/creusot/tests/should_succeed/slices/01.mlcfg b/creusot/tests/should_succeed/slices/01.mlcfg index 7dcf15e7b8..0f5016e73f 100644 --- a/creusot/tests/should_succeed/slices/01.mlcfg +++ b/creusot/tests/should_succeed/slices/01.mlcfg 
@@ -35,7 +35,8 @@ module C01_IndexSlice requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv1 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv1 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) use prelude.Borrow function shallow_model0 (self : slice uint32) : Seq.seq uint32 = [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model1 self @@ -55,7 +56,7 @@ module C01_IndexSlice goto BB0 } BB0 { - [#"../01.rs" 7 6 7 8] _3 <- ([#"../01.rs" 7 6 7 8] (10 : usize)); + [#"../01.rs" 7 6 7 8] _3 <- ([#"../01.rs" 7 6 7 8] [#"../01.rs" 7 6 7 8] (10 : usize)); [#"../01.rs" 7 4 7 9] _4 <- ([#"../01.rs" 7 4 7 9] Slice.length a); [#"../01.rs" 7 4 7 9] _5 <- ([#"../01.rs" 7 4 7 9] _3 < _4); assert { [@expl:index in bounds] [#"../01.rs" 7 4 7 9] _5 }; 
@@ -105,7 +106,8 @@ module C01_IndexMutSlice requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv1 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model2 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv1 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model2 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) function index_logic0 [@inline:trivial] (self : slice uint32) (ix : int) : uint32 = [#"../../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model2 self) ix val index_logic0 [@inline:trivial] (self : slice uint32) (ix : int) : uint32 
@@ -136,16 +138,16 @@ module C01_IndexMutSlice goto BB0 } BB0 { - [#"../01.rs" 13 6 13 7] _4 <- ([#"../01.rs" 13 6 13 7] (2 : usize)); + [#"../01.rs" 13 6 13 7] _4 <- ([#"../01.rs" 13 6 13 7] [#"../01.rs" 13 6 13 7] (2 : usize)); [#"../01.rs" 13 4 13 8] _5 <- ([#"../01.rs" 13 4 13 8] Slice.length ( * a)); [#"../01.rs" 13 4 13 8] _6 <- ([#"../01.rs" 13 4 13 8] _4 < _5); assert { [@expl:index in bounds] [#"../01.rs" 13 4 13 8] _6 }; goto BB1 } BB1 { - [#"../01.rs" 13 4 13 12] a <- { a with current = Slice.set ( * a) _4 ([#"../01.rs" 13 4 13 12] (3 : uint32)) ; }; + [#"../01.rs" 13 4 13 12] a <- { a with current = Slice.set ( * a) _4 ([#"../01.rs" 13 4 13 12] [#"../01.rs" 13 11 13 12] (3 : uint32)) ; }; assume { resolve0 a }; - [#"../01.rs" 12 38 14 1] _0 <- ([#"../01.rs" 12 38 14 1] ()); + [#"../01.rs" 12 38 14 1] _0 <- ([#"../01.rs" 12 38 14 1] [#"../01.rs" 12 38 14 1] ()); return _0 } 
@@ -218,7 +220,8 @@ module C01_SliceFirst requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv4 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model2 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv4 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model2 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) use prelude.Borrow function shallow_model0 (self : slice t) : Seq.seq t = [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model2 self @@ -268,7 +271,7 @@ module C01_SliceFirst goto BB1 } BB1 { - [#"../01.rs" 21 7 21 18] _3 <- ([#"../01.rs" 21 7 21 18] _4 > (0 : usize)); + [#"../01.rs" 21 7 21 18] _3 <- ([#"../01.rs" 21 7 21 18] _4 > ([#"../01.rs" 21 17 21 18] (0 : usize))); _4 <- any usize; switch (_3) | False -> goto BB4 @@ -276,7 +279,7 @@ module C01_SliceFirst end } BB2 { - [#"../01.rs" 22 16 22 17] _8 <- ([#"../01.rs" 22 16 22 17] (0 : usize)); + [#"../01.rs" 22 16 22 17] _8 <- ([#"../01.rs" 22 16 22 17] [#"../01.rs" 22 16 22 17] (0 : usize)); [#"../01.rs" 22 14 22 18] _9 <- ([#"../01.rs" 22 14 22 18] Slice.length a); [#"../01.rs" 22 14 22 18] _10 <- ([#"../01.rs" 22 14 22 18] _8 < _9); assert { [@expl:index in bounds] [#"../01.rs" 22 14 22 18] _10 }; 
diff --git a/creusot/tests/should_succeed/slices/02_std.mlcfg b/creusot/tests/should_succeed/slices/02_std.mlcfg index 45e95c27e8..44aa1c6d0e 100644 --- a/creusot/tests/should_succeed/slices/02_std.mlcfg +++ b/creusot/tests/should_succeed/slices/02_std.mlcfg @@ -102,7 +102,8 @@ module C02Std_BinarySearch requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv6 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model3 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv6 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model3 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) function index_logic0 [@inline:trivial] (self : slice uint32) (ix : int) : uint32 = [#"../../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model3 self) ix val index_logic0 [@inline:trivial] (self : slice uint32) (ix : int) : uint32 
@@ -138,10 +139,13 @@ module C02Std_BinarySearch requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 32 18 32 22] inv4 self} ensures { result = deep_model1 self } - axiom deep_model1_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 32 18 32 22] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 32 4 32 44] inv5 (deep_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 31 4 31 98] forall i : int . 0 <= i /\ i < Seq.length (deep_model1 self) -> Seq.get (deep_model1 self) i = deep_model3 (index_logic0 self i)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 30 14 30 44] Seq.length (shallow_model1 self) = Seq.length (deep_model1 self)) + axiom deep_model1_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 32 18 32 22] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 32 4 32 44] inv5 (deep_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 31 4 31 98] forall i : int . 0 <= i /\ i < Seq.length (deep_model1 self) + -> Seq.get (deep_model1 self) i = deep_model3 (index_logic0 self i)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 30 14 30 44] Seq.length (shallow_model1 self) = Seq.length (deep_model1 self)) use int.Int predicate sorted_range0 (self : Seq.seq int) (l : int) (u : int) = - [#"../../../../../creusot-contracts/src/logic/seq.rs" 138 8 140 9] forall j : int . forall i : int . l <= i /\ i <= j /\ j < u -> Seq.get self i <= Seq.get self j + [#"../../../../../creusot-contracts/src/logic/seq.rs" 138 8 140 9] forall j : int . forall i : int . l <= i /\ i <= j /\ j < u + -> Seq.get self i <= Seq.get self j val sorted_range0 (self : Seq.seq int) (l : int) (u : int) : bool ensures { result = sorted_range0 self l u } 
@@ -159,15 +163,22 @@ module C02Std_BinarySearch requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 238 0 334 1] sorted0 (deep_model0 self)} requires {inv0 self} requires {inv1 x} - ensures { [#"../../../../../creusot-contracts/src/std/slice.rs" 304 8 304 118] forall i : usize . result = Core_Result_Result_Type.C_Ok i -> UIntSize.to_int i < Seq.length (shallow_model1 self) /\ Seq.get (deep_model1 self) (UIntSize.to_int i) = deep_model2 x } - ensures { [#"../../../../../creusot-contracts/src/std/slice.rs" 305 8 306 96] forall i : usize . result = Core_Result_Result_Type.C_Err i -> UIntSize.to_int i <= Seq.length (shallow_model1 self) /\ (forall j : int . 0 <= j /\ j < Seq.length (shallow_model1 self) -> Seq.get (deep_model0 self) j <> deep_model2 x) } - ensures { [#"../../../../../creusot-contracts/src/std/slice.rs" 307 8 308 78] forall i : usize . result = Core_Result_Result_Type.C_Err i -> (forall j : usize . j < i -> Seq.get (deep_model0 self) (UIntSize.to_int j) < deep_model2 x) } - ensures { [#"../../../../../creusot-contracts/src/std/slice.rs" 309 8 310 99] forall i : usize . result = Core_Result_Result_Type.C_Err i -> (forall j : usize . i <= j /\ UIntSize.to_int j < Seq.length (shallow_model1 self) -> deep_model2 x < Seq.get (deep_model0 self) (UIntSize.to_int j)) } + ensures { [#"../../../../../creusot-contracts/src/std/slice.rs" 304 8 304 118] forall i : usize . result = Core_Result_Result_Type.C_Ok i + -> UIntSize.to_int i < Seq.length (shallow_model1 self) /\ Seq.get (deep_model1 self) (UIntSize.to_int i) = deep_model2 x } + ensures { [#"../../../../../creusot-contracts/src/std/slice.rs" 305 8 306 96] forall i : usize . result = Core_Result_Result_Type.C_Err i + -> UIntSize.to_int i <= Seq.length (shallow_model1 self) /\ (forall j : int . 0 <= j /\ j < Seq.length (shallow_model1 self) + -> Seq.get (deep_model0 self) j <> deep_model2 x) } + ensures { [#"../../../../../creusot-contracts/src/std/slice.rs" 307 8 308 78] forall i : usize . 
result = Core_Result_Result_Type.C_Err i + -> (forall j : usize . j < i -> Seq.get (deep_model0 self) (UIntSize.to_int j) < deep_model2 x) } + ensures { [#"../../../../../creusot-contracts/src/std/slice.rs" 309 8 310 99] forall i : usize . result = Core_Result_Result_Type.C_Err i + -> (forall j : usize . i <= j /\ UIntSize.to_int j < Seq.length (shallow_model1 self) + -> deep_model2 x < Seq.get (deep_model0 self) (UIntSize.to_int j)) } let constant promoted0 [#"../02_std.rs" 8 0 8 40] : uint32 = [@vc:do_not_keep_trace] [@vc:sp] - let _1 = [#"../02_std.rs" 9 30 9 31] (2 : uint32) in let _0 = [#"../02_std.rs" 9 29 9 31] _1 in _0 + let _1 = [#"../02_std.rs" 9 30 9 31] [#"../02_std.rs" 9 30 9 31] (2 : uint32) in let _0 = [#"../02_std.rs" 9 29 9 31] _1 in _0 let rec cfg binary_search [#"../02_std.rs" 8 0 8 40] [@cfg:stackify] [@cfg:subregion_analysis] (s : slice uint32) : usize - requires {[#"../02_std.rs" 6 0 6 64] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 s) -> UInt32.to_int (index_logic0 s i) = i} + requires {[#"../02_std.rs" 6 0 6 64] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 s) + -> UInt32.to_int (index_logic0 s i) = i} requires {[#"../02_std.rs" 7 11 7 24] Seq.length (shallow_model1 s) = 5} = [@vc:do_not_keep_trace] [@vc:sp] @@ -181,7 +192,7 @@ module C02Std_BinarySearch goto BB0 } BB0 { - [#"../02_std.rs" 9 29 9 31] _12 <- ([#"../02_std.rs" 9 29 9 31] promoted0); + [#"../02_std.rs" 9 29 9 31] _12 <- ([#"../02_std.rs" 9 29 9 31] [#"../02_std.rs" 9 29 9 31] promoted0); [#"../02_std.rs" 9 29 9 31] _8 <- ([#"../02_std.rs" 9 29 9 31] _12); [#"../02_std.rs" 9 13 9 32] _5 <- ([#"../02_std.rs" 9 13 9 32] binary_search0 s _8); goto BB1 diff --git a/creusot/tests/should_succeed/sparse_array.mlcfg b/creusot/tests/should_succeed/sparse_array.mlcfg index 8b16048a60..b83ae2cad9 100644 --- a/creusot/tests/should_succeed/sparse_array.mlcfg +++ b/creusot/tests/should_succeed/sparse_array.mlcfg 
@@ -105,7 +105,8 @@ module SparseArray_Impl2_Get requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv10 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv10 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv11 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv10 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv11 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) predicate invariant10 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv11 (shallow_model6 self) val invariant10 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -132,7 +133,8 @@ module SparseArray_Impl2_Get requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self} ensures { result = shallow_model5 self } - axiom shallow_model5_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv9 (shallow_model5 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max0) + axiom shallow_model5_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv9 (shallow_model5 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max0) predicate invariant8 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv9 (shallow_model5 self) val invariant8 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -178,7 +180,8 @@ module SparseArray_Impl2_Get ensures { result = shallow_model4 self } predicate invariant7 [#"../sparse_array.rs" 49 4 49 30] (self : SparseArray_Sparse_Type.t_sparse t) = - [#"../sparse_array.rs" 50 8 61 9] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) <= UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model4 self) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model6 (SparseArray_Sparse_Type.sparse_values self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model5 (SparseArray_Sparse_Type.sparse_idx self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model5 (SparseArray_Sparse_Type.sparse_back self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) -> match index_logic4 (SparseArray_Sparse_Type.sparse_back self) i with + [#"../sparse_array.rs" 50 8 61 9] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) <= UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model4 self) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model6 (SparseArray_Sparse_Type.sparse_values self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model5 (SparseArray_Sparse_Type.sparse_idx self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model5 (SparseArray_Sparse_Type.sparse_back self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ (forall i : int . 
0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) + -> match index_logic4 (SparseArray_Sparse_Type.sparse_back self) i with | j -> 0 <= UIntSize.to_int j /\ UIntSize.to_int j < UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ UIntSize.to_int (index_logic4 (SparseArray_Sparse_Type.sparse_idx self) (UIntSize.to_int j)) = i end) val invariant7 [#"../sparse_array.rs" 49 4 49 30] (self : SparseArray_Sparse_Type.t_sparse t) : bool @@ -439,7 +442,8 @@ module SparseArray_Impl2_LemmaPermutation_Impl requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv3 (shallow_model1 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -456,7 +460,8 @@ module SparseArray_Impl2_LemmaPermutation_Impl requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant1 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv4 (shallow_model3 self) val invariant1 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -502,7 +507,8 @@ module SparseArray_Impl2_LemmaPermutation_Impl ensures { result = shallow_model2 self } predicate invariant0 [#"../sparse_array.rs" 49 4 49 30] (self : SparseArray_Sparse_Type.t_sparse t) = - [#"../sparse_array.rs" 50 8 61 9] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) <= UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model2 self) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model3 (SparseArray_Sparse_Type.sparse_values self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model1 (SparseArray_Sparse_Type.sparse_idx self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model1 (SparseArray_Sparse_Type.sparse_back self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) -> match index_logic0 (SparseArray_Sparse_Type.sparse_back self) i with + [#"../sparse_array.rs" 50 8 61 9] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) <= UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model2 self) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model3 (SparseArray_Sparse_Type.sparse_values self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model1 (SparseArray_Sparse_Type.sparse_idx self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model1 (SparseArray_Sparse_Type.sparse_back self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ (forall i : int . 
0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) + -> match index_logic0 (SparseArray_Sparse_Type.sparse_back self) i with | j -> 0 <= UIntSize.to_int j /\ UIntSize.to_int j < UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ UIntSize.to_int (index_logic0 (SparseArray_Sparse_Type.sparse_idx self) (UIntSize.to_int j)) = i end) val invariant0 [#"../sparse_array.rs" 49 4 49 30] (self : SparseArray_Sparse_Type.t_sparse t) : bool @@ -519,7 +525,10 @@ module SparseArray_Impl2_LemmaPermutation_Impl constant i : int function lemma_permutation [#"../sparse_array.rs" 104 4 104 38] (self : SparseArray_Sparse_Type.t_sparse t) (i : int) : () - goal vc_lemma_permutation : ([#"../sparse_array.rs" 104 25 104 29] inv0 self) -> ([#"../sparse_array.rs" 102 15 102 39] 0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self)) -> ([#"../sparse_array.rs" 101 15 101 34] SparseArray_Sparse_Type.sparse_n self = SparseArray_Sparse_Type.sparse_size self) -> ([#"../sparse_array.rs" 103 14 103 28] is_elt0 self i) + goal vc_lemma_permutation : ([#"../sparse_array.rs" 104 25 104 29] inv0 self) + -> ([#"../sparse_array.rs" 102 15 102 39] 0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self)) + -> ([#"../sparse_array.rs" 101 15 101 34] SparseArray_Sparse_Type.sparse_n self = SparseArray_Sparse_Type.sparse_size self) + -> ([#"../sparse_array.rs" 103 14 103 28] is_elt0 self i) end module SparseArray_Impl2_Set type t 
@@ -551,7 +560,8 @@ module SparseArray_Impl2_Set requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv12 self} ensures { result = shallow_model7 self } - axiom shallow_model7_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv12 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv13 (shallow_model7 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) + axiom shallow_model7_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv12 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv13 (shallow_model7 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) predicate invariant12 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv13 (shallow_model7 self) val invariant12 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -607,7 +617,8 @@ module SparseArray_Impl2_Set requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv11 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv11 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) use seq.Seq use seq.Seq use prelude.Mapping 
@@ -637,7 +648,8 @@ module SparseArray_Impl2_Set ensures { result = shallow_model2 self } predicate invariant8 [#"../sparse_array.rs" 49 4 49 30] (self : SparseArray_Sparse_Type.t_sparse t) = - [#"../sparse_array.rs" 50 8 61 9] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) <= UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model2 self) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model4 (SparseArray_Sparse_Type.sparse_values self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model7 (SparseArray_Sparse_Type.sparse_idx self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model7 (SparseArray_Sparse_Type.sparse_back self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) -> match index_logic4 (SparseArray_Sparse_Type.sparse_back self) i with + [#"../sparse_array.rs" 50 8 61 9] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) <= UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model2 self) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model4 (SparseArray_Sparse_Type.sparse_values self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model7 (SparseArray_Sparse_Type.sparse_idx self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model7 (SparseArray_Sparse_Type.sparse_back self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ (forall i : int . 
0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) + -> match index_logic4 (SparseArray_Sparse_Type.sparse_back self) i with | j -> 0 <= UIntSize.to_int j /\ UIntSize.to_int j < UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ UIntSize.to_int (index_logic4 (SparseArray_Sparse_Type.sparse_idx self) (UIntSize.to_int j)) = i end) val invariant8 [#"../sparse_array.rs" 49 4 49 30] (self : SparseArray_Sparse_Type.t_sparse t) : bool @@ -743,7 +755,8 @@ module SparseArray_Impl2_Set use prelude.Slice predicate resolve_elswhere1 [@inline:trivial] (self : usize) (old' : Seq.seq usize) (fin : Seq.seq usize) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere1 [@inline:trivial] (self : usize) (old' : Seq.seq usize) (fin : Seq.seq usize) : bool ensures { result = resolve_elswhere1 self old' fin } 
@@ -789,7 +802,9 @@ module SparseArray_Impl2_Set requires {[#"../sparse_array.rs" 104 25 104 29] inv8 self} ensures { result = lemma_permutation0 self i } - axiom lemma_permutation0_spec : forall self : SparseArray_Sparse_Type.t_sparse t, i : int . ([#"../sparse_array.rs" 101 15 101 34] SparseArray_Sparse_Type.sparse_n self = SparseArray_Sparse_Type.sparse_size self) -> ([#"../sparse_array.rs" 102 15 102 39] 0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self)) -> ([#"../sparse_array.rs" 104 25 104 29] inv8 self) -> ([#"../sparse_array.rs" 103 14 103 28] is_elt0 self i) + axiom lemma_permutation0_spec : forall self : SparseArray_Sparse_Type.t_sparse t, i : int . ([#"../sparse_array.rs" 101 15 101 34] SparseArray_Sparse_Type.sparse_n self = SparseArray_Sparse_Type.sparse_size self) + -> ([#"../sparse_array.rs" 102 15 102 39] 0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self)) + -> ([#"../sparse_array.rs" 104 25 104 29] inv8 self) -> ([#"../sparse_array.rs" 103 14 103 28] is_elt0 self i) function shallow_model5 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : Seq.seq usize = [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model7 self val shallow_model5 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : Seq.seq usize 
@@ -812,7 +827,8 @@ module SparseArray_Impl2_Set ensures { result = resolve0 self } predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq t) (fin : Seq.seq t) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq t) (fin : Seq.seq t) : bool ensures { result = resolve_elswhere0 self old' fin } @@ -847,7 +863,8 @@ module SparseArray_Impl2_Set requires {[#"../sparse_array.rs" 112 20 112 24] inv3 self} requires {[#"../sparse_array.rs" 112 36 112 37] inv1 v} ensures { [#"../sparse_array.rs" 109 14 109 43] Seq.length (shallow_model2 ( ^ self)) = Seq.length (shallow_model1 self) } - ensures { [#"../sparse_array.rs" 110 4 110 95] forall j : int . 0 <= j /\ j < Seq.length (shallow_model1 self) /\ j <> UIntSize.to_int i -> Seq.get (shallow_model2 ( ^ self)) j = Seq.get (shallow_model1 self) j } + ensures { [#"../sparse_array.rs" 110 4 110 95] forall j : int . 0 <= j /\ j < Seq.length (shallow_model1 self) /\ j <> UIntSize.to_int i + -> Seq.get (shallow_model2 ( ^ self)) j = Seq.get (shallow_model1 self) j } ensures { [#"../sparse_array.rs" 111 14 111 37] Seq.get (shallow_model2 ( ^ self)) (UIntSize.to_int i) = Core_Option_Option_Type.C_Some v } = [@vc:do_not_keep_trace] [@vc:sp] @@ -919,7 +936,7 @@ module SparseArray_Impl2_Set BB9 { assert { [@expl:type invariant] inv3 self }; assume { resolve4 self }; - [#"../sparse_array.rs" 123 9 123 9] _0 <- ([#"../sparse_array.rs" 123 9 123 9] ()); + [#"../sparse_array.rs" 123 9 123 9] _0 <- ([#"../sparse_array.rs" 123 9 123 9] [#"../sparse_array.rs" 123 9 123 9] ()); goto BB16 } BB10 { 
@@ -953,10 +970,10 @@ module SparseArray_Impl2_Set BB15 { [#"../sparse_array.rs" 121 12 121 33] _34 <- { _34 with current = ([#"../sparse_array.rs" 121 12 121 33] i) ; }; assume { resolve3 _34 }; - [#"../sparse_array.rs" 122 12 122 23] self <- { self with current = (let SparseArray_Sparse_Type.C_Sparse x0 x1 x2 x3 x4 = * self in SparseArray_Sparse_Type.C_Sparse x0 ([#"../sparse_array.rs" 122 12 122 23] SparseArray_Sparse_Type.sparse_n ( * self) + (1 : usize)) x2 x3 x4) ; }; + [#"../sparse_array.rs" 122 12 122 23] self <- { self with current = (let SparseArray_Sparse_Type.C_Sparse x0 x1 x2 x3 x4 = * self in SparseArray_Sparse_Type.C_Sparse x0 ([#"../sparse_array.rs" 122 12 122 23] SparseArray_Sparse_Type.sparse_n ( * self) + ([#"../sparse_array.rs" 122 22 122 23] (1 : usize))) x2 x3 x4) ; }; assert { [@expl:type invariant] inv3 self }; assume { resolve4 self }; - [#"../sparse_array.rs" 115 54 123 9] _0 <- ([#"../sparse_array.rs" 115 54 123 9] ()); + [#"../sparse_array.rs" 115 54 123 9] _0 <- ([#"../sparse_array.rs" 115 54 123 9] [#"../sparse_array.rs" 115 54 123 9] ()); goto BB16 } BB16 { 
@@ -1006,7 +1023,8 @@ module SparseArray_Create requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv6 (shallow_model3 self) val invariant4 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1033,7 +1051,8 @@ module SparseArray_Create requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model2 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model2 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv5 (shallow_model2 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1079,7 +1098,8 @@ module SparseArray_Create ensures { result = shallow_model1 self } predicate invariant1 [#"../sparse_array.rs" 49 4 49 30] (self : SparseArray_Sparse_Type.t_sparse t) = - [#"../sparse_array.rs" 50 8 61 9] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) <= UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model1 self) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model2 (SparseArray_Sparse_Type.sparse_values self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model3 (SparseArray_Sparse_Type.sparse_idx self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model3 (SparseArray_Sparse_Type.sparse_back self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) -> match index_logic2 (SparseArray_Sparse_Type.sparse_back self) i with + [#"../sparse_array.rs" 50 8 61 9] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) <= UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model1 self) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model2 (SparseArray_Sparse_Type.sparse_values self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model3 (SparseArray_Sparse_Type.sparse_idx self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model3 (SparseArray_Sparse_Type.sparse_back self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ (forall i : int . 
0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) + -> match index_logic2 (SparseArray_Sparse_Type.sparse_back self) i with | j -> 0 <= UIntSize.to_int j /\ UIntSize.to_int j < UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ UIntSize.to_int (index_logic2 (SparseArray_Sparse_Type.sparse_idx self) (UIntSize.to_int j)) = i end) val invariant1 [#"../sparse_array.rs" 49 4 49 30] (self : SparseArray_Sparse_Type.t_sparse t) : bool @@ -1105,13 +1125,15 @@ module SparseArray_Create val from_elem1 (elem : usize) (n : usize) : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) requires {inv3 elem} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model3 result) = UIntSize.to_int n } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic2 result i = elem } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic2 result i = elem } ensures { inv4 result } val from_elem0 (elem : t) (n : usize) : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) requires {inv0 elem} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model2 result) = UIntSize.to_int n } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic1 result i = elem } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic1 result i = elem } ensures { inv2 result } predicate resolve0 (self : t) 
@@ -1121,7 +1143,8 @@ module SparseArray_Create let rec cfg create [#"../sparse_array.rs" 134 0 134 64] [@cfg:stackify] [@cfg:subregion_analysis] (sz : usize) (dummy : t) : SparseArray_Sparse_Type.t_sparse t requires {[#"../sparse_array.rs" 134 42 134 47] inv0 dummy} ensures { [#"../sparse_array.rs" 132 10 132 27] SparseArray_Sparse_Type.sparse_size result = sz } - ensures { [#"../sparse_array.rs" 133 0 133 67] forall i : int . 0 <= i /\ i < UIntSize.to_int sz -> Seq.get (shallow_model1 result) i = Core_Option_Option_Type.C_None } + ensures { [#"../sparse_array.rs" 133 0 133 67] forall i : int . 0 <= i /\ i < UIntSize.to_int sz + -> Seq.get (shallow_model1 result) i = Core_Option_Option_Type.C_None } ensures { [#"../sparse_array.rs" 134 55 134 64] inv1 result } = [@vc:do_not_keep_trace] [@vc:sp] @@ -1141,15 +1164,15 @@ module SparseArray_Create goto BB1 } BB1 { - [#"../sparse_array.rs" 135 59 135 70] _9 <- ([#"../sparse_array.rs" 135 59 135 70] from_elem1 (0 : usize) sz); + [#"../sparse_array.rs" 135 59 135 70] _9 <- ([#"../sparse_array.rs" 135 59 135 70] from_elem1 ([#"../sparse_array.rs" 135 64 135 65] (0 : usize)) sz); goto BB2 } BB2 { - [#"../sparse_array.rs" 135 78 135 89] _11 <- ([#"../sparse_array.rs" 135 78 135 89] from_elem1 (0 : usize) sz); + [#"../sparse_array.rs" 135 78 135 89] _11 <- ([#"../sparse_array.rs" 135 78 135 89] from_elem1 ([#"../sparse_array.rs" 135 83 135 84] (0 : usize)) sz); goto BB3 } BB3 { - [#"../sparse_array.rs" 135 4 135 91] _0 <- ([#"../sparse_array.rs" 135 4 135 91] SparseArray_Sparse_Type.C_Sparse sz (0 : usize) _6 _9 _11); + [#"../sparse_array.rs" 135 4 135 91] _0 <- ([#"../sparse_array.rs" 135 4 135 91] SparseArray_Sparse_Type.C_Sparse sz ([#"../sparse_array.rs" 135 26 135 27] (0 : usize)) _6 _9 _11); _6 <- any Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global); _9 <- any Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); _11 <- any Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); 
@@ -1195,7 +1218,8 @@ module SparseArray_F requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self} ensures { result = shallow_model7 self } - axiom shallow_model7_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model7 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) + axiom shallow_model7_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model7 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) predicate invariant7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv8 (shallow_model7 self) val invariant7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1223,7 +1247,8 @@ module SparseArray_F requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) predicate invariant5 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv6 (shallow_model6 self) val invariant5 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1313,7 +1338,8 @@ module SparseArray_F ensures { result = shallow_model2 self } predicate invariant0 [#"../sparse_array.rs" 49 4 49 30] (self : SparseArray_Sparse_Type.t_sparse int32) = - [#"../sparse_array.rs" 50 8 61 9] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) <= UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model2 self) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model6 (SparseArray_Sparse_Type.sparse_values self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model7 (SparseArray_Sparse_Type.sparse_idx self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model7 (SparseArray_Sparse_Type.sparse_back self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) -> match index_logic2 (SparseArray_Sparse_Type.sparse_back self) i with + [#"../sparse_array.rs" 50 8 61 9] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) <= UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model2 self) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model6 (SparseArray_Sparse_Type.sparse_values self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model7 (SparseArray_Sparse_Type.sparse_idx self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model7 (SparseArray_Sparse_Type.sparse_back self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ (forall i : int . 
0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) + -> match index_logic2 (SparseArray_Sparse_Type.sparse_back self) i with | j -> 0 <= UIntSize.to_int j /\ UIntSize.to_int j < UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ UIntSize.to_int (index_logic2 (SparseArray_Sparse_Type.sparse_idx self) (UIntSize.to_int j)) = i end) val invariant0 [#"../sparse_array.rs" 49 4 49 30] (self : SparseArray_Sparse_Type.t_sparse int32) : bool @@ -1342,7 +1368,8 @@ module SparseArray_F requires {[#"../sparse_array.rs" 112 20 112 24] inv4 self} requires {[#"../sparse_array.rs" 112 36 112 37] inv1 v} ensures { [#"../sparse_array.rs" 109 14 109 43] Seq.length (shallow_model2 ( ^ self)) = Seq.length (shallow_model4 self) } - ensures { [#"../sparse_array.rs" 110 4 110 95] forall j : int . 0 <= j /\ j < Seq.length (shallow_model4 self) /\ j <> UIntSize.to_int i -> Seq.get (shallow_model2 ( ^ self)) j = Seq.get (shallow_model4 self) j } + ensures { [#"../sparse_array.rs" 110 4 110 95] forall j : int . 0 <= j /\ j < Seq.length (shallow_model4 self) /\ j <> UIntSize.to_int i + -> Seq.get (shallow_model2 ( ^ self)) j = Seq.get (shallow_model4 self) j } ensures { [#"../sparse_array.rs" 111 14 111 37] Seq.get (shallow_model2 ( ^ self)) (UIntSize.to_int i) = Core_Option_Option_Type.C_Some v } function shallow_model3 (self : SparseArray_Sparse_Type.t_sparse int32) : Seq.seq (Core_Option_Option_Type.t_option int32) 
@@ -1368,7 +1395,8 @@ module SparseArray_F val create0 [#"../sparse_array.rs" 134 0 134 64] (sz : usize) (dummy : int32) : SparseArray_Sparse_Type.t_sparse int32 requires {[#"../sparse_array.rs" 134 42 134 47] inv1 dummy} ensures { [#"../sparse_array.rs" 132 10 132 27] SparseArray_Sparse_Type.sparse_size result = sz } - ensures { [#"../sparse_array.rs" 133 0 133 67] forall i : int . 0 <= i /\ i < UIntSize.to_int sz -> Seq.get (shallow_model2 result) i = Core_Option_Option_Type.C_None } + ensures { [#"../sparse_array.rs" 133 0 133 67] forall i : int . 0 <= i /\ i < UIntSize.to_int sz + -> Seq.get (shallow_model2 result) i = Core_Option_Option_Type.C_None } ensures { [#"../sparse_array.rs" 134 55 134 64] inv0 result } let rec cfg f [#"../sparse_array.rs" 140 0 140 10] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () 
@@ -1395,20 +1423,20 @@ module SparseArray_F goto BB0 } BB0 { - [#"../sparse_array.rs" 141 18 141 19] default <- ([#"../sparse_array.rs" 141 18 141 19] (0 : int32)); - [#"../sparse_array.rs" 142 16 142 35] a <- ([#"../sparse_array.rs" 142 16 142 35] create0 (10 : usize) default); + [#"../sparse_array.rs" 141 18 141 19] default <- ([#"../sparse_array.rs" 141 18 141 19] [#"../sparse_array.rs" 141 18 141 19] (0 : int32)); + [#"../sparse_array.rs" 142 16 142 35] a <- ([#"../sparse_array.rs" 142 16 142 35] create0 ([#"../sparse_array.rs" 142 23 142 25] (10 : usize)) default); goto BB1 } BB1 { - [#"../sparse_array.rs" 143 16 143 35] b <- ([#"../sparse_array.rs" 143 16 143 35] create0 (20 : usize) default); + [#"../sparse_array.rs" 143 16 143 35] b <- ([#"../sparse_array.rs" 143 16 143 35] create0 ([#"../sparse_array.rs" 143 23 143 25] (20 : usize)) default); goto BB2 } BB2 { - [#"../sparse_array.rs" 144 16 144 24] x <- ([#"../sparse_array.rs" 144 16 144 24] get0 a (5 : usize)); + [#"../sparse_array.rs" 144 16 144 24] x <- ([#"../sparse_array.rs" 144 16 144 24] get0 a ([#"../sparse_array.rs" 144 22 144 23] (5 : usize))); goto BB3 } BB3 { - [#"../sparse_array.rs" 145 16 145 24] y <- ([#"../sparse_array.rs" 145 16 145 24] get0 b (7 : usize)); + [#"../sparse_array.rs" 145 16 145 24] y <- ([#"../sparse_array.rs" 145 16 145 24] get0 b ([#"../sparse_array.rs" 145 22 145 23] (7 : usize))); goto BB4 } BB4 { @@ -1416,7 +1444,7 @@ module SparseArray_F [#"../sparse_array.rs" 148 4 148 5] _13 <- Borrow.borrow_mut a; [#"../sparse_array.rs" 148 4 148 5] a <- ^ _13; assume { inv0 ( ^ _13) }; - [#"../sparse_array.rs" 148 4 148 15] _12 <- ([#"../sparse_array.rs" 148 4 148 15] set0 _13 (5 : usize) (1 : int32)); + [#"../sparse_array.rs" 148 4 148 15] _12 <- ([#"../sparse_array.rs" 148 4 148 15] set0 _13 ([#"../sparse_array.rs" 148 10 148 11] (5 : usize)) ([#"../sparse_array.rs" 148 13 148 14] (1 : int32))); _13 <- any borrowed (SparseArray_Sparse_Type.t_sparse int32); goto BB5 } 
@@ -1424,18 +1452,18 @@ module SparseArray_F [#"../sparse_array.rs" 149 4 149 5] _15 <- Borrow.borrow_mut b; [#"../sparse_array.rs" 149 4 149 5] b <- ^ _15; assume { inv0 ( ^ _15) }; - [#"../sparse_array.rs" 149 4 149 15] _14 <- ([#"../sparse_array.rs" 149 4 149 15] set0 _15 (7 : usize) (2 : int32)); + [#"../sparse_array.rs" 149 4 149 15] _14 <- ([#"../sparse_array.rs" 149 4 149 15] set0 _15 ([#"../sparse_array.rs" 149 10 149 11] (7 : usize)) ([#"../sparse_array.rs" 149 13 149 14] (2 : int32))); _15 <- any borrowed (SparseArray_Sparse_Type.t_sparse int32); goto BB6 } BB6 { - [#"../sparse_array.rs" 150 8 150 16] _16 <- ([#"../sparse_array.rs" 150 8 150 16] get0 a (5 : usize)); + [#"../sparse_array.rs" 150 8 150 16] _16 <- ([#"../sparse_array.rs" 150 8 150 16] get0 a ([#"../sparse_array.rs" 150 14 150 15] (5 : usize))); goto BB7 } BB7 { [#"../sparse_array.rs" 150 4 150 16] x <- ([#"../sparse_array.rs" 150 4 150 16] _16); _16 <- any Core_Option_Option_Type.t_option int32; - [#"../sparse_array.rs" 151 8 151 16] _18 <- ([#"../sparse_array.rs" 151 8 151 16] get0 b (7 : usize)); + [#"../sparse_array.rs" 151 8 151 16] _18 <- ([#"../sparse_array.rs" 151 8 151 16] get0 b ([#"../sparse_array.rs" 151 14 151 15] (7 : usize))); goto BB8 } BB8 { 
@@ -1449,46 +1477,46 @@ module SparseArray_F | Core_Option_Option_Type.C_None -> false | Core_Option_Option_Type.C_Some z -> shallow_model0 z = 2 end }; - [#"../sparse_array.rs" 161 8 161 16] _24 <- ([#"../sparse_array.rs" 161 8 161 16] get0 a (7 : usize)); + [#"../sparse_array.rs" 161 8 161 16] _24 <- ([#"../sparse_array.rs" 161 8 161 16] get0 a ([#"../sparse_array.rs" 161 14 161 15] (7 : usize))); goto BB9 } BB9 { [#"../sparse_array.rs" 161 4 161 16] x <- ([#"../sparse_array.rs" 161 4 161 16] _24); _24 <- any Core_Option_Option_Type.t_option int32; - [#"../sparse_array.rs" 162 8 162 16] _26 <- ([#"../sparse_array.rs" 162 8 162 16] get0 b (5 : usize)); + [#"../sparse_array.rs" 162 8 162 16] _26 <- ([#"../sparse_array.rs" 162 8 162 16] get0 b ([#"../sparse_array.rs" 162 14 162 15] (5 : usize))); goto BB10 } BB10 { [#"../sparse_array.rs" 162 4 162 16] y <- ([#"../sparse_array.rs" 162 4 162 16] _26); _26 <- any Core_Option_Option_Type.t_option int32; assert { [@expl:assertion] [#"../sparse_array.rs" 163 18 163 40] x = Core_Option_Option_Type.C_None /\ y = Core_Option_Option_Type.C_None }; - [#"../sparse_array.rs" 165 8 165 16] _30 <- ([#"../sparse_array.rs" 165 8 165 16] get0 a (0 : usize)); + [#"../sparse_array.rs" 165 8 165 16] _30 <- ([#"../sparse_array.rs" 165 8 165 16] get0 a ([#"../sparse_array.rs" 165 14 165 15] (0 : usize))); goto BB11 } BB11 { [#"../sparse_array.rs" 165 4 165 16] x <- ([#"../sparse_array.rs" 165 4 165 16] _30); _30 <- any Core_Option_Option_Type.t_option int32; - [#"../sparse_array.rs" 166 8 166 16] _32 <- ([#"../sparse_array.rs" 166 8 166 16] get0 b (0 : usize)); + [#"../sparse_array.rs" 166 8 166 16] _32 <- ([#"../sparse_array.rs" 166 8 166 16] get0 b ([#"../sparse_array.rs" 166 14 166 15] (0 : usize))); goto BB12 } BB12 { [#"../sparse_array.rs" 166 4 166 16] y <- ([#"../sparse_array.rs" 166 4 166 16] _32); _32 <- any Core_Option_Option_Type.t_option int32; assert { [@expl:assertion] [#"../sparse_array.rs" 167 18 167 40] x = 
Core_Option_Option_Type.C_None /\ y = Core_Option_Option_Type.C_None }; - [#"../sparse_array.rs" 169 8 169 16] _36 <- ([#"../sparse_array.rs" 169 8 169 16] get0 a (9 : usize)); + [#"../sparse_array.rs" 169 8 169 16] _36 <- ([#"../sparse_array.rs" 169 8 169 16] get0 a ([#"../sparse_array.rs" 169 14 169 15] (9 : usize))); goto BB13 } BB13 { [#"../sparse_array.rs" 169 4 169 16] x <- ([#"../sparse_array.rs" 169 4 169 16] _36); _36 <- any Core_Option_Option_Type.t_option int32; - [#"../sparse_array.rs" 170 8 170 16] _38 <- ([#"../sparse_array.rs" 170 8 170 16] get0 b (9 : usize)); + [#"../sparse_array.rs" 170 8 170 16] _38 <- ([#"../sparse_array.rs" 170 8 170 16] get0 b ([#"../sparse_array.rs" 170 14 170 15] (9 : usize))); goto BB14 } BB14 { [#"../sparse_array.rs" 170 4 170 16] y <- ([#"../sparse_array.rs" 170 4 170 16] _38); _38 <- any Core_Option_Option_Type.t_option int32; assert { [@expl:assertion] [#"../sparse_array.rs" 171 18 171 40] x = Core_Option_Option_Type.C_None /\ y = Core_Option_Option_Type.C_None }; - [#"../sparse_array.rs" 171 4 171 41] _0 <- ([#"../sparse_array.rs" 171 4 171 41] ()); + [#"../sparse_array.rs" 171 4 171 41] _0 <- ([#"../sparse_array.rs" 171 4 171 41] [#"../sparse_array.rs" 171 4 171 41] ()); goto BB15 } BB15 { diff --git a/creusot/tests/should_succeed/spec_tests.mlcfg b/creusot/tests/should_succeed/spec_tests.mlcfg index a662169771..efa8cc215f 100644 --- a/creusot/tests/should_succeed/spec_tests.mlcfg +++ b/creusot/tests/should_succeed/spec_tests.mlcfg @@ -25,7 +25,7 @@ module SpecTests_TestSpecs goto BB0 } BB0 { - [#"../spec_tests.rs" 18 20 18 22] _0 <- ([#"../spec_tests.rs" 18 20 18 22] ()); + [#"../spec_tests.rs" 18 20 18 22] _0 <- ([#"../spec_tests.rs" 18 20 18 22] [#"../spec_tests.rs" 18 20 18 22] ()); return _0 } diff --git a/creusot/tests/should_succeed/specification/division.mlcfg b/creusot/tests/should_succeed/specification/division.mlcfg index 09d2b1353a..0dbcc0ff2e 100644 
--- a/creusot/tests/should_succeed/specification/division.mlcfg +++ b/creusot/tests/should_succeed/specification/division.mlcfg @@ -16,7 +16,7 @@ module Division_Divide } BB0 { [#"../division.rs" 7 8 7 9] _5 <- ([#"../division.rs" 7 8 7 9] x); - [#"../division.rs" 7 4 7 9] _6 <- ([#"../division.rs" 7 4 7 9] _5 = (0 : uint32)); + [#"../division.rs" 7 4 7 9] _6 <- ([#"../division.rs" 7 4 7 9] _5 = ([#"../division.rs" 7 4 7 9] (0 : uint32))); assert { [@expl:division by zero] [#"../division.rs" 7 4 7 9] not _6 }; goto BB1 } diff --git a/creusot/tests/should_succeed/specification/forall.mlcfg b/creusot/tests/should_succeed/specification/forall.mlcfg index d2905b36d8..6eb3d303de 100644 --- a/creusot/tests/should_succeed/specification/forall.mlcfg +++ b/creusot/tests/should_succeed/specification/forall.mlcfg @@ -11,7 +11,7 @@ module Forall_F goto BB0 } BB0 { - [#"../forall.rs" 6 11 6 13] _0 <- ([#"../forall.rs" 6 11 6 13] ()); + [#"../forall.rs" 6 11 6 13] _0 <- ([#"../forall.rs" 6 11 6 13] [#"../forall.rs" 6 11 6 13] ()); return _0 } diff --git a/creusot/tests/should_succeed/specification/logic_call.mlcfg b/creusot/tests/should_succeed/specification/logic_call.mlcfg index 90835dd6b0..9f18d949a6 100644 --- a/creusot/tests/should_succeed/specification/logic_call.mlcfg +++ b/creusot/tests/should_succeed/specification/logic_call.mlcfg @@ -16,7 +16,7 @@ module LogicCall_Dummy goto BB0 } BB0 { - [#"../logic_call.rs" 12 4 12 5] _0 <- ([#"../logic_call.rs" 12 4 12 5] (0 : uint32)); + [#"../logic_call.rs" 12 4 12 5] _0 <- ([#"../logic_call.rs" 12 4 12 5] [#"../logic_call.rs" 12 4 12 5] (0 : uint32)); return _0 } diff --git a/creusot/tests/should_succeed/specification/logic_functions.mlcfg b/creusot/tests/should_succeed/specification/logic_functions.mlcfg index 3be1b9abd5..69ca12751e 100644 --- a/creusot/tests/should_succeed/specification/logic_functions.mlcfg +++ b/creusot/tests/should_succeed/specification/logic_functions.mlcfg 
@@ -14,7 +14,7 @@ module LogicFunctions_UseLogic goto BB0 } BB0 { - [#"../logic_functions.rs" 10 19 10 21] _0 <- ([#"../logic_functions.rs" 10 19 10 21] ()); + [#"../logic_functions.rs" 10 19 10 21] _0 <- ([#"../logic_functions.rs" 10 19 10 21] [#"../logic_functions.rs" 10 19 10 21] ()); return _0 } @@ -34,7 +34,7 @@ module LogicFunctions_UseLogicPearlite goto BB0 } BB0 { - [#"../logic_functions.rs" 19 28 19 30] _0 <- ([#"../logic_functions.rs" 19 28 19 30] ()); + [#"../logic_functions.rs" 19 28 19 30] _0 <- ([#"../logic_functions.rs" 19 28 19 30] [#"../logic_functions.rs" 19 28 19 30] ()); return _0 } diff --git a/creusot/tests/should_succeed/specification/loops.mlcfg b/creusot/tests/should_succeed/specification/loops.mlcfg index bdf5f2abd2..f607a754b4 100644 --- a/creusot/tests/should_succeed/specification/loops.mlcfg +++ b/creusot/tests/should_succeed/specification/loops.mlcfg @@ -24,7 +24,7 @@ module Loops_WhileLoopVariant goto BB1 } BB4 { - [#"../loops.rs" 6 4 6 14] _0 <- ([#"../loops.rs" 6 4 6 14] ()); + [#"../loops.rs" 6 4 6 14] _0 <- ([#"../loops.rs" 6 4 6 14] [#"../loops.rs" 6 4 6 14] ()); return _0 } diff --git a/creusot/tests/should_succeed/specification/model.mlcfg b/creusot/tests/should_succeed/specification/model.mlcfg index 59a478c112..a0ebc6a546 100644 --- a/creusot/tests/should_succeed/specification/model.mlcfg +++ b/creusot/tests/should_succeed/specification/model.mlcfg @@ -74,7 +74,7 @@ module Model_TestArc goto BB1 } BB1 { - [#"../model.rs" 43 42 43 44] _0 <- ([#"../model.rs" 43 42 43 44] ()); + [#"../model.rs" 43 42 43 44] _0 <- ([#"../model.rs" 43 42 43 44] [#"../model.rs" 43 42 43 44] ()); goto BB2 } BB2 { @@ -126,7 +126,7 @@ module Model_TestRc goto BB1 } BB1 { - [#"../model.rs" 46 38 46 40] _0 <- ([#"../model.rs" 46 38 46 40] ()); + [#"../model.rs" 46 38 46 40] _0 <- ([#"../model.rs" 46 38 46 40] [#"../model.rs" 46 38 46 40] ()); goto BB2 } BB2 { 
diff --git a/creusot/tests/should_succeed/specification/opaque.mlcfg b/creusot/tests/should_succeed/specification/opaque.mlcfg index f44067afe1..9f2c73d665 100644 --- a/creusot/tests/should_succeed/specification/opaque.mlcfg +++ b/creusot/tests/should_succeed/specification/opaque.mlcfg @@ -19,7 +19,7 @@ module Opaque_Test BB0 { assert { [@expl:assertion] [#"../opaque.rs" 21 18 21 34] transparent0 () }; assert { [@expl:assertion] [#"../opaque.rs" 22 18 22 40] transparent_crate0 () }; - [#"../opaque.rs" 20 14 23 1] _0 <- ([#"../opaque.rs" 20 14 23 1] ()); + [#"../opaque.rs" 20 14 23 1] _0 <- ([#"../opaque.rs" 20 14 23 1] [#"../opaque.rs" 20 14 23 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/specification/trusted.mlcfg b/creusot/tests/should_succeed/specification/trusted.mlcfg index 0cda691d90..97a7981afd 100644 --- a/creusot/tests/should_succeed/specification/trusted.mlcfg +++ b/creusot/tests/should_succeed/specification/trusted.mlcfg @@ -14,7 +14,7 @@ module Trusted_VictimOfLie goto BB0 } BB0 { - [#"../trusted.rs" 19 4 19 9] _0 <- ([#"../trusted.rs" 19 4 19 9] lie0 ()); + [#"../trusted.rs" 19 4 19 9] _0 <- ([#"../trusted.rs" 19 4 19 9] lie0 ([#"../trusted.rs" 19 4 19 9] ())); goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/split_borrow.mlcfg b/creusot/tests/should_succeed/split_borrow.mlcfg index ee3c4ab203..88564e5e8f 100644 --- a/creusot/tests/should_succeed/split_borrow.mlcfg +++ b/creusot/tests/should_succeed/split_borrow.mlcfg @@ -7,7 +7,7 @@ module SplitBorrow_Z goto BB0 } BB0 { - [#"../split_borrow.rs" 6 4 6 8] _0 <- ([#"../split_borrow.rs" 6 4 6 8] true); + [#"../split_borrow.rs" 6 4 6 8] _0 <- ([#"../split_borrow.rs" 6 4 6 8] [#"../split_borrow.rs" 6 4 6 8] true); return _0 } 
@@ -55,14 +55,14 @@ module SplitBorrow_F goto BB0 } BB0 { - [#"../split_borrow.rs" 10 17 10 25] _2 <- ([#"../split_borrow.rs" 10 17 10 25] SplitBorrow_MyInt_Type.C_MyInt (1 : usize)); - [#"../split_borrow.rs" 10 27 10 35] _3 <- ([#"../split_borrow.rs" 10 27 10 35] SplitBorrow_MyInt_Type.C_MyInt (2 : usize)); + [#"../split_borrow.rs" 10 17 10 25] _2 <- ([#"../split_borrow.rs" 10 17 10 25] SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 10 23 10 24] (1 : usize))); + [#"../split_borrow.rs" 10 27 10 35] _3 <- ([#"../split_borrow.rs" 10 27 10 35] SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 10 33 10 34] (2 : usize))); [#"../split_borrow.rs" 10 16 10 36] x <- ([#"../split_borrow.rs" 10 16 10 36] (_2, _3)); _2 <- any SplitBorrow_MyInt_Type.t_myint; _3 <- any SplitBorrow_MyInt_Type.t_myint; [#"../split_borrow.rs" 11 12 11 18] y <- Borrow.borrow_mut x; [#"../split_borrow.rs" 11 12 11 18] x <- ^ y; - [#"../split_borrow.rs" 13 7 13 10] _6 <- ([#"../split_borrow.rs" 13 7 13 10] z0 ()); + [#"../split_borrow.rs" 13 7 13 10] _6 <- ([#"../split_borrow.rs" 13 7 13 10] z0 ([#"../split_borrow.rs" 13 7 13 10] ())); goto BB1 } BB1 { 
@@ -72,23 +72,23 @@ module SplitBorrow_F end } BB2 { - [#"../split_borrow.rs" 14 17 14 25] _7 <- ([#"../split_borrow.rs" 14 17 14 25] SplitBorrow_MyInt_Type.C_MyInt (4 : usize)); + [#"../split_borrow.rs" 14 17 14 25] _7 <- ([#"../split_borrow.rs" 14 17 14 25] SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 14 23 14 24] (4 : usize))); [#"../split_borrow.rs" 14 8 14 25] y <- { y with current = (let (x0, x1) = * y in (x0, ([#"../split_borrow.rs" 14 8 14 25] _7))) ; }; _7 <- any SplitBorrow_MyInt_Type.t_myint; - [#"../split_borrow.rs" 13 11 15 5] _5 <- ([#"../split_borrow.rs" 13 11 15 5] ()); + [#"../split_borrow.rs" 13 11 15 5] _5 <- ([#"../split_borrow.rs" 13 11 15 5] [#"../split_borrow.rs" 13 11 15 5] ()); goto BB4 } BB3 { - [#"../split_borrow.rs" 16 17 16 26] _8 <- ([#"../split_borrow.rs" 16 17 16 26] SplitBorrow_MyInt_Type.C_MyInt (10 : usize)); + [#"../split_borrow.rs" 16 17 16 26] _8 <- ([#"../split_borrow.rs" 16 17 16 26] SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 16 23 16 25] (10 : usize))); [#"../split_borrow.rs" 16 8 16 26] y <- { y with current = (let (x0, x1) = * y in (([#"../split_borrow.rs" 16 8 16 26] _8), x1)) ; }; _8 <- any SplitBorrow_MyInt_Type.t_myint; - [#"../split_borrow.rs" 15 11 17 5] _5 <- ([#"../split_borrow.rs" 15 11 17 5] ()); + [#"../split_borrow.rs" 15 11 17 5] _5 <- ([#"../split_borrow.rs" 15 11 17 5] [#"../split_borrow.rs" 15 11 17 5] ()); goto BB4 } BB4 { assume { resolve0 y }; assume { resolve1 x }; - [#"../split_borrow.rs" 9 11 21 1] _0 <- ([#"../split_borrow.rs" 9 11 21 1] ()); + [#"../split_borrow.rs" 9 11 21 1] _0 <- ([#"../split_borrow.rs" 9 11 21 1] [#"../split_borrow.rs" 9 11 21 1] ()); return _0 } 
@@ -131,8 +131,8 @@ module SplitBorrow_G goto BB0 } BB0 { - [#"../split_borrow.rs" 24 17 24 25] _2 <- ([#"../split_borrow.rs" 24 17 24 25] SplitBorrow_MyInt_Type.C_MyInt (1 : usize)); - [#"../split_borrow.rs" 24 27 24 35] _3 <- ([#"../split_borrow.rs" 24 27 24 35] SplitBorrow_MyInt_Type.C_MyInt (2 : usize)); + [#"../split_borrow.rs" 24 17 24 25] _2 <- ([#"../split_borrow.rs" 24 17 24 25] SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 24 23 24 24] (1 : usize))); + [#"../split_borrow.rs" 24 27 24 35] _3 <- ([#"../split_borrow.rs" 24 27 24 35] SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 24 33 24 34] (2 : usize))); [#"../split_borrow.rs" 24 16 24 36] a <- ([#"../split_borrow.rs" 24 16 24 36] (_2, _3)); _2 <- any SplitBorrow_MyInt_Type.t_myint; _3 <- any SplitBorrow_MyInt_Type.t_myint; @@ -141,12 +141,12 @@ module SplitBorrow_G [#"../split_borrow.rs" 27 13 27 21] _z <- Borrow.borrow_final (let (_, a) = * x in a) (Borrow.inherit_id (Borrow.get_id x) 2); [#"../split_borrow.rs" 27 13 27 21] x <- { x with current = (let (x0, x1) = * x in (x0, ^ _z)) ; }; assume { resolve0 _z }; - [#"../split_borrow.rs" 29 13 29 21] _6 <- ([#"../split_borrow.rs" 29 13 29 21] SplitBorrow_MyInt_Type.C_MyInt (3 : usize)); + [#"../split_borrow.rs" 29 13 29 21] _6 <- ([#"../split_borrow.rs" 29 13 29 21] SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 29 19 29 20] (3 : usize))); [#"../split_borrow.rs" 29 4 29 21] x <- { x with current = (let (x0, x1) = * x in (([#"../split_borrow.rs" 29 4 29 21] _6), x1)) ; }; _6 <- any SplitBorrow_MyInt_Type.t_myint; assume { resolve1 x }; assume { resolve2 a }; - [#"../split_borrow.rs" 23 11 32 1] _0 <- ([#"../split_borrow.rs" 23 11 32 1] ()); + [#"../split_borrow.rs" 23 11 32 1] _0 <- ([#"../split_borrow.rs" 23 11 32 1] [#"../split_borrow.rs" 23 11 32 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/std_types.mlcfg b/creusot/tests/should_succeed/std_types.mlcfg index 8517de6b44..740099b545 100644 
--- a/creusot/tests/should_succeed/std_types.mlcfg +++ b/creusot/tests/should_succeed/std_types.mlcfg @@ -23,7 +23,7 @@ module StdTypes_X goto BB0 } BB0 { - [#"../std_types.rs" 5 21 5 23] _0 <- ([#"../std_types.rs" 5 21 5 23] ()); + [#"../std_types.rs" 5 21 5 23] _0 <- ([#"../std_types.rs" 5 21 5 23] [#"../std_types.rs" 5 21 5 23] ()); return _0 } diff --git a/creusot/tests/should_succeed/sum.mlcfg b/creusot/tests/should_succeed/sum.mlcfg index b17661743f..11977f77cf 100644 --- a/creusot/tests/should_succeed/sum.mlcfg +++ b/creusot/tests/should_succeed/sum.mlcfg @@ -96,7 +96,9 @@ module Sum_SumFirstN requires {[#"../../../../creusot-contracts/src/std/ops.rs" 207 20 207 24] inv0 self} ensures { result = is_empty_log0 self } - axiom is_empty_log0_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32 . ([#"../../../../creusot-contracts/src/std/ops.rs" 207 20 207 24] inv0 self) -> ([#"../../../../creusot-contracts/src/std/ops.rs" 206 4 206 88] not is_empty_log0 self -> deep_model0 (start_log0 self) <= deep_model0 (end_log0 self)) + axiom is_empty_log0_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32 . ([#"../../../../creusot-contracts/src/std/ops.rs" 207 20 207 24] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/ops.rs" 206 4 206 88] not is_empty_log0 self + -> deep_model0 (start_log0 self) <= deep_model0 (end_log0 self)) function range_inclusive_len0 (r : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32) : int = [#"../../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5] if is_empty_log0 r then 0 
@@ -107,12 +109,15 @@ module Sum_SumFirstN requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 46 62 46 63] inv0 r} ensures { result = range_inclusive_len0 r } - axiom range_inclusive_len0_spec : forall r : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32 . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 46 62 46 63] inv0 r) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43] is_empty_log0 r = (range_inclusive_len0 r = 0)) + axiom range_inclusive_len0_spec : forall r : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32 . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 46 62 46 63] inv0 r) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43] is_empty_log0 r = (range_inclusive_len0 r = 0)) use seq.Seq predicate produces0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32) (visited : Seq.seq uint32) (o : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32) = - [#"../../../../creusot-contracts/src/std/iter/range.rs" 65 8 71 9] Seq.length visited = range_inclusive_len0 self - range_inclusive_len0 o /\ (is_empty_log0 self -> is_empty_log0 o) /\ (is_empty_log0 o \/ end_log0 self = end_log0 o) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (start_log0 self) + i) + [#"../../../../creusot-contracts/src/std/iter/range.rs" 65 8 71 9] Seq.length visited = range_inclusive_len0 self - range_inclusive_len0 o /\ (is_empty_log0 self + -> is_empty_log0 o) /\ (is_empty_log0 o \/ end_log0 self = end_log0 o) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (start_log0 self) + i) val produces0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32) (visited : Seq.seq uint32) (o : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32) : bool ensures { result = produces0 self visited o } 
@@ -130,7 +135,14 @@ module Sum_SumFirstN requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 84 82 84 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32, ab : Seq.seq uint32, b : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32, bc : Seq.seq uint32, c : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32 . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 81 15 81 32] produces0 a ab b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 82 15 82 32] produces0 b bc c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 22 84 23] inv0 a) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 31 84 33] inv4 ab) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 52 84 53] inv0 b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 61 84 63] inv4 bc) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 82 84 83] inv0 c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 83 14 83 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32, ab : Seq.seq uint32, b : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32, bc : Seq.seq uint32, c : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32 . 
([#"../../../../creusot-contracts/src/std/iter/range.rs" 81 15 81 32] produces0 a ab b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 82 15 82 32] produces0 b bc c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 22 84 23] inv0 a) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 31 84 33] inv4 ab) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 52 84 53] inv0 b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 61 84 63] inv4 bc) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 82 84 83] inv0 c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 83 14 83 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32) : () = [#"../../../../creusot-contracts/src/std/iter/range.rs" 74 4 74 10] () @@ -138,7 +150,8 @@ module Sum_SumFirstN requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 77 21 77 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32 . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 77 21 77 25] inv0 self) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 76 14 76 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32 . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 77 21 77 25] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 76 14 76 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32) = [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32) : bool 
@@ -193,7 +206,8 @@ module Sum_SumFirstN requires {inv1 end'} ensures { [#"../../../../creusot-contracts/src/std/ops.rs" 220 26 220 53] start_log0 result = start } ensures { [#"../../../../creusot-contracts/src/std/ops.rs" 221 26 221 49] end_log0 result = end' } - ensures { [#"../../../../creusot-contracts/src/std/ops.rs" 222 16 222 93] deep_model0 start <= deep_model0 end' -> not is_empty_log0 result } + ensures { [#"../../../../creusot-contracts/src/std/ops.rs" 222 16 222 93] deep_model0 start <= deep_model0 end' + -> not is_empty_log0 result } ensures { inv0 result } let rec cfg sum_first_n [#"../sum.rs" 6 0 6 33] [@cfg:stackify] [@cfg:subregion_analysis] (n : uint32) : uint32 @@ -218,8 +232,8 @@ module Sum_SumFirstN goto BB0 } BB0 { - [#"../sum.rs" 7 18 7 19] sum <- ([#"../sum.rs" 7 18 7 19] (0 : uint32)); - [#"../sum.rs" 9 13 9 18] _7 <- ([#"../sum.rs" 9 13 9 18] new0 (1 : uint32) n); + [#"../sum.rs" 7 18 7 19] sum <- ([#"../sum.rs" 7 18 7 19] [#"../sum.rs" 7 18 7 19] (0 : uint32)); + [#"../sum.rs" 9 13 9 18] _7 <- ([#"../sum.rs" 9 13 9 18] new0 ([#"../sum.rs" 9 13 9 14] (1 : uint32)) n); goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/sum_of_odds.mlcfg b/creusot/tests/should_succeed/sum_of_odds.mlcfg index a40475b1ea..1f31f3448e 100644 --- a/creusot/tests/should_succeed/sum_of_odds.mlcfg +++ b/creusot/tests/should_succeed/sum_of_odds.mlcfg 
@@ -26,8 +26,10 @@ module SumOfOdds_SumOfOddIsSqr_Impl constant x : int function sum_of_odd_is_sqr [#"../sum_of_odds.rs" 30 0 30 28] (x : int) : () - goal vc_sum_of_odd_is_sqr : ([#"../sum_of_odds.rs" 27 11 27 17] x >= 0) -> match x > 0 with - | True -> (([#"../sum_of_odds.rs" 27 11 27 17] x - 1 >= 0) /\ 0 <= ([#"../sum_of_odds.rs" 29 10 29 11] x) /\ ([#"../sum_of_odds.rs" 29 10 29 11] x - 1) < ([#"../sum_of_odds.rs" 29 10 29 11] x)) /\ (([#"../sum_of_odds.rs" 28 10 28 33] sum_of_odd0 (x - 1) = sqr0 (x - 1)) -> ([#"../sum_of_odds.rs" 28 10 28 33] sum_of_odd0 x = sqr0 x)) + goal vc_sum_of_odd_is_sqr : ([#"../sum_of_odds.rs" 27 11 27 17] x >= 0) + -> match x > 0 with + | True -> (([#"../sum_of_odds.rs" 27 11 27 17] x - 1 >= 0) /\ 0 <= ([#"../sum_of_odds.rs" 29 10 29 11] x) /\ ([#"../sum_of_odds.rs" 29 10 29 11] x - 1) < ([#"../sum_of_odds.rs" 29 10 29 11] x)) /\ (([#"../sum_of_odds.rs" 28 10 28 33] sum_of_odd0 (x - 1) = sqr0 (x - 1)) + -> ([#"../sum_of_odds.rs" 28 10 28 33] sum_of_odd0 x = sqr0 x)) | False -> [#"../sum_of_odds.rs" 28 10 28 33] sum_of_odd0 x = sqr0 x end end 
@@ -109,7 +111,9 @@ module SumOfOdds_ComputeSumOfOdd predicate produces0 (self : Core_Ops_Range_Range_Type.t_range uint32) (visited : Seq.seq uint32) (o : Core_Ops_Range_Range_Type.t_range uint32) = - [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range uint32) (visited : Seq.seq uint32) (o : Core_Ops_Range_Range_Type.t_range uint32) : bool ensures { result = produces0 self visited o } 
@@ -125,14 +129,22 @@ module SumOfOdds_ComputeSumOfOdd requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range uint32, ab : Seq.seq uint32, b : Core_Ops_Range_Range_Type.t_range uint32, bc : Seq.seq uint32, c : Core_Ops_Range_Range_Type.t_range uint32 . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv3 ab) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv3 bc) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range uint32, ab : Seq.seq uint32, b : Core_Ops_Range_Range_Type.t_range uint32, bc : Seq.seq uint32, c : Core_Ops_Range_Range_Type.t_range uint32 . 
([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv3 ab) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv3 bc) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range uint32) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range uint32) : () requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range uint32 . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range uint32 . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : Core_Ops_Range_Range_Type.t_range uint32) = [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant0 (self : Core_Ops_Range_Range_Type.t_range uint32) : bool 
@@ -164,7 +176,8 @@ module SumOfOdds_ComputeSumOfOdd requires {[#"../sum_of_odds.rs" 27 11 27 17] x >= 0} ensures { result = sum_of_odd_is_sqr0 x } - axiom sum_of_odd_is_sqr0_spec : forall x : int . ([#"../sum_of_odds.rs" 27 11 27 17] x >= 0) -> ([#"../sum_of_odds.rs" 28 10 28 33] sum_of_odd0 x = sqr0 x) + axiom sum_of_odd_is_sqr0_spec : forall x : int . ([#"../sum_of_odds.rs" 27 11 27 17] x >= 0) + -> ([#"../sum_of_odds.rs" 28 10 28 33] sum_of_odd0 x = sqr0 x) use seq.Seq predicate resolve0 (self : borrowed (Core_Ops_Range_Range_Type.t_range uint32)) = [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self @@ -231,8 +244,8 @@ module SumOfOdds_ComputeSumOfOdd goto BB0 } BB0 { - [#"../sum_of_odds.rs" 37 21 37 22] s <- ([#"../sum_of_odds.rs" 37 21 37 22] (0 : uint32)); - [#"../sum_of_odds.rs" 39 13 39 17] _8 <- ([#"../sum_of_odds.rs" 39 13 39 17] Core_Ops_Range_Range_Type.C_Range (0 : uint32) x); + [#"../sum_of_odds.rs" 37 21 37 22] s <- ([#"../sum_of_odds.rs" 37 21 37 22] [#"../sum_of_odds.rs" 37 21 37 22] (0 : uint32)); + [#"../sum_of_odds.rs" 39 13 39 17] _8 <- ([#"../sum_of_odds.rs" 39 13 39 17] Core_Ops_Range_Range_Type.C_Range ([#"../sum_of_odds.rs" 39 13 39 14] (0 : uint32)) x); [#"../sum_of_odds.rs" 38 4 38 50] iter <- ([#"../sum_of_odds.rs" 38 4 38 50] into_iter0 _8); _8 <- any Core_Ops_Range_Range_Type.t_range uint32; goto BB1 
@@ -291,8 +304,8 @@ module SumOfOdds_ComputeSumOfOdd _23 <- any Snapshot.snap_ty (Seq.seq uint32); [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] i <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem); assert { [@expl:assertion] [#"../sum_of_odds.rs" 41 12 41 33] let _ = sum_of_odd_is_sqr0 (UInt32.to_int i) in true }; - [#"../sum_of_odds.rs" 44 13 44 18] _29 <- ([#"../sum_of_odds.rs" 44 13 44 18] (2 : uint32) * i); - [#"../sum_of_odds.rs" 44 13 44 22] _28 <- ([#"../sum_of_odds.rs" 44 13 44 22] _29 + (1 : uint32)); + [#"../sum_of_odds.rs" 44 13 44 18] _29 <- ([#"../sum_of_odds.rs" 44 13 44 18] ([#"../sum_of_odds.rs" 44 13 44 14] (2 : uint32)) * i); + [#"../sum_of_odds.rs" 44 13 44 22] _28 <- ([#"../sum_of_odds.rs" 44 13 44 22] _29 + ([#"../sum_of_odds.rs" 44 21 44 22] (1 : uint32))); _29 <- any uint32; [#"../sum_of_odds.rs" 44 8 44 22] s <- ([#"../sum_of_odds.rs" 44 8 44 22] s + _28); _28 <- any uint32; @@ -332,7 +345,8 @@ module SumOfOdds_Test requires {[#"../sum_of_odds.rs" 27 11 27 17] x >= 0} ensures { result = sum_of_odd_is_sqr0 x } - axiom sum_of_odd_is_sqr0_spec : forall x : int . ([#"../sum_of_odds.rs" 27 11 27 17] x >= 0) -> ([#"../sum_of_odds.rs" 28 10 28 33] sum_of_odd0 x = sqr0 x) + axiom sum_of_odd_is_sqr0_spec : forall x : int . ([#"../sum_of_odds.rs" 27 11 27 17] x >= 0) + -> ([#"../sum_of_odds.rs" 28 10 28 33] sum_of_odd0 x = sqr0 x) use prelude.UInt32 val compute_sum_of_odd0 [#"../sum_of_odds.rs" 36 0 36 36] (x : uint32) : uint32 requires {[#"../sum_of_odds.rs" 34 11 34 23] UInt32.to_int x < 65536} @@ -354,7 +368,7 @@ module SumOfOdds_Test } BB1 { assert { [@expl:assertion] [#"../sum_of_odds.rs" 53 8 53 29] let _ = sum_of_odd_is_sqr0 (UInt32.to_int x) in is_square0 (UInt32.to_int y) }; - [#"../sum_of_odds.rs" 52 4 55 5] _0 <- ([#"../sum_of_odds.rs" 52 4 55 5] ()); + [#"../sum_of_odds.rs" 52 4 55 5] _0 <- ([#"../sum_of_odds.rs" 52 4 55 5] [#"../sum_of_odds.rs" 52 4 55 5] ()); return _0 } 
diff --git a/creusot/tests/should_succeed/swap_borrows.mlcfg b/creusot/tests/should_succeed/swap_borrows.mlcfg index 1dfaf453a0..0bcfab730c 100644 --- a/creusot/tests/should_succeed/swap_borrows.mlcfg +++ b/creusot/tests/should_succeed/swap_borrows.mlcfg @@ -106,7 +106,7 @@ module SwapBorrows_F goto BB0 } BB0 { - [#"../swap_borrows.rs" 11 25 11 31] _3 <- ([#"../swap_borrows.rs" 11 25 11 31] ((0 : uint32), (0 : uint32))); + [#"../swap_borrows.rs" 11 25 11 31] _3 <- ([#"../swap_borrows.rs" 11 25 11 31] (([#"../swap_borrows.rs" 11 26 11 27] (0 : uint32)), ([#"../swap_borrows.rs" 11 29 11 30] (0 : uint32)))); [#"../swap_borrows.rs" 11 9 11 14] a <- ([#"../swap_borrows.rs" 11 9 11 14] let (a, _) = _3 in a); [#"../swap_borrows.rs" 11 16 11 21] b <- ([#"../swap_borrows.rs" 11 16 11 21] let (_, a) = _3 in a); assume { resolve0 _3 }; @@ -125,11 +125,11 @@ module SwapBorrows_F } BB1 { assume { resolve1 _8 }; - [#"../swap_borrows.rs" 13 4 13 13] p <- (let (x0, x1) = p in ({ (let (a, _) = p in a) with current = ([#"../swap_borrows.rs" 13 4 13 13] (10 : uint32)) ; }, x1)); + [#"../swap_borrows.rs" 13 4 13 13] p <- (let (x0, x1) = p in ({ (let (a, _) = p in a) with current = ([#"../swap_borrows.rs" 13 4 13 13] [#"../swap_borrows.rs" 13 11 13 13] (10 : uint32)) ; }, x1)); assume { resolve2 p }; assert { [@expl:assertion] [#"../swap_borrows.rs" 15 20 15 30] b = (10 : uint32) }; assert { [@expl:assertion] [#"../swap_borrows.rs" 16 20 16 29] a = (0 : uint32) }; - [#"../swap_borrows.rs" 10 11 17 1] _0 <- ([#"../swap_borrows.rs" 10 11 17 1] ()); + [#"../swap_borrows.rs" 10 11 17 1] _0 <- ([#"../swap_borrows.rs" 10 11 17 1] [#"../swap_borrows.rs" 10 11 17 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/switch.mlcfg b/creusot/tests/should_succeed/switch.mlcfg index 589df93f59..881225a54d 100644 --- a/creusot/tests/should_succeed/switch.mlcfg +++ b/creusot/tests/should_succeed/switch.mlcfg 
@@ -33,7 +33,7 @@ module Switch_Test goto BB4 } BB2 { - [#"../switch.rs" 12 16 12 21] _0 <- ([#"../switch.rs" 12 16 12 21] false); + [#"../switch.rs" 12 16 12 21] _0 <- ([#"../switch.rs" 12 16 12 21] [#"../switch.rs" 12 16 12 21] false); goto BB5 } BB3 { @@ -42,7 +42,7 @@ module Switch_Test } BB4 { [#"../switch.rs" 11 13 11 14] x <- ([#"../switch.rs" 11 13 11 14] Switch_Option_Type.some_0 o); - [#"../switch.rs" 11 19 11 24] _0 <- ([#"../switch.rs" 11 19 11 24] x > (0 : uint32)); + [#"../switch.rs" 11 19 11 24] _0 <- ([#"../switch.rs" 11 19 11 24] x > ([#"../switch.rs" 11 23 11 24] (0 : uint32))); goto BB5 } BB5 { diff --git a/creusot/tests/should_succeed/switch_struct.mlcfg b/creusot/tests/should_succeed/switch_struct.mlcfg index dceefd3ca6..add5733e50 100644 --- a/creusot/tests/should_succeed/switch_struct.mlcfg +++ b/creusot/tests/should_succeed/switch_struct.mlcfg @@ -42,7 +42,7 @@ module SwitchStruct_Test } BB2 { [#"../switch_struct.rs" 12 12 12 18] field2 <- ([#"../switch_struct.rs" 12 12 12 18] SwitchStruct_M_Type.g_field2 o); - [#"../switch_struct.rs" 12 24 12 35] _0 <- ([#"../switch_struct.rs" 12 24 12 35] field2 = (0 : uint32)); + [#"../switch_struct.rs" 12 24 12 35] _0 <- ([#"../switch_struct.rs" 12 24 12 35] field2 = ([#"../switch_struct.rs" 12 34 12 35] (0 : uint32))); goto BB5 } BB3 { @@ -51,7 +51,7 @@ module SwitchStruct_Test } BB4 { [#"../switch_struct.rs" 11 12 11 18] field1 <- ([#"../switch_struct.rs" 11 12 11 18] SwitchStruct_M_Type.f_field1 o); - [#"../switch_struct.rs" 11 24 11 34] _0 <- ([#"../switch_struct.rs" 11 24 11 34] field1 > (0 : uint32)); + [#"../switch_struct.rs" 11 24 11 34] _0 <- ([#"../switch_struct.rs" 11 24 11 34] field1 > ([#"../switch_struct.rs" 11 33 11 34] (0 : uint32))); goto BB5 } BB5 { diff --git a/creusot/tests/should_succeed/syntax/01_idents.mlcfg b/creusot/tests/should_succeed/syntax/01_idents.mlcfg index f2db50cf1c..24569dbecd 100644 --- a/creusot/tests/should_succeed/syntax/01_idents.mlcfg 
+++ b/creusot/tests/should_succeed/syntax/01_idents.mlcfg @@ -7,7 +7,7 @@ module C01Idents_Clone goto BB0 } BB0 { - [#"../01_idents.rs" 3 15 3 17] _0 <- ([#"../01_idents.rs" 3 15 3 17] ()); + [#"../01_idents.rs" 3 15 3 17] _0 <- ([#"../01_idents.rs" 3 15 3 17] [#"../01_idents.rs" 3 15 3 17] ()); return _0 } @@ -20,7 +20,7 @@ module C01Idents_Function goto BB0 } BB0 { - [#"../01_idents.rs" 5 18 5 20] _0 <- ([#"../01_idents.rs" 5 18 5 20] ()); + [#"../01_idents.rs" 5 18 5 20] _0 <- ([#"../01_idents.rs" 5 18 5 20] [#"../01_idents.rs" 5 18 5 20] ()); return _0 } @@ -33,7 +33,7 @@ module C01Idents_Import goto BB0 } BB0 { - [#"../01_idents.rs" 7 16 7 18] _0 <- ([#"../01_idents.rs" 7 16 7 18] ()); + [#"../01_idents.rs" 7 16 7 18] _0 <- ([#"../01_idents.rs" 7 16 7 18] [#"../01_idents.rs" 7 16 7 18] ()); return _0 } @@ -46,7 +46,7 @@ module C01Idents_Export goto BB0 } BB0 { - [#"../01_idents.rs" 9 16 9 18] _0 <- ([#"../01_idents.rs" 9 16 9 18] ()); + [#"../01_idents.rs" 9 16 9 18] _0 <- ([#"../01_idents.rs" 9 16 9 18] [#"../01_idents.rs" 9 16 9 18] ()); return _0 } @@ -59,7 +59,7 @@ module C01Idents_Result goto BB0 } BB0 { - [#"../01_idents.rs" 11 16 11 18] _0 <- ([#"../01_idents.rs" 11 16 11 18] ()); + [#"../01_idents.rs" 11 16 11 18] _0 <- ([#"../01_idents.rs" 11 16 11 18] [#"../01_idents.rs" 11 16 11 18] ()); return _0 } diff --git a/creusot/tests/should_succeed/syntax/02_operators.mlcfg b/creusot/tests/should_succeed/syntax/02_operators.mlcfg index 52a2159d64..f69547e003 100644 --- a/creusot/tests/should_succeed/syntax/02_operators.mlcfg +++ b/creusot/tests/should_succeed/syntax/02_operators.mlcfg 
@@ -17,7 +17,7 @@ module C02Operators_Division } BB0 { [#"../02_operators.rs" 9 8 9 9] _5 <- ([#"../02_operators.rs" 9 8 9 9] y); - [#"../02_operators.rs" 9 4 9 9] _6 <- ([#"../02_operators.rs" 9 4 9 9] _5 = (0 : usize)); + [#"../02_operators.rs" 9 4 9 9] _6 <- ([#"../02_operators.rs" 9 4 9 9] _5 = ([#"../02_operators.rs" 9 4 9 9] (0 : usize))); assert { [@expl:division by zero] [#"../02_operators.rs" 9 4 9 9] not _6 }; goto BB1 } @@ -46,7 +46,7 @@ module C02Operators_Modulus } BB0 { [#"../02_operators.rs" 24 8 24 9] _5 <- ([#"../02_operators.rs" 24 8 24 9] y); - [#"../02_operators.rs" 24 4 24 9] _6 <- ([#"../02_operators.rs" 24 4 24 9] _5 = (0 : usize)); + [#"../02_operators.rs" 24 4 24 9] _6 <- ([#"../02_operators.rs" 24 4 24 9] _5 = ([#"../02_operators.rs" 24 4 24 9] (0 : usize))); assert { [@expl:remainder by zero] [#"../02_operators.rs" 24 4 24 9] not _6 }; goto BB1 } @@ -150,7 +150,7 @@ module C02Operators_Expression } BB0 { [#"../02_operators.rs" 78 8 78 9] _10 <- ([#"../02_operators.rs" 78 8 78 9] y); - [#"../02_operators.rs" 78 4 78 9] _11 <- ([#"../02_operators.rs" 78 4 78 9] _10 = (0 : usize)); + [#"../02_operators.rs" 78 4 78 9] _11 <- ([#"../02_operators.rs" 78 4 78 9] _10 = ([#"../02_operators.rs" 78 4 78 9] (0 : usize))); assert { [@expl:division by zero] [#"../02_operators.rs" 78 4 78 9] not _11 }; goto BB1 } @@ -160,7 +160,7 @@ module C02Operators_Expression [#"../02_operators.rs" 78 4 78 13] _7 <- ([#"../02_operators.rs" 78 4 78 13] _8 * z); _8 <- any usize; [#"../02_operators.rs" 78 22 78 23] _16 <- ([#"../02_operators.rs" 78 22 78 23] y); - [#"../02_operators.rs" 78 17 78 24] _17 <- ([#"../02_operators.rs" 78 17 78 24] _16 = (0 : usize)); + [#"../02_operators.rs" 78 17 78 24] _17 <- ([#"../02_operators.rs" 78 17 78 24] _16 = ([#"../02_operators.rs" 78 17 78 24] (0 : usize))); assert { [@expl:division by zero] [#"../02_operators.rs" 78 17 78 24] not _17 }; goto BB2 } 
@@ -208,7 +208,7 @@ module C02Operators_PrimitiveComparison goto BB0 } BB0 { - [#"../02_operators.rs" 92 30 92 32] _0 <- ([#"../02_operators.rs" 92 30 92 32] ()); + [#"../02_operators.rs" 92 30 92 32] _0 <- ([#"../02_operators.rs" 92 30 92 32] [#"../02_operators.rs" 92 30 92 32] ()); return _0 } @@ -241,7 +241,7 @@ module C02Operators_OldTest goto BB0 } BB0 { - [#"../02_operators.rs" 100 21 100 23] _0 <- ([#"../02_operators.rs" 100 21 100 23] ()); + [#"../02_operators.rs" 100 21 100 23] _0 <- ([#"../02_operators.rs" 100 21 100 23] [#"../02_operators.rs" 100 21 100 23] ()); return _0 } diff --git a/creusot/tests/should_succeed/syntax/04_assoc_prec.mlcfg b/creusot/tests/should_succeed/syntax/04_assoc_prec.mlcfg index c5083b7d7b..a8d7f742d2 100644 --- a/creusot/tests/should_succeed/syntax/04_assoc_prec.mlcfg +++ b/creusot/tests/should_succeed/syntax/04_assoc_prec.mlcfg @@ -13,7 +13,7 @@ module C04AssocPrec_RespectPrec ensures { result = resolve0 self } let rec cfg respect_prec [#"../04_assoc_prec.rs" 10 0 10 34] [@cfg:stackify] [@cfg:subregion_analysis] (x : (uint32, uint32)) : () - ensures { [#"../04_assoc_prec.rs" 7 0 7 33] 5 = 3 -> 2 + 1 = 3 } + ensures { [#"../04_assoc_prec.rs" 7 0 7 33] 5 = 3 -> 2 + 1 = 3 } ensures { [#"../04_assoc_prec.rs" 8 10 8 35] div (5 * 3) 2 <> 4 * (40 + 1) } ensures { [#"../04_assoc_prec.rs" 9 10 9 20] (let (a, _) = x in a) = (let (_, a) = x in a) } @@ -25,7 +25,7 @@ module C04AssocPrec_RespectPrec } BB0 { assume { resolve0 x }; - [#"../04_assoc_prec.rs" 10 35 10 37] _0 <- ([#"../04_assoc_prec.rs" 10 35 10 37] ()); + [#"../04_assoc_prec.rs" 10 35 10 37] _0 <- ([#"../04_assoc_prec.rs" 10 35 10 37] [#"../04_assoc_prec.rs" 10 35 10 37] ()); return _0 } @@ -41,7 +41,7 @@ module C04AssocPrec_RespectAssoc goto BB0 } BB0 { - [#"../04_assoc_prec.rs" 13 23 13 25] _0 <- ([#"../04_assoc_prec.rs" 13 23 13 25] ()); + [#"../04_assoc_prec.rs" 13 23 13 25] _0 <- ([#"../04_assoc_prec.rs" 13 23 13 25] [#"../04_assoc_prec.rs" 13 23 13 25] ()); return _0 } 
diff --git a/creusot/tests/should_succeed/syntax/05_annotations.mlcfg b/creusot/tests/should_succeed/syntax/05_annotations.mlcfg index 78a410f58d..7d9918a914 100644 --- a/creusot/tests/should_succeed/syntax/05_annotations.mlcfg +++ b/creusot/tests/should_succeed/syntax/05_annotations.mlcfg @@ -30,7 +30,7 @@ module C05Annotations_Assertion goto BB1 } BB1 { - [#"../05_annotations.rs" 5 26 7 1] _0 <- ([#"../05_annotations.rs" 5 26 7 1] ()); + [#"../05_annotations.rs" 5 26 7 1] _0 <- ([#"../05_annotations.rs" 5 26 7 1] [#"../05_annotations.rs" 5 26 7 1] ()); goto BB2 } BB2 { diff --git a/creusot/tests/should_succeed/syntax/05_pearlite.mlcfg b/creusot/tests/should_succeed/syntax/05_pearlite.mlcfg index b2873eb912..49296ded96 100644 --- a/creusot/tests/should_succeed/syntax/05_pearlite.mlcfg +++ b/creusot/tests/should_succeed/syntax/05_pearlite.mlcfg 
@@ -36,7 +36,8 @@ module C05Pearlite_HasLen3_Impl requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv1 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv1 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) function shallow_model0 (self : slice uint32) : Seq.seq uint32 = [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model1 self val shallow_model0 (self : slice uint32) : Seq.seq uint32 @@ -66,7 +67,7 @@ module C05Pearlite_StructInPearlite goto BB0 } BB0 { - [#"../05_pearlite.rs" 24 32 24 34] _0 <- ([#"../05_pearlite.rs" 24 32 24 34] ()); + [#"../05_pearlite.rs" 24 32 24 34] _0 <- ([#"../05_pearlite.rs" 24 32 24 34] [#"../05_pearlite.rs" 24 32 24 34] ()); return _0 } @@ -91,7 +92,7 @@ module C05Pearlite_StructOrder goto BB0 } BB0 { - [#"../05_pearlite.rs" 32 26 32 28] _0 <- ([#"../05_pearlite.rs" 32 26 32 28] ()); + [#"../05_pearlite.rs" 32 26 32 28] _0 <- ([#"../05_pearlite.rs" 32 26 32 28] [#"../05_pearlite.rs" 32 26 32 28] ()); return _0 } 
@@ -115,7 +116,7 @@ module C05Pearlite_GhostClosure goto BB1 } BB1 { - [#"../05_pearlite.rs" 48 23 50 1] _0 <- ([#"../05_pearlite.rs" 48 23 50 1] ()); + [#"../05_pearlite.rs" 48 23 50 1] _0 <- ([#"../05_pearlite.rs" 48 23 50 1] [#"../05_pearlite.rs" 48 23 50 1] ()); return _0 } @@ -133,7 +134,7 @@ module C05Pearlite_PearliteClosure goto BB0 } BB0 { - [#"../05_pearlite.rs" 52 58 52 60] _0 <- ([#"../05_pearlite.rs" 52 58 52 60] ()); + [#"../05_pearlite.rs" 52 58 52 60] _0 <- ([#"../05_pearlite.rs" 52 58 52 60] [#"../05_pearlite.rs" 52 58 52 60] ()); return _0 } @@ -164,7 +165,7 @@ module C05Pearlite_Caller goto BB2 } BB2 { - [#"../05_pearlite.rs" 54 16 56 1] _0 <- ([#"../05_pearlite.rs" 54 16 56 1] ()); + [#"../05_pearlite.rs" 54 16 56 1] _0 <- ([#"../05_pearlite.rs" 54 16 56 1] [#"../05_pearlite.rs" 54 16 56 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/syntax/07_extern_spec.mlcfg b/creusot/tests/should_succeed/syntax/07_extern_spec.mlcfg index bf420021a7..c1687a288a 100644 --- a/creusot/tests/should_succeed/syntax/07_extern_spec.mlcfg +++ b/creusot/tests/should_succeed/syntax/07_extern_spec.mlcfg @@ -9,7 +9,7 @@ module C07ExternSpec_Impl0_Func goto BB0 } BB0 { - [#"../07_extern_spec.rs" 12 8 12 12] _0 <- ([#"../07_extern_spec.rs" 12 8 12 12] true); + [#"../07_extern_spec.rs" 12 8 12 12] _0 <- ([#"../07_extern_spec.rs" 12 8 12 12] [#"../07_extern_spec.rs" 12 8 12 12] true); return _0 } diff --git a/creusot/tests/should_succeed/syntax/09_maintains.mlcfg b/creusot/tests/should_succeed/syntax/09_maintains.mlcfg index bf775481c0..5372bc1fb9 100644 --- a/creusot/tests/should_succeed/syntax/09_maintains.mlcfg +++ b/creusot/tests/should_succeed/syntax/09_maintains.mlcfg @@ -23,7 +23,7 @@ module C09Maintains_Test1 goto BB0 } BB0 { - [#"../09_maintains.rs" 28 37 28 39] _0 <- ([#"../09_maintains.rs" 28 37 28 39] ()); + [#"../09_maintains.rs" 28 37 28 39] _0 <- ([#"../09_maintains.rs" 28 37 28 39] [#"../09_maintains.rs" 28 37 28 39] ()); return _0 } 
@@ -55,7 +55,7 @@ module C09Maintains_Test2 } BB0 { assume { resolve0 a }; - [#"../09_maintains.rs" 31 42 31 44] _0 <- ([#"../09_maintains.rs" 31 42 31 44] ()); + [#"../09_maintains.rs" 31 42 31 44] _0 <- ([#"../09_maintains.rs" 31 42 31 44] [#"../09_maintains.rs" 31 42 31 44] ()); return _0 } @@ -94,7 +94,7 @@ module C09Maintains_Test3 BB0 { assume { resolve0 b }; assume { resolve1 a }; - [#"../09_maintains.rs" 34 47 34 49] _0 <- ([#"../09_maintains.rs" 34 47 34 49] ()); + [#"../09_maintains.rs" 34 47 34 49] _0 <- ([#"../09_maintains.rs" 34 47 34 49] [#"../09_maintains.rs" 34 47 34 49] ()); return _0 } @@ -119,7 +119,7 @@ module C09Maintains_Test5 goto BB0 } BB0 { - [#"../09_maintains.rs" 37 30 37 32] _0 <- ([#"../09_maintains.rs" 37 30 37 32] ()); + [#"../09_maintains.rs" 37 30 37 32] _0 <- ([#"../09_maintains.rs" 37 30 37 32] [#"../09_maintains.rs" 37 30 37 32] ()); return _0 } @@ -141,7 +141,7 @@ module C09Maintains_Test6 goto BB0 } BB0 { - [#"../09_maintains.rs" 40 29 40 31] _0 <- ([#"../09_maintains.rs" 40 29 40 31] ()); + [#"../09_maintains.rs" 40 29 40 31] _0 <- ([#"../09_maintains.rs" 40 29 40 31] [#"../09_maintains.rs" 40 29 40 31] ()); return _0 } diff --git a/creusot/tests/should_succeed/syntax/10_mutual_rec_types.mlcfg b/creusot/tests/should_succeed/syntax/10_mutual_rec_types.mlcfg index d3af288582..43065ad5d2 100644 --- a/creusot/tests/should_succeed/syntax/10_mutual_rec_types.mlcfg +++ b/creusot/tests/should_succeed/syntax/10_mutual_rec_types.mlcfg @@ -46,7 +46,7 @@ module C10MutualRecTypes_UseTree goto BB0 } BB0 { - [#"../10_mutual_rec_types.rs" 13 26 13 28] _0 <- ([#"../10_mutual_rec_types.rs" 13 26 13 28] ()); + [#"../10_mutual_rec_types.rs" 13 26 13 28] _0 <- ([#"../10_mutual_rec_types.rs" 13 26 13 28] [#"../10_mutual_rec_types.rs" 13 26 13 28] ()); return _0 } 
@@ -88,8 +88,10 @@ module C10MutualRecTypes_Impl0_Height ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 53 26 53 66] deep_model0 result >= deep_model0 self } ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 54 26 54 63] deep_model0 result >= deep_model0 other } ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 7 0 62 1] result = self \/ result = other } - ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 56 16 56 79] deep_model0 self <= deep_model0 other -> result = other } - ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 57 16 57 81] deep_model0 other < deep_model0 self -> result = self } + ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 56 16 56 79] deep_model0 self <= deep_model0 other + -> result = other } + ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 57 16 57 81] deep_model0 other < deep_model0 self + -> result = self } ensures { inv0 result } use C10MutualRecTypes_Node_Type as C10MutualRecTypes_Node_Type @@ -126,7 +128,7 @@ module C10MutualRecTypes_Impl0_Height absurd } BB4 { - [#"../10_mutual_rec_types.rs" 18 26 18 27] _0 <- ([#"../10_mutual_rec_types.rs" 18 26 18 27] (0 : uint64)); + [#"../10_mutual_rec_types.rs" 18 26 18 27] _0 <- ([#"../10_mutual_rec_types.rs" 18 26 18 27] [#"../10_mutual_rec_types.rs" 18 26 18 27] (0 : uint64)); goto BB8 } BB5 { @@ -140,7 +142,7 @@ module C10MutualRecTypes_Impl0_Height goto BB7 } BB7 { - [#"../10_mutual_rec_types.rs" 19 29 19 70] _0 <- ([#"../10_mutual_rec_types.rs" 19 29 19 70] _4 + (1 : uint64)); + [#"../10_mutual_rec_types.rs" 19 29 19 70] _0 <- ([#"../10_mutual_rec_types.rs" 19 29 19 70] _4 + ([#"../10_mutual_rec_types.rs" 19 69 19 70] (1 : uint64))); _4 <- any uint64; goto BB8 } diff --git a/creusot/tests/should_succeed/syntax/11_array_types.mlcfg b/creusot/tests/should_succeed/syntax/11_array_types.mlcfg index 1c35d39d16..b6a4c2c827 100644 --- a/creusot/tests/should_succeed/syntax/11_array_types.mlcfg 
+++ b/creusot/tests/should_succeed/syntax/11_array_types.mlcfg @@ -42,16 +42,16 @@ module C11ArrayTypes_Omg goto BB0 } BB0 { - [#"../11_array_types.rs" 9 8 9 9] _3 <- ([#"../11_array_types.rs" 9 8 9 9] (0 : usize)); + [#"../11_array_types.rs" 9 8 9 9] _3 <- ([#"../11_array_types.rs" 9 8 9 9] [#"../11_array_types.rs" 9 8 9 9] (0 : usize)); [#"../11_array_types.rs" 9 4 9 10] _4 <- ([#"../11_array_types.rs" 9 4 9 10] Slice.length (C11ArrayTypes_UsesArray_Type.usesarray_0 x)); [#"../11_array_types.rs" 9 4 9 10] _5 <- ([#"../11_array_types.rs" 9 4 9 10] _3 < _4); assert { [@expl:index in bounds] [#"../11_array_types.rs" 9 4 9 10] _5 }; goto BB1 } BB1 { - [#"../11_array_types.rs" 9 4 9 14] x <- (let C11ArrayTypes_UsesArray_Type.C_UsesArray x0 = x in C11ArrayTypes_UsesArray_Type.C_UsesArray (Slice.set (C11ArrayTypes_UsesArray_Type.usesarray_0 x) _3 ([#"../11_array_types.rs" 9 4 9 14] (5 : int64)))); + [#"../11_array_types.rs" 9 4 9 14] x <- (let C11ArrayTypes_UsesArray_Type.C_UsesArray x0 = x in C11ArrayTypes_UsesArray_Type.C_UsesArray (Slice.set (C11ArrayTypes_UsesArray_Type.usesarray_0 x) _3 ([#"../11_array_types.rs" 9 4 9 14] [#"../11_array_types.rs" 9 13 9 14] (5 : int64)))); assert { [@expl:assertion] [#"../11_array_types.rs" 11 20 11 32] Int64.to_int (index_logic0 (C11ArrayTypes_UsesArray_Type.usesarray_0 x) 0) = 5 }; - [#"../11_array_types.rs" 8 29 12 1] _0 <- ([#"../11_array_types.rs" 8 29 12 1] ()); + [#"../11_array_types.rs" 8 29 12 1] _0 <- ([#"../11_array_types.rs" 8 29 12 1] [#"../11_array_types.rs" 8 29 12 1] ()); return _0 } 
@@ -79,7 +79,7 @@ module C11ArrayTypes_CallOmg goto BB0 } BB0 { - [#"../11_array_types.rs" 15 14 15 24] arr <- ([#"../11_array_types.rs" 15 14 15 24] Slice.create (5 : usize) (fun _ -> (3 : int64))); + [#"../11_array_types.rs" 15 14 15 24] arr <- ([#"../11_array_types.rs" 15 14 15 24] Slice.create ([#"../11_array_types.rs" 15 14 15 24] (5 : usize)) (fun _ -> [#"../11_array_types.rs" 15 15 15 20] (3 : int64))); [#"../11_array_types.rs" 16 8 16 22] _2 <- ([#"../11_array_types.rs" 16 8 16 22] C11ArrayTypes_UsesArray_Type.C_UsesArray arr); [#"../11_array_types.rs" 16 4 16 23] _0 <- ([#"../11_array_types.rs" 16 4 16 23] omg0 _2); _2 <- any C11ArrayTypes_UsesArray_Type.t_usesarray; diff --git a/creusot/tests/should_succeed/syntax/12_ghost_code.mlcfg b/creusot/tests/should_succeed/syntax/12_ghost_code.mlcfg index 62fe4c7f44..884cabb418 100644 --- a/creusot/tests/should_succeed/syntax/12_ghost_code.mlcfg +++ b/creusot/tests/should_succeed/syntax/12_ghost_code.mlcfg @@ -19,7 +19,7 @@ module C12GhostCode_GhostArg goto BB1 } BB1 { - [#"../12_ghost_code.rs" 4 35 6 1] _0 <- ([#"../12_ghost_code.rs" 4 35 6 1] ()); + [#"../12_ghost_code.rs" 4 35 6 1] _0 <- ([#"../12_ghost_code.rs" 4 35 6 1] [#"../12_ghost_code.rs" 4 35 6 1] ()); return _0 } 
@@ -93,7 +93,8 @@ module C12GhostCode_GhostVec requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool @@ -116,7 +117,8 @@ module C12GhostCode_GhostVec ensures { result = index_logic0 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve1 (index_logic0 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve1 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } 
@@ -133,7 +135,7 @@ module C12GhostCode_GhostVec goto BB0 } BB0 { - [#"../12_ghost_code.rs" 9 22 9 32] x <- ([#"../12_ghost_code.rs" 9 22 9 32] new0 ()); + [#"../12_ghost_code.rs" 9 22 9 32] x <- ([#"../12_ghost_code.rs" 9 22 9 32] new0 ([#"../12_ghost_code.rs" 9 22 9 32] ())); goto BB1 } BB1 { @@ -142,7 +144,7 @@ module C12GhostCode_GhostVec goto BB2 } BB2 { - [#"../12_ghost_code.rs" 8 19 11 1] _0 <- ([#"../12_ghost_code.rs" 8 19 11 1] ()); + [#"../12_ghost_code.rs" 8 19 11 1] _0 <- ([#"../12_ghost_code.rs" 8 19 11 1] [#"../12_ghost_code.rs" 8 19 11 1] ()); goto BB3 } BB3 { @@ -169,7 +171,7 @@ module C12GhostCode_GhostCopy goto BB0 } BB0 { - [#"../12_ghost_code.rs" 18 12 18 13] a <- ([#"../12_ghost_code.rs" 18 12 18 13] (0 : int32)); + [#"../12_ghost_code.rs" 18 12 18 13] a <- ([#"../12_ghost_code.rs" 18 12 18 13] [#"../12_ghost_code.rs" 18 12 18 13] (0 : int32)); [#"../12_ghost_code.rs" 19 17 19 52] _s <- ([#"../12_ghost_code.rs" 19 17 19 52] Snapshot.new (Seq.snoc (Seq.empty ) (0 : int32))); goto BB1 } @@ -180,7 +182,7 @@ module C12GhostCode_GhostCopy BB2 { [#"../12_ghost_code.rs" 20 4 20 33] _s <- ([#"../12_ghost_code.rs" 20 4 20 33] _4); _4 <- any Snapshot.snap_ty (Seq.seq int32); - [#"../12_ghost_code.rs" 17 20 21 1] _0 <- ([#"../12_ghost_code.rs" 17 20 21 1] ()); + [#"../12_ghost_code.rs" 17 20 21 1] _0 <- ([#"../12_ghost_code.rs" 17 20 21 1] [#"../12_ghost_code.rs" 17 20 21 1] ()); return _0 } @@ -208,7 +210,7 @@ module C12GhostCode_GhostIsCopy goto BB0 } BB0 { - [#"../12_ghost_code.rs" 24 16 24 17] x <- ([#"../12_ghost_code.rs" 24 16 24 17] (0 : int32)); + [#"../12_ghost_code.rs" 24 16 24 17] x <- ([#"../12_ghost_code.rs" 24 16 24 17] [#"../12_ghost_code.rs" 24 16 24 17] (0 : int32)); [#"../12_ghost_code.rs" 25 12 25 18] r <- Borrow.borrow_mut x; [#"../12_ghost_code.rs" 25 12 25 18] x <- ^ r; assume { resolve0 r }; 
@@ -219,7 +221,7 @@ module C12GhostCode_GhostIsCopy [#"../12_ghost_code.rs" 27 13 27 14] g1 <- ([#"../12_ghost_code.rs" 27 13 27 14] g); [#"../12_ghost_code.rs" 28 13 28 14] g2 <- ([#"../12_ghost_code.rs" 28 13 28 14] g); assert { [@expl:assertion] [#"../12_ghost_code.rs" 29 18 29 26] g1 = g2 }; - [#"../12_ghost_code.rs" 23 23 30 1] _0 <- ([#"../12_ghost_code.rs" 23 23 30 1] ()); + [#"../12_ghost_code.rs" 23 23 30 1] _0 <- ([#"../12_ghost_code.rs" 23 23 30 1] [#"../12_ghost_code.rs" 23 23 30 1] ()); return _0 } @@ -285,7 +287,8 @@ module C12GhostCode_GhostCheck requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv4 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -307,7 +310,8 @@ module C12GhostCode_GhostCheck ensures { result = index_logic0 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve1 (index_logic0 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve1 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } @@ -358,7 +362,7 @@ module C12GhostCode_GhostCheck goto BB0 } BB0 { - [#"../12_ghost_code.rs" 36 16 36 26] x <- ([#"../12_ghost_code.rs" 36 16 36 26] new0 ()); + [#"../12_ghost_code.rs" 36 16 36 26] x <- ([#"../12_ghost_code.rs" 36 16 36 26] new0 ([#"../12_ghost_code.rs" 36 16 36 26] ())); goto BB1 } BB1 { @@ -368,7 +372,7 @@ module C12GhostCode_GhostCheck BB2 { [#"../12_ghost_code.rs" 41 4 41 5] _5 <- Borrow.borrow_mut x; [#"../12_ghost_code.rs" 41 4 41 5] x <- ^ _5; - [#"../12_ghost_code.rs" 41 4 41 13] _4 <- ([#"../12_ghost_code.rs" 41 4 41 13] push0 _5 (0 : int32)); + [#"../12_ghost_code.rs" 41 4 41 13] _4 <- ([#"../12_ghost_code.rs" 41 4 41 13] push0 _5 ([#"../12_ghost_code.rs" 41 11 41 12] (0 : int32))); _5 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); goto BB3 } @@ -378,7 +382,7 @@ module C12GhostCode_GhostCheck } BB4 { assume { resolve0 x }; - [#"../12_ghost_code.rs" 43 12 43 24] _7 <- ([#"../12_ghost_code.rs" 43 12 43 24] _8 = (1 : usize)); + [#"../12_ghost_code.rs" 43 12 43 24] _7 <- ([#"../12_ghost_code.rs" 43 12 43 24] _8 = ([#"../12_ghost_code.rs" 43 23 43 24] (1 : usize))); _8 <- any usize; switch (_7) | False -> goto BB6 
@@ -386,7 +390,7 @@ module C12GhostCode_GhostCheck end } BB5 { - [#"../12_ghost_code.rs" 35 21 44 1] _0 <- ([#"../12_ghost_code.rs" 35 21 44 1] ()); + [#"../12_ghost_code.rs" 35 21 44 1] _0 <- ([#"../12_ghost_code.rs" 35 21 44 1] [#"../12_ghost_code.rs" 35 21 44 1] ()); goto BB7 } BB6 { @@ -451,7 +455,7 @@ module C12GhostCode_TakesStruct BB1 { [#"../12_ghost_code.rs" 53 4 53 27] x <- (let C12GhostCode_MyStruct_Type.C_MyStruct x0 x1 = x in C12GhostCode_MyStruct_Type.C_MyStruct x0 ([#"../12_ghost_code.rs" 53 4 53 27] _3)); _3 <- any Snapshot.snap_ty uint32; - [#"../12_ghost_code.rs" 52 37 54 1] _0 <- ([#"../12_ghost_code.rs" 52 37 54 1] ()); + [#"../12_ghost_code.rs" 52 37 54 1] _0 <- ([#"../12_ghost_code.rs" 52 37 54 1] [#"../12_ghost_code.rs" 52 37 54 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/syntax/13_vec_macro.mlcfg b/creusot/tests/should_succeed/syntax/13_vec_macro.mlcfg index d3c48b6e7b..64ea1e72d9 100644 --- a/creusot/tests/should_succeed/syntax/13_vec_macro.mlcfg +++ b/creusot/tests/should_succeed/syntax/13_vec_macro.mlcfg 
@@ -95,7 +95,8 @@ module C13VecMacro_X requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv4 (shallow_model1 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -133,7 +134,8 @@ module C13VecMacro_X requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -146,7 +148,8 @@ module C13VecMacro_X requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : slice int32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv4 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model4 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : slice int32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv4 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model4 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) function shallow_model3 (self : slice int32) : Seq.seq int32 = [#"../../../../../creusot-contracts/src/std/boxed.rs" 20 8 20 31] shallow_model4 self val shallow_model3 (self : slice int32) : Seq.seq int32 
@@ -171,14 +174,16 @@ module C13VecMacro_X ensures { result = index_logic1 self ix } predicate resolve1 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) -> resolve3 (index_logic1 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) + -> resolve3 (index_logic1 self i) val resolve1 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve1 self } val from_elem0 (elem : int32) (n : usize) : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) requires {inv2 elem} ensures { [#"../../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model1 result) = UIntSize.to_int n } - ensures { [#"../../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic1 result i = elem } + ensures { [#"../../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic1 result i = elem } ensures { inv3 result } predicate resolve2 (self : uint32) = @@ -195,7 +200,8 @@ module C13VecMacro_X ensures { result = index_logic0 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve2 (index_logic0 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve2 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } 
@@ -214,7 +220,7 @@ module C13VecMacro_X goto BB0 } BB0 { - [#"../13_vec_macro.rs" 6 23 6 29] v0 <- ([#"../13_vec_macro.rs" 6 23 6 29] new0 ()); + [#"../13_vec_macro.rs" 6 23 6 29] v0 <- ([#"../13_vec_macro.rs" 6 23 6 29] new0 ([#"../../../../../creusot-contracts/src/lib.rs" 290 8 290 30] ())); goto BB1 } BB1 { @@ -223,7 +229,7 @@ module C13VecMacro_X goto BB2 } BB2 { - [#"../13_vec_macro.rs" 9 13 9 23] v1 <- ([#"../13_vec_macro.rs" 9 13 9 23] from_elem0 (0 : int32) (2 : usize)); + [#"../13_vec_macro.rs" 9 13 9 23] v1 <- ([#"../13_vec_macro.rs" 9 13 9 23] from_elem0 ([#"../13_vec_macro.rs" 9 18 9 19] (0 : int32)) ([#"../13_vec_macro.rs" 9 21 9 22] (2 : usize))); goto BB3 } BB3 { @@ -232,7 +238,7 @@ module C13VecMacro_X goto BB4 } BB4 { - [#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] _10 <- ([#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = (1 : int32)}; assume {Seq.get (__arr_temp.elts) 1 = (2 : int32)}; assume {Seq.get (__arr_temp.elts) 2 = (3 : int32)}; assume {Slice.length __arr_temp = 3}; __arr_temp); + [#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] _10 <- ([#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = ([#"../13_vec_macro.rs" 12 18 12 19] (1 : int32))}; assume {Seq.get (__arr_temp.elts) 1 = ([#"../13_vec_macro.rs" 12 21 12 22] (2 : int32))}; assume {Seq.get (__arr_temp.elts) 2 = ([#"../13_vec_macro.rs" 12 24 12 25] (3 : int32))}; assume {Slice.length __arr_temp = 3}; __arr_temp); goto BB5 } BB5 { @@ -249,7 +255,7 @@ module C13VecMacro_X goto BB8 } BB8 { - [#"../13_vec_macro.rs" 5 11 14 1] _0 <- ([#"../13_vec_macro.rs" 5 11 14 1] ()); + [#"../13_vec_macro.rs" 5 11 14 1] _0 <- ([#"../13_vec_macro.rs" 5 11 14 1] [#"../13_vec_macro.rs" 5 11 14 1] ()); goto BB9 } BB9 { 
diff --git a/creusot/tests/should_succeed/syntax/14_const_fns.mlcfg b/creusot/tests/should_succeed/syntax/14_const_fns.mlcfg index cf4c6cc585..4090c4ffdd 100644 --- a/creusot/tests/should_succeed/syntax/14_const_fns.mlcfg +++ b/creusot/tests/should_succeed/syntax/14_const_fns.mlcfg @@ -13,7 +13,7 @@ module C14ConstFns_Omg goto BB0 } BB0 { - [#"../14_const_fns.rs" 6 4 6 9] _0 <- ([#"../14_const_fns.rs" 6 4 6 9] x - (1 : int32)); + [#"../14_const_fns.rs" 6 4 6 9] _0 <- ([#"../14_const_fns.rs" 6 4 6 9] x - ([#"../14_const_fns.rs" 6 8 6 9] (1 : int32))); return _0 } diff --git a/creusot/tests/should_succeed/syntax/derive_macros.mlcfg b/creusot/tests/should_succeed/syntax/derive_macros.mlcfg index 48f558447b..6719efb634 100644 --- a/creusot/tests/should_succeed/syntax/derive_macros.mlcfg +++ b/creusot/tests/should_succeed/syntax/derive_macros.mlcfg @@ -270,7 +270,7 @@ module DeriveMacros_Impl3_Eq assume { resolve1 rhs }; assert { [@expl:type invariant] inv1 self }; assume { resolve1 self }; - [#"../derive_macros.rs" 10 4 11 8] _0 <- ([#"../derive_macros.rs" 10 4 11 8] false); + [#"../derive_macros.rs" 10 4 11 8] _0 <- ([#"../derive_macros.rs" 10 4 11 8] [#"../derive_macros.rs" 10 4 11 8] false); goto BB5 } BB4 { @@ -628,7 +628,7 @@ module DeriveMacros_Impl5_Eq BB3 { assert { [@expl:type invariant] inv1 _4 }; assume { resolve1 _4 }; - [#"../derive_macros.rs" 28 16 28 25] _0 <- ([#"../derive_macros.rs" 28 16 28 25] false); + [#"../derive_macros.rs" 28 16 28 25] _0 <- ([#"../derive_macros.rs" 28 16 28 25] [#"../derive_macros.rs" 28 16 28 25] false); goto BB16 } BB4 { 
@@ -659,11 +659,11 @@ module DeriveMacros_Impl5_Eq end } BB8 { - [#"../derive_macros.rs" 28 16 28 25] _0 <- ([#"../derive_macros.rs" 28 16 28 25] true); + [#"../derive_macros.rs" 28 16 28 25] _0 <- ([#"../derive_macros.rs" 28 16 28 25] [#"../derive_macros.rs" 28 16 28 25] true); goto BB10 } BB9 { - [#"../derive_macros.rs" 28 16 28 25] _0 <- ([#"../derive_macros.rs" 28 16 28 25] false); + [#"../derive_macros.rs" 28 16 28 25] _0 <- ([#"../derive_macros.rs" 28 16 28 25] [#"../derive_macros.rs" 28 16 28 25] false); goto BB10 } BB10 { @@ -688,11 +688,11 @@ module DeriveMacros_Impl5_Eq end } BB13 { - [#"../derive_macros.rs" 28 16 28 25] _0 <- ([#"../derive_macros.rs" 28 16 28 25] true); + [#"../derive_macros.rs" 28 16 28 25] _0 <- ([#"../derive_macros.rs" 28 16 28 25] [#"../derive_macros.rs" 28 16 28 25] true); goto BB15 } BB14 { - [#"../derive_macros.rs" 28 16 28 25] _0 <- ([#"../derive_macros.rs" 28 16 28 25] false); + [#"../derive_macros.rs" 28 16 28 25] _0 <- ([#"../derive_macros.rs" 28 16 28 25] [#"../derive_macros.rs" 28 16 28 25] false); goto BB15 } BB15 { @@ -839,7 +839,9 @@ module DeriveMacros_Impl2 axiom inv0 : forall x : DeriveMacros_Product_Type.t_product a b . inv0 x = true use prelude.Borrow - goal clone'_refn : [#"../derive_macros.rs" 8 9 8 14] forall self : DeriveMacros_Product_Type.t_product a b . inv0 self -> inv0 self /\ (forall result : DeriveMacros_Product_Type.t_product a b . inv1 result /\ result = self -> inv1 result /\ result = self) + goal clone'_refn : [#"../derive_macros.rs" 8 9 8 14] forall self : DeriveMacros_Product_Type.t_product a b . inv0 self + -> inv0 self /\ (forall result : DeriveMacros_Product_Type.t_product a b . inv1 result /\ result = self + -> inv1 result /\ result = self) end module DeriveMacros_Impl4 type a 
@@ -864,7 +866,9 @@ module DeriveMacros_Impl4 axiom inv0 : forall x : DeriveMacros_Sum_Type.t_sum a b . inv0 x = true use prelude.Borrow - goal clone'_refn : [#"../derive_macros.rs" 28 9 28 14] forall self : DeriveMacros_Sum_Type.t_sum a b . inv0 self -> inv0 self /\ (forall result : DeriveMacros_Sum_Type.t_sum a b . inv1 result /\ result = self -> inv1 result /\ result = self) + goal clone'_refn : [#"../derive_macros.rs" 28 9 28 14] forall self : DeriveMacros_Sum_Type.t_sum a b . inv0 self + -> inv0 self /\ (forall result : DeriveMacros_Sum_Type.t_sum a b . inv1 result /\ result = self + -> inv1 result /\ result = self) end module DeriveMacros_Impl3 type a @@ -904,7 +908,9 @@ module DeriveMacros_Impl3 val deep_model0 (self : DeriveMacros_Product_Type.t_product a b) : DeriveMacros_Product_Type.t_product deep_model_ty0 deep_model_ty1 ensures { result = deep_model0 self } - goal eq_refn : [#"../derive_macros.rs" 8 16 8 25] forall self : DeriveMacros_Product_Type.t_product a b . forall other : DeriveMacros_Product_Type.t_product a b . inv0 other /\ inv0 self -> inv0 other /\ inv0 self /\ (forall result : bool . result = (deep_model0 self = deep_model0 other) -> result = (deep_model0 self = deep_model0 other)) + goal eq_refn : [#"../derive_macros.rs" 8 16 8 25] forall self : DeriveMacros_Product_Type.t_product a b . forall other : DeriveMacros_Product_Type.t_product a b . inv0 other /\ inv0 self + -> inv0 other /\ inv0 self /\ (forall result : bool . result = (deep_model0 self = deep_model0 other) + -> result = (deep_model0 self = deep_model0 other)) end module DeriveMacros_Impl5 type a 
@@ -947,7 +953,9 @@ module DeriveMacros_Impl5 val deep_model0 (self : DeriveMacros_Sum_Type.t_sum a b) : DeriveMacros_Sum_Type.t_sum deep_model_ty0 deep_model_ty1 ensures { result = deep_model0 self } - goal eq_refn : [#"../derive_macros.rs" 28 16 28 25] forall self : DeriveMacros_Sum_Type.t_sum a b . forall other : DeriveMacros_Sum_Type.t_sum a b . inv0 other /\ inv0 self -> inv0 other /\ inv0 self /\ (forall result : bool . result = (deep_model0 self = deep_model0 other) -> result = (deep_model0 self = deep_model0 other)) + goal eq_refn : [#"../derive_macros.rs" 28 16 28 25] forall self : DeriveMacros_Sum_Type.t_sum a b . forall other : DeriveMacros_Sum_Type.t_sum a b . inv0 other /\ inv0 self + -> inv0 other /\ inv0 self /\ (forall result : bool . result = (deep_model0 self = deep_model0 other) + -> result = (deep_model0 self = deep_model0 other)) end module DeriveMacros_Impl0 type a diff --git a/creusot/tests/should_succeed/take_first_mut.mlcfg b/creusot/tests/should_succeed/take_first_mut.mlcfg index 8c80823cf2..9fbf1b24c7 100644 --- a/creusot/tests/should_succeed/take_first_mut.mlcfg +++ b/creusot/tests/should_succeed/take_first_mut.mlcfg 
@@ -107,7 +107,8 @@ module TakeFirstMut_TakeFirstMut requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv1 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv1 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv7 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model0 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv1 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv7 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model0 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) use seq.Seq function index_logic0 [@inline:trivial] (self : slice t) (ix : int) : t = [#"../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model0 self) ix diff --git a/creusot/tests/should_succeed/trait.mlcfg b/creusot/tests/should_succeed/trait.mlcfg index 37b9f6d5b8..b091b2062b 100644 --- a/creusot/tests/should_succeed/trait.mlcfg +++ b/creusot/tests/should_succeed/trait.mlcfg @@ -26,7 +26,7 @@ module Trait_UsesCustom goto BB0 } BB0 { - [#"../trait.rs" 9 55 9 57] _0 <- ([#"../trait.rs" 9 55 9 57] ()); + [#"../trait.rs" 9 55 9 57] _0 <- ([#"../trait.rs" 9 55 9 57] [#"../trait.rs" 9 55 9 57] ()); assert { [@expl:type invariant] inv0 _t }; assume { resolve0 _t }; goto BB1 
@@ -63,7 +63,7 @@ module Trait_UsesCustom2 goto BB0 } BB0 { - [#"../trait.rs" 13 62 13 64] _0 <- ([#"../trait.rs" 13 62 13 64] ()); + [#"../trait.rs" 13 62 13 64] _0 <- ([#"../trait.rs" 13 62 13 64] [#"../trait.rs" 13 62 13 64] ()); assert { [@expl:type invariant] inv0 _t }; assume { resolve0 _t }; goto BB1 diff --git a/creusot/tests/should_succeed/trait_impl.mlcfg b/creusot/tests/should_succeed/trait_impl.mlcfg index 72dd32901b..6da53136a4 100644 --- a/creusot/tests/should_succeed/trait_impl.mlcfg +++ b/creusot/tests/should_succeed/trait_impl.mlcfg @@ -35,7 +35,7 @@ module TraitImpl_Impl0_X goto BB0 } BB0 { - [#"../trait_impl.rs" 25 15 25 17] _0 <- ([#"../trait_impl.rs" 25 15 25 17] ()); + [#"../trait_impl.rs" 25 15 25 17] _0 <- ([#"../trait_impl.rs" 25 15 25 17] [#"../trait_impl.rs" 25 15 25 17] ()); assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; goto BB1 @@ -56,7 +56,7 @@ module TraitImpl_Impl1_X goto BB0 } BB0 { - [#"../trait_impl.rs" 29 15 29 17] _0 <- ([#"../trait_impl.rs" 29 15 29 17] ()); + [#"../trait_impl.rs" 29 15 29 17] _0 <- ([#"../trait_impl.rs" 29 15 29 17] [#"../trait_impl.rs" 29 15 29 17] ()); return _0 } @@ -74,7 +74,7 @@ module TraitImpl_Impl0 ensures { result = inv0 _x } axiom inv0 : forall x : (t1, t2) . inv0 x = true - goal x_refn : [#"../trait_impl.rs" 25 4 25 14] forall self : (t1, t2) . inv0 self -> inv0 self + goal x_refn : [#"../trait_impl.rs" 25 4 25 14] forall self : (t1, t2) . inv0 self -> inv0 self end module TraitImpl_Impl1 type b diff --git a/creusot/tests/should_succeed/traits/03.mlcfg b/creusot/tests/should_succeed/traits/03.mlcfg index 76415daf96..427b3d0584 100644 --- a/creusot/tests/should_succeed/traits/03.mlcfg +++ b/creusot/tests/should_succeed/traits/03.mlcfg @@ -10,7 +10,7 @@ module C03_Impl0_F goto BB0 } BB0 { - [#"../03.rs" 10 8 10 9] _0 <- ([#"../03.rs" 10 8 10 9] (0 : int32)); + [#"../03.rs" 10 8 10 9] _0 <- ([#"../03.rs" 10 8 10 9] [#"../03.rs" 10 8 10 9] (0 : int32)); return _0 } 
@@ -26,7 +26,7 @@ module C03_Impl1_G goto BB0 } BB0 { - [#"../03.rs" 21 8 21 9] _0 <- ([#"../03.rs" 21 8 21 9] (1 : uint32)); + [#"../03.rs" 21 8 21 9] _0 <- ([#"../03.rs" 21 8 21 9] [#"../03.rs" 21 8 21 9] (1 : uint32)); return _0 } @@ -89,7 +89,7 @@ module C03_Impl0 axiom inv0 : forall x : int32 . inv0 x = true use prelude.Int use prelude.Borrow - goal f_refn : [#"../03.rs" 9 4 9 23] forall self : int32 . inv0 self -> (forall result : int32 . inv1 result) + goal f_refn : [#"../03.rs" 9 4 9 23] forall self : int32 . inv0 self -> (forall result : int32 . inv1 result) end module C03_Impl1 use prelude.UInt32 @@ -115,7 +115,8 @@ module C03_Impl1 axiom inv0 : forall x : uint32 . inv0 x = true use prelude.Int use prelude.Borrow - goal g_refn : [#"../03.rs" 20 4 20 23] forall self : uint32 . inv0 self -> (forall result : uint32 . inv1 result /\ result = result) + goal g_refn : [#"../03.rs" 20 4 20 23] forall self : uint32 . inv0 self + -> (forall result : uint32 . inv1 result /\ result = result) end module C03_Impl2 type g @@ -129,5 +130,6 @@ module C03_Impl2 axiom inv0 : forall x : g . inv0 x = true use prelude.Borrow - goal h_refn : [#"../03.rs" 30 4 30 24] forall x : g . inv0 x -> inv0 x /\ (forall result : g . inv0 result -> inv0 result) + goal h_refn : [#"../03.rs" 30 4 30 24] forall x : g . inv0 x + -> inv0 x /\ (forall result : g . inv0 result -> inv0 result) end diff --git a/creusot/tests/should_succeed/traits/04.mlcfg b/creusot/tests/should_succeed/traits/04.mlcfg index f29b5ed62e..12f055d489 100644 --- a/creusot/tests/should_succeed/traits/04.mlcfg +++ b/creusot/tests/should_succeed/traits/04.mlcfg @@ -84,7 +84,7 @@ module C04_User goto BB7 } BB7 { - [#"../04.rs" 13 4 13 42] _0 <- ([#"../04.rs" 13 4 13 42] false); + [#"../04.rs" 13 4 13 42] _0 <- ([#"../04.rs" 13 4 13 42] [#"../04.rs" 13 4 13 42] false); goto BB9 } BB8 { diff --git a/creusot/tests/should_succeed/traits/06.mlcfg b/creusot/tests/should_succeed/traits/06.mlcfg index e1f7551ba1..592474a80b 100644 
--- a/creusot/tests/should_succeed/traits/06.mlcfg +++ b/creusot/tests/should_succeed/traits/06.mlcfg @@ -44,7 +44,7 @@ module C06_Test BB0 { assert { [@expl:type invariant] inv0 a }; assume { resolve0 a }; - [#"../06.rs" 13 4 13 11] _0 <- ([#"../06.rs" 13 4 13 11] ix0 a (0 : usize)); + [#"../06.rs" 13 4 13 11] _0 <- ([#"../06.rs" 13 4 13 11] ix0 a ([#"../06.rs" 13 9 13 10] (0 : usize))); goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/traits/07.mlcfg b/creusot/tests/should_succeed/traits/07.mlcfg index 5b1ef00955..000a84b85f 100644 --- a/creusot/tests/should_succeed/traits/07.mlcfg +++ b/creusot/tests/should_succeed/traits/07.mlcfg @@ -29,7 +29,7 @@ module C07_Test goto BB0 } BB0 { - [#"../07.rs" 17 4 17 8] _0 <- ([#"../07.rs" 17 4 17 8] true); + [#"../07.rs" 17 4 17 8] _0 <- ([#"../07.rs" 17 4 17 8] [#"../07.rs" 17 4 17 8] true); return _0 } @@ -79,5 +79,5 @@ module C07_Impl0 axiom inv0 : forall x : int32 . inv0 x = true use prelude.Int use prelude.Borrow - goal ix_refn : [#"../07.rs" 11 4 11 36] forall self : int32 . inv0 self -> (forall result : () . inv1 result) + goal ix_refn : [#"../07.rs" 11 4 11 36] forall self : int32 . inv0 self -> (forall result : () . inv1 result) end diff --git a/creusot/tests/should_succeed/traits/08.mlcfg b/creusot/tests/should_succeed/traits/08.mlcfg index fb7f9560b3..55c34ef5bc 100644 --- a/creusot/tests/should_succeed/traits/08.mlcfg +++ b/creusot/tests/should_succeed/traits/08.mlcfg @@ -25,7 +25,7 @@ module C08_Tr_Program goto BB0 } BB0 { - [#"../08.rs" 12 22 12 24] _0 <- ([#"../08.rs" 12 22 12 24] ()); + [#"../08.rs" 12 22 12 24] _0 <- ([#"../08.rs" 12 22 12 24] [#"../08.rs" 12 22 12 24] ()); assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; return _0 
@@ -57,7 +57,7 @@ module C08_Test goto BB0 } BB0 { - [#"../08.rs" 15 25 15 27] _0 <- ([#"../08.rs" 15 25 15 27] ()); + [#"../08.rs" 15 25 15 27] _0 <- ([#"../08.rs" 15 25 15 27] [#"../08.rs" 15 25 15 27] ()); assert { [@expl:type invariant] inv0 _1 }; assume { resolve0 _1 }; goto BB1 diff --git a/creusot/tests/should_succeed/traits/09.mlcfg b/creusot/tests/should_succeed/traits/09.mlcfg index df092dc7c1..88df5428a8 100644 --- a/creusot/tests/should_succeed/traits/09.mlcfg +++ b/creusot/tests/should_succeed/traits/09.mlcfg @@ -11,7 +11,7 @@ module C09_Test goto BB0 } BB0 { - [#"../09.rs" 8 4 8 9] _0 <- ([#"../09.rs" 8 4 8 9] t + (0 : uint32)); + [#"../09.rs" 8 4 8 9] _0 <- ([#"../09.rs" 8 4 8 9] t + ([#"../09.rs" 8 8 8 9] (0 : uint32))); return _0 } diff --git a/creusot/tests/should_succeed/traits/11.mlcfg b/creusot/tests/should_succeed/traits/11.mlcfg index 70fb6a02cf..4f7deb31f0 100644 --- a/creusot/tests/should_succeed/traits/11.mlcfg +++ b/creusot/tests/should_succeed/traits/11.mlcfg @@ -24,7 +24,7 @@ module C11_Test goto BB0 } BB0 { - [#"../11.rs" 18 24 18 26] _0 <- ([#"../11.rs" 18 24 18 26] ()); + [#"../11.rs" 18 24 18 26] _0 <- ([#"../11.rs" 18 24 18 26] [#"../11.rs" 18 24 18 26] ()); assert { [@expl:type invariant] inv0 _1 }; assume { resolve0 _1 }; goto BB1 diff --git a/creusot/tests/should_succeed/traits/12_default_method.mlcfg b/creusot/tests/should_succeed/traits/12_default_method.mlcfg index d57d1dff80..a13d16aa60 100644 --- a/creusot/tests/should_succeed/traits/12_default_method.mlcfg +++ b/creusot/tests/should_succeed/traits/12_default_method.mlcfg @@ -27,7 +27,7 @@ module C12DefaultMethod_T_Default goto BB0 } BB0 { - [#"../12_default_method.rs" 7 8 7 9] _0 <- ([#"../12_default_method.rs" 7 8 7 9] (0 : uint32)); + [#"../12_default_method.rs" 7 8 7 9] _0 <- ([#"../12_default_method.rs" 7 8 7 9] [#"../12_default_method.rs" 7 8 7 9] (0 : uint32)); assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; return _0 
@@ -71,7 +71,7 @@ module C12DefaultMethod_ShouldUseImpl goto BB1 } BB1 { - [#"../12_default_method.rs" 20 31 22 1] _0 <- ([#"../12_default_method.rs" 20 31 22 1] ()); + [#"../12_default_method.rs" 20 31 22 1] _0 <- ([#"../12_default_method.rs" 20 31 22 1] [#"../12_default_method.rs" 20 31 22 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/traits/13_assoc_types.mlcfg b/creusot/tests/should_succeed/traits/13_assoc_types.mlcfg index 93b5b4cce1..cf4ce49501 100644 --- a/creusot/tests/should_succeed/traits/13_assoc_types.mlcfg +++ b/creusot/tests/should_succeed/traits/13_assoc_types.mlcfg @@ -68,5 +68,6 @@ module C13AssocTypes_Impl0 axiom inv0 : forall x : t . inv0 x = true use prelude.Borrow - goal model_refn : [#"../13_assoc_types.rs" 13 4 13 35] forall self : t . inv0 self -> inv0 self /\ (forall result : model_ty0 . inv1 result -> inv1 result) + goal model_refn : [#"../13_assoc_types.rs" 13 4 13 35] forall self : t . inv0 self + -> inv0 self /\ (forall result : model_ty0 . inv1 result -> inv1 result) end diff --git a/creusot/tests/should_succeed/traits/15_impl_interfaces.mlcfg b/creusot/tests/should_succeed/traits/15_impl_interfaces.mlcfg index caff2ea273..8cc5a1ce08 100644 --- a/creusot/tests/should_succeed/traits/15_impl_interfaces.mlcfg +++ b/creusot/tests/should_succeed/traits/15_impl_interfaces.mlcfg @@ -13,7 +13,7 @@ module C15ImplInterfaces_Calls goto BB0 } BB0 { - [#"../15_impl_interfaces.rs" 23 37 23 39] _0 <- ([#"../15_impl_interfaces.rs" 23 37 23 39] ()); + [#"../15_impl_interfaces.rs" 23 37 23 39] _0 <- ([#"../15_impl_interfaces.rs" 23 37 23 39] [#"../15_impl_interfaces.rs" 23 37 23 39] ()); return _0 } diff --git a/creusot/tests/should_succeed/traits/16_impl_cloning.mlcfg b/creusot/tests/should_succeed/traits/16_impl_cloning.mlcfg index 8a88e4f01e..2bd5179205 100644 --- a/creusot/tests/should_succeed/traits/16_impl_cloning.mlcfg +++ b/creusot/tests/should_succeed/traits/16_impl_cloning.mlcfg 
@@ -86,7 +86,7 @@ module C16ImplCloning_Test BB0 { assert { [@expl:type invariant] inv0 x }; assume { resolve0 x }; - [#"../16_impl_cloning.rs" 17 31 17 33] _0 <- ([#"../16_impl_cloning.rs" 17 31 17 33] ()); + [#"../16_impl_cloning.rs" 17 31 17 33] _0 <- ([#"../16_impl_cloning.rs" 17 31 17 33] [#"../16_impl_cloning.rs" 17 31 17 33] ()); return _0 } diff --git a/creusot/tests/should_succeed/traits/18_trait_laws.mlcfg b/creusot/tests/should_succeed/traits/18_trait_laws.mlcfg index 91d0278ed4..34e8b7e21e 100644 --- a/creusot/tests/should_succeed/traits/18_trait_laws.mlcfg +++ b/creusot/tests/should_succeed/traits/18_trait_laws.mlcfg @@ -15,7 +15,8 @@ module C18TraitLaws_UsesOp_Impl requires {[#"../18_trait_laws.rs" 10 26 10 27] inv0 b} ensures { result = reflexive0 a b } - axiom reflexive0_spec : forall a : t, b : t . ([#"../18_trait_laws.rs" 10 17 10 18] inv0 a) -> ([#"../18_trait_laws.rs" 10 26 10 27] inv0 b) -> ([#"../18_trait_laws.rs" 9 14 9 32] op0 a b = op0 b a) + axiom reflexive0_spec : forall a : t, b : t . ([#"../18_trait_laws.rs" 10 17 10 18] inv0 a) + -> ([#"../18_trait_laws.rs" 10 26 10 27] inv0 b) -> ([#"../18_trait_laws.rs" 9 14 9 32] op0 a b = op0 b a) predicate invariant0 (self : t) val invariant0 (self : t) : bool ensures { result = invariant0 self } @@ -24,7 +25,9 @@ module C18TraitLaws_UsesOp_Impl constant x : t constant y : t function uses_op [#"../18_trait_laws.rs" 16 0 16 48] (x : t) (y : t) : bool - goal vc_uses_op : ([#"../18_trait_laws.rs" 16 35 16 36] inv0 y) -> ([#"../18_trait_laws.rs" 16 29 16 30] inv0 x) -> ([#"../18_trait_laws.rs" 15 10 15 24] (op0 x y = op0 y x) = true) + goal vc_uses_op : ([#"../18_trait_laws.rs" 16 35 16 36] inv0 y) + -> ([#"../18_trait_laws.rs" 16 29 16 30] inv0 x) + -> ([#"../18_trait_laws.rs" 15 10 15 24] (op0 x y = op0 y x) = true) end module C18TraitLaws_Impl0_Reflexive_Impl function op0 [#"../18_trait_laws.rs" 23 4 23 32] (self : ()) (_2 : ()) : () = 
@@ -69,5 +72,6 @@ module C18TraitLaws_Impl0 val op0 [#"../18_trait_laws.rs" 23 4 23 32] (self : ()) (_2 : ()) : () ensures { result = op0 self _2 } - goal reflexive_refn : [#"../18_trait_laws.rs" 30 4 30 34] forall a : () . forall b : () . inv0 b /\ inv0 a -> (forall result : () . op0 a b = op0 b a -> op0 a b = op0 b a) + goal reflexive_refn : [#"../18_trait_laws.rs" 30 4 30 34] forall a : () . forall b : () . inv0 b /\ inv0 a + -> (forall result : () . op0 a b = op0 b a -> op0 a b = op0 b a) end diff --git a/creusot/tests/should_succeed/two_modules.mlcfg b/creusot/tests/should_succeed/two_modules.mlcfg index 3852cf68b6..b77eccb7c5 100644 --- a/creusot/tests/should_succeed/two_modules.mlcfg +++ b/creusot/tests/should_succeed/two_modules.mlcfg @@ -16,7 +16,7 @@ module TwoModules_Mod2_X goto BB0 } BB0 { - [#"../two_modules.rs" 16 8 16 12] _0 <- ([#"../two_modules.rs" 16 8 16 12] true); + [#"../two_modules.rs" 16 8 16 12] _0 <- ([#"../two_modules.rs" 16 8 16 12] [#"../two_modules.rs" 16 8 16 12] true); return _0 } @@ -39,7 +39,7 @@ module TwoModules_F goto BB1 } BB1 { - [#"../two_modules.rs" 22 11 24 1] _0 <- ([#"../two_modules.rs" 22 11 24 1] ()); + [#"../two_modules.rs" 22 11 24 1] _0 <- ([#"../two_modules.rs" 22 11 24 1] [#"../two_modules.rs" 22 11 24 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/type_constructors.mlcfg b/creusot/tests/should_succeed/type_constructors.mlcfg index 7951a68f35..103bc9b952 100644 --- a/creusot/tests/should_succeed/type_constructors.mlcfg +++ b/creusot/tests/should_succeed/type_constructors.mlcfg @@ -17,7 +17,7 @@ module TypeConstructors_F } BB0 { [#"../type_constructors.rs" 18 17 18 24] _3 <- ([#"../type_constructors.rs" 18 17 18 24] TypeConstructors_B_X_Type.C_B); - [#"../type_constructors.rs" 16 11 19 1] _0 <- ([#"../type_constructors.rs" 16 11 19 1] ()); + [#"../type_constructors.rs" 16 11 19 1] _0 <- ([#"../type_constructors.rs" 16 11 19 1] [#"../type_constructors.rs" 16 11 19 1] ()); return _0 } 
diff --git a/creusot/tests/should_succeed/type_invariants/borrows.mlcfg b/creusot/tests/should_succeed/type_invariants/borrows.mlcfg index 71892e8b47..2707ed6d8c 100644 --- a/creusot/tests/should_succeed/type_invariants/borrows.mlcfg +++ b/creusot/tests/should_succeed/type_invariants/borrows.mlcfg @@ -139,9 +139,9 @@ module Borrows_Inc goto BB0 } BB0 { - [#"../borrows.rs" 102 4 102 11] x <- { x with current = ([#"../borrows.rs" 102 4 102 11] * x + (1 : int32)) ; }; + [#"../borrows.rs" 102 4 102 11] x <- { x with current = ([#"../borrows.rs" 102 4 102 11] * x + ([#"../borrows.rs" 102 10 102 11] (1 : int32))) ; }; assume { resolve0 x }; - [#"../borrows.rs" 101 24 103 1] _0 <- ([#"../borrows.rs" 101 24 103 1] ()); + [#"../borrows.rs" 101 24 103 1] _0 <- ([#"../borrows.rs" 101 24 103 1] [#"../borrows.rs" 101 24 103 1] ()); return _0 } @@ -223,7 +223,7 @@ module Borrows_Simple assume { resolve0 _6 }; assert { [@expl:type invariant] inv0 x }; assume { resolve1 x }; - [#"../borrows.rs" 31 31 34 1] _0 <- ([#"../borrows.rs" 31 31 34 1] ()); + [#"../borrows.rs" 31 31 34 1] _0 <- ([#"../borrows.rs" 31 31 34 1] [#"../borrows.rs" 31 31 34 1] ()); return _0 } @@ -317,7 +317,7 @@ module Borrows_Hard assume { resolve0 _6 }; assert { [@expl:type invariant] inv1 x }; assume { resolve1 x }; - [#"../borrows.rs" 38 29 41 1] _0 <- ([#"../borrows.rs" 38 29 41 1] ()); + [#"../borrows.rs" 38 29 41 1] _0 <- ([#"../borrows.rs" 38 29 41 1] [#"../borrows.rs" 38 29 41 1] ()); return _0 } 
@@ -407,7 +407,7 @@ module Borrows_Tuple goto BB0 } BB0 { - [#"../borrows.rs" 46 4 46 14] x <- (let (x0, x1) = x in ((let Borrows_NonZero_Type.C_NonZero x0 = let (a, _) = x in a in Borrows_NonZero_Type.C_NonZero ([#"../borrows.rs" 46 4 46 14] (0 : int32))), x1)); + [#"../borrows.rs" 46 4 46 14] x <- (let (x0, x1) = x in ((let Borrows_NonZero_Type.C_NonZero x0 = let (a, _) = x in a in Borrows_NonZero_Type.C_NonZero ([#"../borrows.rs" 46 4 46 14] [#"../borrows.rs" 46 13 46 14] (0 : int32))), x1)); [#"../borrows.rs" 47 8 47 19] _6 <- Borrow.borrow_final (Borrows_NonZero_Type.nonzero_0 ( * (let (_, a) = x in a))) (Borrow.inherit_id (Borrow.get_id (let (_, a) = x in a)) 1); [#"../borrows.rs" 47 8 47 19] x <- (let (x0, x1) = x in (x0, { (let (_, a) = x in a) with current = (let Borrows_NonZero_Type.C_NonZero x0 = * (let (_, a) = x in a) in Borrows_NonZero_Type.C_NonZero ( ^ _6)) ; })); [#"../borrows.rs" 47 8 47 19] _5 <- Borrow.borrow_final ( * _6) (Borrow.get_id _6); @@ -420,7 +420,7 @@ module Borrows_Tuple assume { resolve0 _6 }; assert { [@expl:type invariant] inv0 x }; assume { resolve1 x }; - [#"../borrows.rs" 45 45 49 1] _0 <- ([#"../borrows.rs" 45 45 49 1] ()); + [#"../borrows.rs" 45 45 49 1] _0 <- ([#"../borrows.rs" 45 45 49 1] [#"../borrows.rs" 45 45 49 1] ()); return _0 } @@ -525,8 +525,8 @@ module Borrows_PartialMove assume { resolve0 _7 }; assert { [@expl:type invariant] inv0 x }; assume { resolve1 x }; - [#"../borrows.rs" 56 4 56 11] a <- (let Borrows_NonZero_Type.C_NonZero x0 = a in Borrows_NonZero_Type.C_NonZero ([#"../borrows.rs" 56 4 56 11] (0 : int32))); - [#"../borrows.rs" 53 48 57 1] _0 <- ([#"../borrows.rs" 53 48 57 1] ()); + [#"../borrows.rs" 56 4 56 11] a <- (let Borrows_NonZero_Type.C_NonZero x0 = a in Borrows_NonZero_Type.C_NonZero ([#"../borrows.rs" 56 4 56 11] [#"../borrows.rs" 56 10 56 11] (0 : int32))); + [#"../borrows.rs" 53 48 57 1] _0 <- ([#"../borrows.rs" 53 48 57 1] [#"../borrows.rs" 53 48 57 1] ()); return _0 } 
@@ -624,7 +624,7 @@ module Borrows_Destruct x <- (let (x0, x1) = x in (x0, any borrowed (Borrows_NonZero_Type.t_nonzero))); assert { [@expl:type invariant] inv0 x }; assume { resolve0 x }; - [#"../borrows.rs" 63 4 63 11] a <- (let Borrows_NonZero_Type.C_NonZero x0 = a in Borrows_NonZero_Type.C_NonZero ([#"../borrows.rs" 63 4 63 11] (0 : int32))); + [#"../borrows.rs" 63 4 63 11] a <- (let Borrows_NonZero_Type.C_NonZero x0 = a in Borrows_NonZero_Type.C_NonZero ([#"../borrows.rs" 63 4 63 11] [#"../borrows.rs" 63 10 63 11] (0 : int32))); [#"../borrows.rs" 64 8 64 16] _8 <- Borrow.borrow_final (Borrows_NonZero_Type.nonzero_0 ( * b)) (Borrow.inherit_id (Borrow.get_id b) 1); [#"../borrows.rs" 64 8 64 16] b <- { b with current = (let Borrows_NonZero_Type.C_NonZero x0 = * b in Borrows_NonZero_Type.C_NonZero ( ^ _8)) ; }; [#"../borrows.rs" 64 8 64 16] _7 <- Borrow.borrow_final ( * _8) (Borrow.get_id _8); @@ -637,7 +637,7 @@ module Borrows_Destruct assume { resolve1 _8 }; assert { [@expl:type invariant] inv1 b }; assume { resolve2 b }; - [#"../borrows.rs" 61 44 65 1] _0 <- ([#"../borrows.rs" 61 44 65 1] ()); + [#"../borrows.rs" 61 44 65 1] _0 <- ([#"../borrows.rs" 61 44 65 1] [#"../borrows.rs" 61 44 65 1] ()); return _0 } @@ -729,7 +729,7 @@ module Borrows_FrozenDead } BB1 { assume { resolve1 _a }; - [#"../borrows.rs" 69 67 76 1] _0 <- ([#"../borrows.rs" 69 67 76 1] ()); + [#"../borrows.rs" 69 67 76 1] _0 <- ([#"../borrows.rs" 69 67 76 1] [#"../borrows.rs" 69 67 76 1] ()); assert { [@expl:type invariant] inv1 y }; assume { resolve0 y }; return _0 
@@ -780,9 +780,9 @@ module Borrows_Dec goto BB0 } BB0 { - [#"../borrows.rs" 108 4 108 11] x <- { x with current = ([#"../borrows.rs" 108 4 108 11] * x - (1 : int32)) ; }; + [#"../borrows.rs" 108 4 108 11] x <- { x with current = ([#"../borrows.rs" 108 4 108 11] * x - ([#"../borrows.rs" 108 10 108 11] (1 : int32))) ; }; assume { resolve0 x }; - [#"../borrows.rs" 107 24 109 1] _0 <- ([#"../borrows.rs" 107 24 109 1] ()); + [#"../borrows.rs" 107 24 109 1] _0 <- ([#"../borrows.rs" 107 24 109 1] [#"../borrows.rs" 107 24 109 1] ()); return _0 } @@ -882,7 +882,7 @@ module Borrows_Impl3_Foo assume { resolve0 _8 }; assert { [@expl:type invariant] inv0 self }; assume { resolve1 self }; - [#"../borrows.rs" 93 26 96 5] _0 <- ([#"../borrows.rs" 93 26 96 5] ()); + [#"../borrows.rs" 93 26 96 5] _0 <- ([#"../borrows.rs" 93 26 96 5] [#"../borrows.rs" 93 26 96 5] ()); return _0 } diff --git a/creusot/tests/should_succeed/type_invariants/generated.mlcfg b/creusot/tests/should_succeed/type_invariants/generated.mlcfg index 679f36dda7..efc20b1f50 100644 --- a/creusot/tests/should_succeed/type_invariants/generated.mlcfg +++ b/creusot/tests/should_succeed/type_invariants/generated.mlcfg @@ -113,7 +113,7 @@ module Generated_UseFoo } BB0 { assert { [@expl:assertion] [#"../generated.rs" 20 18 20 35] inv0 x }; - [#"../generated.rs" 19 62 21 1] _0 <- ([#"../generated.rs" 19 62 21 1] ()); + [#"../generated.rs" 19 62 21 1] _0 <- ([#"../generated.rs" 19 62 21 1] [#"../generated.rs" 19 62 21 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/type_invariants/non_zero.mlcfg b/creusot/tests/should_succeed/type_invariants/non_zero.mlcfg index bfb1259191..85f7281307 100644 --- a/creusot/tests/should_succeed/type_invariants/non_zero.mlcfg +++ b/creusot/tests/should_succeed/type_invariants/non_zero.mlcfg 
@@ -112,7 +112,11 @@ module NonZero_Impl1_SubPreTrans_Impl constant c : NonZero_NonZeroU32_Type.t_nonzerou32 function sub_pre_trans [#"../non_zero.rs" 36 4 36 51] (a : NonZero_NonZeroU32_Type.t_nonzerou32) (b : NonZero_NonZeroU32_Type.t_nonzerou32) (c : NonZero_NonZeroU32_Type.t_nonzerou32) : () - goal vc_sub_pre_trans : ([#"../non_zero.rs" 36 43 36 44] inv0 c) -> ([#"../non_zero.rs" 36 34 36 35] inv0 b) -> ([#"../non_zero.rs" 36 25 36 26] inv0 a) -> ([#"../non_zero.rs" 34 15 34 27] sub_pre0 b c) -> ([#"../non_zero.rs" 33 15 33 27] sub_pre0 a b) -> ([#"../non_zero.rs" 35 14 35 26] sub_pre0 a c) + goal vc_sub_pre_trans : ([#"../non_zero.rs" 36 43 36 44] inv0 c) + -> ([#"../non_zero.rs" 36 34 36 35] inv0 b) + -> ([#"../non_zero.rs" 36 25 36 26] inv0 a) + -> ([#"../non_zero.rs" 34 15 34 27] sub_pre0 b c) + -> ([#"../non_zero.rs" 33 15 33 27] sub_pre0 a b) -> ([#"../non_zero.rs" 35 14 35 26] sub_pre0 a c) end module NonZero_Impl1_Sub use prelude.Int diff --git a/creusot/tests/should_succeed/type_invariants/quant.mlcfg b/creusot/tests/should_succeed/type_invariants/quant.mlcfg index faae2505c8..6ca7198898 100644 --- a/creusot/tests/should_succeed/type_invariants/quant.mlcfg +++ b/creusot/tests/should_succeed/type_invariants/quant.mlcfg @@ -20,7 +20,8 @@ module Quant_Forall_Impl end) constant _1 : () function forall' [#"../quant.rs" 17 0 17 15] (_1 : ()) : () - goal vc_forall' : [#"../quant.rs" 16 0 16 50] forall x : Quant_WithInvariant_Type.t_withinvariant . inv0 x -> invariant0 x + goal vc_forall' : [#"../quant.rs" 16 0 16 50] forall x : Quant_WithInvariant_Type.t_withinvariant . inv0 x + -> invariant0 x end module Quant_Exists_Impl use Quant_WithInvariant_Type as Quant_WithInvariant_Type diff --git a/creusot/tests/should_succeed/type_invariants/vec_inv.mlcfg b/creusot/tests/should_succeed/type_invariants/vec_inv.mlcfg index e6c042a10c..21135df73a 100644 --- a/creusot/tests/should_succeed/type_invariants/vec_inv.mlcfg 
+++ b/creusot/tests/should_succeed/type_invariants/vec_inv.mlcfg @@ -108,7 +108,8 @@ module VecInv_Vec requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : slice (borrowed (VecInv_SumTo10_Type.t_sumto10)) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv1 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model3 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : slice (borrowed (VecInv_SumTo10_Type.t_sumto10)) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv1 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model3 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) function index_logic2 [@inline:trivial] (self : slice (borrowed (VecInv_SumTo10_Type.t_sumto10))) (ix : int) : borrowed (VecInv_SumTo10_Type.t_sumto10) = 
@@ -122,7 +123,8 @@ module VecInv_Vec ensures { result = slice_len0 x } use prelude.UInt64 - axiom inv3 : forall x : slice (borrowed (VecInv_SumTo10_Type.t_sumto10)) . inv3 x = (forall i : uint64 . 0 <= i -> i < slice_len0 x -> inv4 (index_logic2 x i)) + axiom inv3 : forall x : slice (borrowed (VecInv_SumTo10_Type.t_sumto10)) . inv3 x = (forall i : uint64 . 0 <= i + -> i < slice_len0 x -> inv4 (index_logic2 x i)) use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Alloc_RawVec_RawVec_Type as Alloc_RawVec_RawVec_Type predicate invariant2 (self : Alloc_RawVec_RawVec_Type.t_rawvec (borrowed (VecInv_SumTo10_Type.t_sumto10)) (Alloc_Alloc_Global_Type.t_global)) @@ -138,7 +140,8 @@ module VecInv_Vec ensures { result = inv2 _x } axiom inv2 : forall x : Alloc_RawVec_RawVec_Type.t_rawvec (borrowed (VecInv_SumTo10_Type.t_sumto10)) (Alloc_Alloc_Global_Type.t_global) . inv2 x = true - axiom inv1 : forall x : Seq.seq (borrowed (VecInv_SumTo10_Type.t_sumto10)) . inv1 x = (forall i : int . 0 <= i -> i < Seq.length x -> inv4 (Seq.get x i)) + axiom inv1 : forall x : Seq.seq (borrowed (VecInv_SumTo10_Type.t_sumto10)) . inv1 x = (forall i : int . 0 <= i + -> i < Seq.length x -> inv4 (Seq.get x i)) use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type predicate inv0 (_x : Alloc_Vec_Vec_Type.t_vec (borrowed (VecInv_SumTo10_Type.t_sumto10)) (Alloc_Alloc_Global_Type.t_global)) 
@@ -151,7 +154,8 @@ module VecInv_Vec requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (borrowed (VecInv_SumTo10_Type.t_sumto10)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (borrowed (VecInv_SumTo10_Type.t_sumto10)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec (borrowed (VecInv_SumTo10_Type.t_sumto10)) (Alloc_Alloc_Global_Type.t_global)) = @@ -177,7 +181,8 @@ module VecInv_Vec predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec (borrowed (VecInv_SumTo10_Type.t_sumto10)) (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) -> resolve1 (index_logic0 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) + -> resolve1 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec (borrowed (VecInv_SumTo10_Type.t_sumto10)) (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } 
@@ -201,7 +206,7 @@ module VecInv_Vec goto BB2 } BB2 { - [#"../vec_inv.rs" 18 33 20 1] _0 <- ([#"../vec_inv.rs" 18 33 20 1] ()); + [#"../vec_inv.rs" 18 33 20 1] _0 <- ([#"../vec_inv.rs" 18 33 20 1] [#"../vec_inv.rs" 18 33 20 1] ()); goto BB3 } BB3 { diff --git a/creusot/tests/should_succeed/unused_in_loop.mlcfg b/creusot/tests/should_succeed/unused_in_loop.mlcfg index c8e939e91a..f1fca52781 100644 --- a/creusot/tests/should_succeed/unused_in_loop.mlcfg +++ b/creusot/tests/should_succeed/unused_in_loop.mlcfg @@ -13,7 +13,7 @@ module UnusedInLoop_UnusedInLoop goto BB0 } BB0 { - [#"../unused_in_loop.rs" 6 12 6 14] x <- ([#"../unused_in_loop.rs" 6 12 6 14] (10 : uint32)); + [#"../unused_in_loop.rs" 6 12 6 14] x <- ([#"../unused_in_loop.rs" 6 12 6 14] [#"../unused_in_loop.rs" 6 12 6 14] (10 : uint32)); goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/vecdeque.mlcfg b/creusot/tests/should_succeed/vecdeque.mlcfg index 8405ef2b9c..8885afa9d3 100644 --- a/creusot/tests/should_succeed/vecdeque.mlcfg +++ b/creusot/tests/should_succeed/vecdeque.mlcfg 
@@ -140,7 +140,8 @@ module Vecdeque_TestDeque requires {[#"../../../../creusot-contracts/src/std/deque.rs" 12 21 12 25] inv5 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Collections_VecDeque_VecDeque_Type.t_vecdeque uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/deque.rs" 12 21 12 25] inv5 self) -> ([#"../../../../creusot-contracts/src/std/deque.rs" 12 4 12 36] inv6 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/deque.rs" 11 14 11 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Collections_VecDeque_VecDeque_Type.t_vecdeque uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/deque.rs" 12 21 12 25] inv5 self) + -> ([#"../../../../creusot-contracts/src/std/deque.rs" 12 4 12 36] inv6 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/deque.rs" 11 14 11 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) val clear0 (self : borrowed (Alloc_Collections_VecDeque_VecDeque_Type.t_vecdeque uint32 (Alloc_Alloc_Global_Type.t_global))) : () requires {inv1 self} ensures { [#"../../../../creusot-contracts/src/std/deque.rs" 71 26 71 45] Seq.length (shallow_model0 ( ^ self)) = 0 } 
@@ -231,10 +232,10 @@ module Vecdeque_TestDeque let constant promoted0 [#"../vecdeque.rs" 5 0 5 19] : Core_Option_Option_Type.t_option uint32 = [@vc:do_not_keep_trace] [@vc:sp] - let _1 = [#"../vecdeque.rs" 24 32 24 39] Core_Option_Option_Type.C_Some (3 : uint32) in let _0 = [#"../vecdeque.rs" 24 32 24 39] _1 in _0 + let _1 = [#"../vecdeque.rs" 24 32 24 39] Core_Option_Option_Type.C_Some ([#"../vecdeque.rs" 24 37 24 38] (3 : uint32)) in let _0 = [#"../vecdeque.rs" 24 32 24 39] _1 in _0 let constant promoted1 [#"../vecdeque.rs" 5 0 5 19] : Core_Option_Option_Type.t_option uint32 = [@vc:do_not_keep_trace] [@vc:sp] - let _1 = [#"../vecdeque.rs" 23 33 23 40] Core_Option_Option_Type.C_Some (2 : uint32) in let _0 = [#"../vecdeque.rs" 23 33 23 40] _1 in _0 + let _1 = [#"../vecdeque.rs" 23 33 23 40] Core_Option_Option_Type.C_Some ([#"../vecdeque.rs" 23 38 23 39] (2 : uint32)) in let _0 = [#"../vecdeque.rs" 23 33 23 40] _1 in _0 let constant promoted2 [#"../vecdeque.rs" 5 0 5 19] : Core_Option_Option_Type.t_option uint32 = [@vc:do_not_keep_trace] [@vc:sp] let _1 = [#"../vecdeque.rs" 17 32 17 36] Core_Option_Option_Type.C_None in let _0 = [#"../vecdeque.rs" 17 32 17 36] _1 in _0 @@ -281,7 +282,7 @@ module Vecdeque_TestDeque goto BB0 } BB0 { - [#"../vecdeque.rs" 6 31 6 57] deque <- ([#"../vecdeque.rs" 6 31 6 57] with_capacity0 (5 : usize)); + [#"../vecdeque.rs" 6 31 6 57] deque <- ([#"../vecdeque.rs" 6 31 6 57] with_capacity0 ([#"../vecdeque.rs" 6 55 6 56] (5 : usize))); goto BB1 } BB1 { @@ -303,7 +304,7 @@ module Vecdeque_TestDeque absurd } BB5 { - [#"../vecdeque.rs" 9 12 9 28] _7 <- ([#"../vecdeque.rs" 9 12 9 28] _8 = (0 : usize)); + [#"../vecdeque.rs" 9 12 9 28] _7 <- ([#"../vecdeque.rs" 9 12 9 28] _8 = ([#"../vecdeque.rs" 9 27 9 28] (0 : usize))); _8 <- any usize; switch (_7) | False -> goto BB7 
@@ -311,7 +312,7 @@ module Vecdeque_TestDeque end } BB6 { - [#"../vecdeque.rs" 11 35 11 50] deque1 <- ([#"../vecdeque.rs" 11 35 11 50] new0 ()); + [#"../vecdeque.rs" 11 35 11 50] deque1 <- ([#"../vecdeque.rs" 11 35 11 50] new0 ([#"../vecdeque.rs" 11 35 11 50] ())); goto BB8 } BB7 { @@ -337,7 +338,7 @@ module Vecdeque_TestDeque absurd } BB12 { - [#"../vecdeque.rs" 14 12 14 28] _17 <- ([#"../vecdeque.rs" 14 12 14 28] _18 = (0 : usize)); + [#"../vecdeque.rs" 14 12 14 28] _17 <- ([#"../vecdeque.rs" 14 12 14 28] _18 = ([#"../vecdeque.rs" 14 27 14 28] (0 : usize))); _18 <- any usize; switch (_17) | False -> goto BB14 @@ -356,7 +357,7 @@ module Vecdeque_TestDeque absurd } BB15 { - [#"../vecdeque.rs" 16 33 16 37] _68 <- ([#"../vecdeque.rs" 16 33 16 37] promoted3); + [#"../vecdeque.rs" 16 33 16 37] _68 <- ([#"../vecdeque.rs" 16 33 16 37] [#"../vecdeque.rs" 16 33 16 37] promoted3); [#"../vecdeque.rs" 16 12 16 37] _22 <- ([#"../vecdeque.rs" 16 12 16 37] eq0 _24 _68); goto BB16 } @@ -378,7 +379,7 @@ module Vecdeque_TestDeque absurd } BB19 { - [#"../vecdeque.rs" 17 32 17 36] _67 <- ([#"../vecdeque.rs" 17 32 17 36] promoted2); + [#"../vecdeque.rs" 17 32 17 36] _67 <- ([#"../vecdeque.rs" 17 32 17 36] [#"../vecdeque.rs" 17 32 17 36] promoted2); [#"../vecdeque.rs" 17 12 17 36] _30 <- ([#"../vecdeque.rs" 17 12 17 36] eq0 _32 _67); goto BB20 } @@ -391,7 +392,7 @@ module Vecdeque_TestDeque BB21 { [#"../vecdeque.rs" 19 4 19 9] _38 <- Borrow.borrow_mut deque1; [#"../vecdeque.rs" 19 4 19 9] deque1 <- ^ _38; - [#"../vecdeque.rs" 19 4 19 23] _37 <- ([#"../vecdeque.rs" 19 4 19 23] push_front0 _38 (1 : uint32)); + [#"../vecdeque.rs" 19 4 19 23] _37 <- ([#"../vecdeque.rs" 19 4 19 23] push_front0 _38 ([#"../vecdeque.rs" 19 21 19 22] (1 : uint32))); _38 <- any borrowed (Alloc_Collections_VecDeque_VecDeque_Type.t_vecdeque uint32 (Alloc_Alloc_Global_Type.t_global)); goto BB23 } 
@@ -402,14 +403,14 @@ module Vecdeque_TestDeque BB23 { [#"../vecdeque.rs" 20 4 20 9] _40 <- Borrow.borrow_mut deque1; [#"../vecdeque.rs" 20 4 20 9] deque1 <- ^ _40; - [#"../vecdeque.rs" 20 4 20 23] _39 <- ([#"../vecdeque.rs" 20 4 20 23] push_front0 _40 (2 : uint32)); + [#"../vecdeque.rs" 20 4 20 23] _39 <- ([#"../vecdeque.rs" 20 4 20 23] push_front0 _40 ([#"../vecdeque.rs" 20 21 20 22] (2 : uint32))); _40 <- any borrowed (Alloc_Collections_VecDeque_VecDeque_Type.t_vecdeque uint32 (Alloc_Alloc_Global_Type.t_global)); goto BB24 } BB24 { [#"../vecdeque.rs" 21 4 21 9] _42 <- Borrow.borrow_mut deque1; [#"../vecdeque.rs" 21 4 21 9] deque1 <- ^ _42; - [#"../vecdeque.rs" 21 4 21 22] _41 <- ([#"../vecdeque.rs" 21 4 21 22] push_back0 _42 (3 : uint32)); + [#"../vecdeque.rs" 21 4 21 22] _41 <- ([#"../vecdeque.rs" 21 4 21 22] push_back0 _42 ([#"../vecdeque.rs" 21 20 21 21] (3 : uint32))); _42 <- any borrowed (Alloc_Collections_VecDeque_VecDeque_Type.t_vecdeque uint32 (Alloc_Alloc_Global_Type.t_global)); goto BB25 } @@ -421,7 +422,7 @@ module Vecdeque_TestDeque goto BB26 } BB26 { - [#"../vecdeque.rs" 23 33 23 40] _66 <- ([#"../vecdeque.rs" 23 33 23 40] promoted1); + [#"../vecdeque.rs" 23 33 23 40] _66 <- ([#"../vecdeque.rs" 23 33 23 40] [#"../vecdeque.rs" 23 33 23 40] promoted1); [#"../vecdeque.rs" 23 12 23 40] _44 <- ([#"../vecdeque.rs" 23 12 23 40] eq0 _46 _66); goto BB27 } @@ -443,7 +444,7 @@ module Vecdeque_TestDeque absurd } BB30 { - [#"../vecdeque.rs" 24 32 24 39] _65 <- ([#"../vecdeque.rs" 24 32 24 39] promoted0); + [#"../vecdeque.rs" 24 32 24 39] _65 <- ([#"../vecdeque.rs" 24 32 24 39] [#"../vecdeque.rs" 24 32 24 39] promoted0); [#"../vecdeque.rs" 24 12 24 39] _52 <- ([#"../vecdeque.rs" 24 12 24 39] eq0 _54 _65); goto BB31 } 
@@ -475,7 +476,7 @@ module Vecdeque_TestDeque end } BB36 { - [#"../vecdeque.rs" 5 20 27 1] _0 <- ([#"../vecdeque.rs" 5 20 27 1] ()); + [#"../vecdeque.rs" 5 20 27 1] _0 <- ([#"../vecdeque.rs" 5 20 27 1] [#"../vecdeque.rs" 5 20 27 1] ()); goto BB38 } BB37 { diff --git a/creusot/tests/should_succeed/vector/01.mlcfg b/creusot/tests/should_succeed/vector/01.mlcfg index 3a44f0ec81..ff4cafa265 100644 --- a/creusot/tests/should_succeed/vector/01.mlcfg +++ b/creusot/tests/should_succeed/vector/01.mlcfg @@ -102,7 +102,8 @@ module C01_AllZero requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant7 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv8 (shallow_model2 self) val invariant7 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -188,7 +189,9 @@ module C01_AllZero predicate produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces0 self visited o } 
@@ -204,14 +207,22 @@ module C01_AllZero requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv9 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv9 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv9 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv9 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : Core_Ops_Range_Range_Type.t_range usize) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant0 (self : Core_Ops_Range_Range_Type.t_range usize) : bool 
@@ -232,7 +243,8 @@ module C01_AllZero use prelude.Slice use seq.Seq predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq uint32) (fin : Seq.seq uint32) = - [#"../../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq uint32) (fin : Seq.seq uint32) : bool ensures { result = resolve_elswhere0 self old' fin } @@ -338,7 +350,8 @@ module C01_AllZero use prelude.Snapshot let rec cfg all_zero [#"../01.rs" 7 0 7 33] [@cfg:stackify] [@cfg:subregion_analysis] (v : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))) : () - ensures { [#"../01.rs" 5 0 5 73] forall i : int . 0 <= i /\ i < Seq.length (shallow_model2 ( ^ v)) -> index_logic0 ( ^ v) i = (0 : uint32) } + ensures { [#"../01.rs" 5 0 5 73] forall i : int . 0 <= i /\ i < Seq.length (shallow_model2 ( ^ v)) + -> index_logic0 ( ^ v) i = (0 : uint32) } ensures { [#"../01.rs" 6 10 6 33] Seq.length (shallow_model0 v) = Seq.length (shallow_model2 ( ^ v)) } = [@vc:do_not_keep_trace] [@vc:sp] @@ -370,7 +383,7 @@ module C01_AllZero goto BB2 } BB2 { - [#"../01.rs" 11 13 11 23] _7 <- ([#"../01.rs" 11 13 11 23] Core_Ops_Range_Range_Type.C_Range (0 : usize) _8); + [#"../01.rs" 11 13 11 23] _7 <- ([#"../01.rs" 11 13 11 23] Core_Ops_Range_Range_Type.C_Range ([#"../01.rs" 11 13 11 14] (0 : usize)) _8); _8 <- any usize; [#"../01.rs" 9 4 9 42] iter <- ([#"../01.rs" 9 4 9 42] into_iter0 _7); _7 <- any Core_Ops_Range_Range_Type.t_range usize; 
@@ -391,7 +404,8 @@ module C01_AllZero invariant { [#"../01.rs" 9 4 9 42] inv0 iter }; invariant { [#"../01.rs" 9 4 9 42] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; invariant { [#"../01.rs" 9 16 9 40] Seq.length (shallow_model0 v) = Seq.length (shallow_model1 old_v) }; - invariant { [#"../01.rs" 9 4 9 42] forall j : int . 0 <= j /\ j < Seq.length (Snapshot.inner produced) -> index_logic0 ( * v) j = (0 : uint32) }; + invariant { [#"../01.rs" 9 4 9 42] forall j : int . 0 <= j /\ j < Seq.length (Snapshot.inner produced) + -> index_logic0 ( * v) j = (0 : uint32) }; goto BB7 } BB7 { @@ -412,7 +426,7 @@ module C01_AllZero } BB9 { assume { resolve2 v }; - [#"../01.rs" 9 4 9 42] _0 <- ([#"../01.rs" 9 4 9 42] ()); + [#"../01.rs" 9 4 9 42] _0 <- ([#"../01.rs" 9 4 9 42] [#"../01.rs" 9 4 9 42] ()); return _0 } BB10 { @@ -439,7 +453,7 @@ module C01_AllZero goto BB14 } BB14 { - [#"../01.rs" 12 8 12 16] _27 <- { _27 with current = ([#"../01.rs" 12 8 12 16] (0 : uint32)) ; }; + [#"../01.rs" 12 8 12 16] _27 <- { _27 with current = ([#"../01.rs" 12 8 12 16] [#"../01.rs" 12 15 12 16] (0 : uint32)) ; }; assume { resolve1 _27 }; goto BB6 } diff --git a/creusot/tests/should_succeed/vector/02_gnome.mlcfg b/creusot/tests/should_succeed/vector/02_gnome.mlcfg index 1070d41b2e..d8a3aa84c7 100644 --- a/creusot/tests/should_succeed/vector/02_gnome.mlcfg +++ b/creusot/tests/should_succeed/vector/02_gnome.mlcfg 
@@ -109,7 +109,9 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv10 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv10 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -117,7 +119,10 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv10 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv10 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -125,7 +130,10 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv10 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv10 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -136,13 +144,19 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv10 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv10 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv10 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv10 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -153,7 +167,9 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv10 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv10 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -164,7 +180,9 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv10 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv10 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -175,7 +193,9 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv10 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv10 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -186,7 +206,9 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv10 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv10 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use prelude.Slice use prelude.Borrow predicate invariant5 (self : borrowed (slice t)) 
@@ -221,7 +243,8 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv9 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv9 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv9 (shallow_model3 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool @@ -259,7 +282,8 @@ module C02Gnome_GnomeSort axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true use seq.Seq predicate sorted_range0 [#"../02_gnome.rs" 9 0 9 63] (s : Seq.seq deep_model_ty0) (l : int) (u : int) = - [#"../02_gnome.rs" 10 4 12 5] forall j : int . forall i : int . l <= i /\ i < j /\ j < u -> le_log0 (Seq.get s i) (Seq.get s j) + [#"../02_gnome.rs" 10 4 12 5] forall j : int . forall i : int . l <= i /\ i < j /\ j < u + -> le_log0 (Seq.get s i) (Seq.get s j) val sorted_range0 [#"../02_gnome.rs" 9 0 9 63] (s : Seq.seq deep_model_ty0) (l : int) (u : int) : bool ensures { result = sorted_range0 s l u } 
@@ -286,7 +310,9 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv3 self} ensures { result = deep_model1 self } - axiom deep_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv8 (deep_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) -> Seq.get (deep_model1 self) i = deep_model3 (index_logic1 self i)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model3 self) = Seq.length (deep_model1 self)) + axiom deep_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv8 (deep_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) + -> Seq.get (deep_model1 self) i = deep_model3 (index_logic1 self i)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model3 self) = Seq.length (deep_model1 self)) predicate resolve3 (self : borrowed (slice t)) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve3 (self : borrowed (slice t)) : bool 
@@ -299,7 +325,8 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model7 self } - axiom shallow_model7_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv9 (shallow_model7 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model7 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) + axiom shallow_model7_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv9 (shallow_model7 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model7 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) function shallow_model6 (self : borrowed (slice t)) : Seq.seq t = [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model7 ( * self) val shallow_model6 (self : borrowed (slice t)) : Seq.seq t @@ -435,7 +462,7 @@ module C02Gnome_GnomeSort BB1 { assert { [@expl:type invariant] inv0 old_v }; assume { resolve0 old_v }; - [#"../02_gnome.rs" 27 16 27 17] i <- ([#"../02_gnome.rs" 27 16 27 17] (0 : usize)); + [#"../02_gnome.rs" 27 16 27 17] i <- ([#"../02_gnome.rs" 27 16 27 17] [#"../02_gnome.rs" 27 16 27 17] (0 : usize)); goto BB2 } BB2 { 
@@ -456,7 +483,7 @@ module C02Gnome_GnomeSort end } BB5 { - [#"../02_gnome.rs" 31 11 31 17] _14 <- ([#"../02_gnome.rs" 31 11 31 17] i = (0 : usize)); + [#"../02_gnome.rs" 31 11 31 17] _14 <- ([#"../02_gnome.rs" 31 11 31 17] i = ([#"../02_gnome.rs" 31 16 31 17] (0 : usize))); switch (_14) | False -> goto BB7 | True -> goto BB6 @@ -466,7 +493,7 @@ module C02Gnome_GnomeSort goto BB11 } BB7 { - [#"../02_gnome.rs" 31 23 31 28] _20 <- ([#"../02_gnome.rs" 31 23 31 28] i - (1 : usize)); + [#"../02_gnome.rs" 31 23 31 28] _20 <- ([#"../02_gnome.rs" 31 23 31 28] i - ([#"../02_gnome.rs" 31 27 31 28] (1 : usize))); [#"../02_gnome.rs" 31 22 31 29] _18 <- ([#"../02_gnome.rs" 31 22 31 29] index0 ( * v) _20); _20 <- any usize; goto BB8 @@ -493,8 +520,8 @@ module C02Gnome_GnomeSort end } BB11 { - [#"../02_gnome.rs" 32 12 32 18] i <- ([#"../02_gnome.rs" 32 12 32 18] i + (1 : usize)); - [#"../02_gnome.rs" 31 40 33 9] _9 <- ([#"../02_gnome.rs" 31 40 33 9] ()); + [#"../02_gnome.rs" 32 12 32 18] i <- ([#"../02_gnome.rs" 32 12 32 18] i + ([#"../02_gnome.rs" 32 17 32 18] (1 : usize))); + [#"../02_gnome.rs" 31 40 33 9] _9 <- ([#"../02_gnome.rs" 31 40 33 9] [#"../02_gnome.rs" 31 40 33 9] ()); goto BB15 } BB12 { @@ -509,7 +536,7 @@ module C02Gnome_GnomeSort [#"../02_gnome.rs" 34 12 34 13] _28 <- Borrow.borrow_final ( * _29) (Borrow.get_id _29); [#"../02_gnome.rs" 34 12 34 13] _29 <- { _29 with current = ( ^ _28) ; }; assume { inv4 ( ^ _28) }; - [#"../02_gnome.rs" 34 19 34 24] _31 <- ([#"../02_gnome.rs" 34 19 34 24] i - (1 : usize)); + [#"../02_gnome.rs" 34 19 34 24] _31 <- ([#"../02_gnome.rs" 34 19 34 24] i - ([#"../02_gnome.rs" 34 23 34 24] (1 : usize))); [#"../02_gnome.rs" 34 12 34 28] _27 <- ([#"../02_gnome.rs" 34 12 34 28] swap0 _28 _31 i); _28 <- any borrowed (slice t); _31 <- any usize; 
@@ -518,8 +545,8 @@ module C02Gnome_GnomeSort BB14 { assert { [@expl:type invariant] inv5 _29 }; assume { resolve3 _29 }; - [#"../02_gnome.rs" 35 12 35 18] i <- ([#"../02_gnome.rs" 35 12 35 18] i - (1 : usize)); - [#"../02_gnome.rs" 33 15 36 9] _9 <- ([#"../02_gnome.rs" 33 15 36 9] ()); + [#"../02_gnome.rs" 35 12 35 18] i <- ([#"../02_gnome.rs" 35 12 35 18] i - ([#"../02_gnome.rs" 35 17 35 18] (1 : usize))); + [#"../02_gnome.rs" 33 15 36 9] _9 <- ([#"../02_gnome.rs" 33 15 36 9] [#"../02_gnome.rs" 33 15 36 9] ()); goto BB15 } BB15 { @@ -528,7 +555,7 @@ module C02Gnome_GnomeSort BB16 { assert { [@expl:type invariant] inv1 v }; assume { resolve1 v }; - [#"../02_gnome.rs" 30 4 37 5] _0 <- ([#"../02_gnome.rs" 30 4 37 5] ()); + [#"../02_gnome.rs" 30 4 37 5] _0 <- ([#"../02_gnome.rs" 30 4 37 5] [#"../02_gnome.rs" 30 4 37 5] ()); return _0 } diff --git a/creusot/tests/should_succeed/vector/03_knuth_shuffle.mlcfg b/creusot/tests/should_succeed/vector/03_knuth_shuffle.mlcfg index 4ecfba6223..1d32b64cb4 100644 --- a/creusot/tests/should_succeed/vector/03_knuth_shuffle.mlcfg +++ b/creusot/tests/should_succeed/vector/03_knuth_shuffle.mlcfg 
@@ -161,7 +161,8 @@ module C03KnuthShuffle_KnuthShuffle requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv9 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv9 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv9 (shallow_model2 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -184,7 +185,9 @@ module C03KnuthShuffle_KnuthShuffle predicate produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces0 self visited o } 
@@ -200,14 +203,22 @@ module C03KnuthShuffle_KnuthShuffle requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv1 a) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv10 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv1 b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv10 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv1 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv10 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv1 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv10 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant1 (self : Core_Ops_Range_Range_Type.t_range usize) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant1 (self : Core_Ops_Range_Range_Type.t_range usize) : bool 
@@ -242,7 +253,8 @@ module C03KnuthShuffle_KnuthShuffle requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model7 self } - axiom shallow_model7_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv9 (shallow_model7 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model7 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) + axiom shallow_model7_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv9 (shallow_model7 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model7 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) function shallow_model6 (self : borrowed (slice t)) : Seq.seq t = [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model7 ( * self) val shallow_model6 (self : borrowed (slice t)) : Seq.seq t @@ -387,7 +399,7 @@ module C03KnuthShuffle_KnuthShuffle goto BB2 } BB2 { - [#"../03_knuth_shuffle.rs" 17 13 17 23] _6 <- ([#"../03_knuth_shuffle.rs" 17 13 17 23] Core_Ops_Range_Range_Type.C_Range (0 : usize) _7); + [#"../03_knuth_shuffle.rs" 17 13 17 23] _6 <- ([#"../03_knuth_shuffle.rs" 17 13 17 23] Core_Ops_Range_Range_Type.C_Range ([#"../03_knuth_shuffle.rs" 17 13 17 14] (0 : usize)) _7); _7 <- any usize; [#"../03_knuth_shuffle.rs" 16 4 16 43] iter <- ([#"../03_knuth_shuffle.rs" 16 4 16 43] into_iter0 _6); _6 <- any Core_Ops_Range_Range_Type.t_range usize; 
@@ -429,7 +441,7 @@ module C03KnuthShuffle_KnuthShuffle BB9 { assert { [@expl:type invariant] inv5 v }; assume { resolve3 v }; - [#"../03_knuth_shuffle.rs" 16 4 16 43] _0 <- ([#"../03_knuth_shuffle.rs" 16 4 16 43] ()); + [#"../03_knuth_shuffle.rs" 16 4 16 43] _0 <- ([#"../03_knuth_shuffle.rs" 16 4 16 43] [#"../03_knuth_shuffle.rs" 16 4 16 43] ()); return _0 } BB10 { @@ -456,7 +468,7 @@ module C03KnuthShuffle_KnuthShuffle BB14 { [#"../03_knuth_shuffle.rs" 20 20 20 31] upper <- ([#"../03_knuth_shuffle.rs" 20 20 20 31] _26 - n); _26 <- any usize; - [#"../03_knuth_shuffle.rs" 21 16 21 39] i <- ([#"../03_knuth_shuffle.rs" 21 16 21 39] rand_in_range0 (0 : usize) upper); + [#"../03_knuth_shuffle.rs" 21 16 21 39] i <- ([#"../03_knuth_shuffle.rs" 21 16 21 39] rand_in_range0 ([#"../03_knuth_shuffle.rs" 21 30 21 31] (0 : usize)) upper); goto BB15 } BB15 { @@ -471,7 +483,7 @@ module C03KnuthShuffle_KnuthShuffle [#"../03_knuth_shuffle.rs" 22 8 22 9] _32 <- Borrow.borrow_final ( * _33) (Borrow.get_id _33); [#"../03_knuth_shuffle.rs" 22 8 22 9] _33 <- { _33 with current = ( ^ _32) ; }; assume { inv3 ( ^ _32) }; - [#"../03_knuth_shuffle.rs" 22 18 22 27] _36 <- ([#"../03_knuth_shuffle.rs" 22 18 22 27] upper - (1 : usize)); + [#"../03_knuth_shuffle.rs" 22 18 22 27] _36 <- ([#"../03_knuth_shuffle.rs" 22 18 22 27] upper - ([#"../03_knuth_shuffle.rs" 22 26 22 27] (1 : usize))); [#"../03_knuth_shuffle.rs" 22 8 22 28] _31 <- ([#"../03_knuth_shuffle.rs" 22 8 22 28] swap0 _32 i _36); _32 <- any borrowed (slice t); _36 <- any usize; diff --git a/creusot/tests/should_succeed/vector/04_binary_search.mlcfg b/creusot/tests/should_succeed/vector/04_binary_search.mlcfg index 4356c7b205..0a48f487c3 100644 --- a/creusot/tests/should_succeed/vector/04_binary_search.mlcfg +++ b/creusot/tests/should_succeed/vector/04_binary_search.mlcfg 
@@ -74,7 +74,8 @@ module C04BinarySearch_BinarySearch requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv4 (shallow_model2 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool @@ -113,7 +114,8 @@ module C04BinarySearch_BinarySearch axiom inv0 : forall x : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . inv0 x = true use seq.Seq predicate sorted_range0 [#"../04_binary_search.rs" 8 0 8 52] (s : Seq.seq uint32) (l : int) (u : int) = - [#"../04_binary_search.rs" 9 4 11 5] forall j : int . forall i : int . l <= i /\ i < j /\ j < u -> Seq.get s i <= Seq.get s j + [#"../04_binary_search.rs" 9 4 11 5] forall j : int . forall i : int . l <= i /\ i < j /\ j < u + -> Seq.get s i <= Seq.get s j val sorted_range0 [#"../04_binary_search.rs" 8 0 8 52] (s : Seq.seq uint32) (l : int) (u : int) : bool ensures { result = sorted_range0 s l u } 
@@ -161,9 +163,13 @@ module C04BinarySearch_BinarySearch let rec cfg binary_search [#"../04_binary_search.rs" 26 0 26 71] [@cfg:stackify] [@cfg:subregion_analysis] (arr : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) (elem : uint32) : Core_Result_Result_Type.t_result usize usize requires {[#"../04_binary_search.rs" 19 11 19 36] Seq.length (shallow_model1 arr) <= UIntSize.to_int max0} requires {[#"../04_binary_search.rs" 20 11 20 23] sorted0 (shallow_model1 arr)} - ensures { [#"../04_binary_search.rs" 21 0 21 63] forall x : usize . result = Core_Result_Result_Type.C_Ok x -> index_logic0 arr (UIntSize.to_int x) = elem } - ensures { [#"../04_binary_search.rs" 22 0 23 48] forall x : usize . result = Core_Result_Result_Type.C_Err x -> (forall i : usize . i < x -> index_logic0 arr (UIntSize.to_int i) <= elem) } - ensures { [#"../04_binary_search.rs" 24 0 25 65] forall x : usize . result = Core_Result_Result_Type.C_Err x -> (forall i : usize . x < i /\ UIntSize.to_int i < Seq.length (shallow_model1 arr) -> elem < index_logic0 arr (UIntSize.to_int i)) } + ensures { [#"../04_binary_search.rs" 21 0 21 63] forall x : usize . result = Core_Result_Result_Type.C_Ok x + -> index_logic0 arr (UIntSize.to_int x) = elem } + ensures { [#"../04_binary_search.rs" 22 0 23 48] forall x : usize . result = Core_Result_Result_Type.C_Err x + -> (forall i : usize . i < x -> index_logic0 arr (UIntSize.to_int i) <= elem) } + ensures { [#"../04_binary_search.rs" 24 0 25 65] forall x : usize . result = Core_Result_Result_Type.C_Err x + -> (forall i : usize . x < i /\ UIntSize.to_int i < Seq.length (shallow_model1 arr) + -> elem < index_logic0 arr (UIntSize.to_int i)) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : Core_Result_Result_Type.t_result usize usize; 
@@ -193,7 +199,7 @@ module C04BinarySearch_BinarySearch goto BB1 } BB1 { - [#"../04_binary_search.rs" 27 7 27 21] _9 <- ([#"../04_binary_search.rs" 27 7 27 21] _10 = (0 : usize)); + [#"../04_binary_search.rs" 27 7 27 21] _9 <- ([#"../04_binary_search.rs" 27 7 27 21] _10 = ([#"../04_binary_search.rs" 27 20 27 21] (0 : usize))); _10 <- any usize; switch (_9) | False -> goto BB3 @@ -201,7 +207,7 @@ module C04BinarySearch_BinarySearch end } BB2 { - [#"../04_binary_search.rs" 28 15 28 21] _0 <- ([#"../04_binary_search.rs" 28 15 28 21] Core_Result_Result_Type.C_Err (0 : usize)); + [#"../04_binary_search.rs" 28 15 28 21] _0 <- ([#"../04_binary_search.rs" 28 15 28 21] Core_Result_Result_Type.C_Err ([#"../04_binary_search.rs" 28 19 28 20] (0 : usize))); goto BB21 } BB3 { 
@@ -209,29 +215,31 @@ module C04BinarySearch_BinarySearch goto BB4 } BB4 { - [#"../04_binary_search.rs" 31 19 31 20] base <- ([#"../04_binary_search.rs" 31 19 31 20] (0 : usize)); + [#"../04_binary_search.rs" 31 19 31 20] base <- ([#"../04_binary_search.rs" 31 19 31 20] [#"../04_binary_search.rs" 31 19 31 20] (0 : usize)); goto BB5 } BB5 { invariant { [#"../04_binary_search.rs" 33 16 33 56] 0 < UIntSize.to_int size /\ UIntSize.to_int size + UIntSize.to_int base <= Seq.length (shallow_model1 arr) }; - invariant { [#"../04_binary_search.rs" 33 4 33 58] forall i : usize . i < base -> index_logic0 arr (UIntSize.to_int i) <= elem }; - invariant { [#"../04_binary_search.rs" 33 4 33 58] forall i : usize . UIntSize.to_int base + UIntSize.to_int size < UIntSize.to_int i /\ UIntSize.to_int i < Seq.length (shallow_model1 arr) -> elem < index_logic0 arr (UIntSize.to_int i) }; + invariant { [#"../04_binary_search.rs" 33 4 33 58] forall i : usize . i < base + -> index_logic0 arr (UIntSize.to_int i) <= elem }; + invariant { [#"../04_binary_search.rs" 33 4 33 58] forall i : usize . 
UIntSize.to_int base + UIntSize.to_int size < UIntSize.to_int i /\ UIntSize.to_int i < Seq.length (shallow_model1 arr) + -> elem < index_logic0 arr (UIntSize.to_int i) }; goto BB6 } BB6 { - [#"../04_binary_search.rs" 36 10 36 18] _21 <- ([#"../04_binary_search.rs" 36 10 36 18] size > (1 : usize)); + [#"../04_binary_search.rs" 36 10 36 18] _21 <- ([#"../04_binary_search.rs" 36 10 36 18] size > ([#"../04_binary_search.rs" 36 17 36 18] (1 : usize))); switch (_21) | False -> goto BB13 | True -> goto BB7 end } BB7 { - [#"../04_binary_search.rs" 37 19 37 27] _25 <- ([#"../04_binary_search.rs" 37 19 37 27] (2 : usize) = (0 : usize)); + [#"../04_binary_search.rs" 37 19 37 27] _25 <- ([#"../04_binary_search.rs" 37 19 37 27] ([#"../04_binary_search.rs" 37 26 37 27] (2 : usize)) = ([#"../04_binary_search.rs" 37 19 37 27] (0 : usize))); assert { [@expl:division by zero] [#"../04_binary_search.rs" 37 19 37 27] not _25 }; goto BB8 } BB8 { - [#"../04_binary_search.rs" 37 19 37 27] half <- ([#"../04_binary_search.rs" 37 19 37 27] size / (2 : usize)); + [#"../04_binary_search.rs" 37 19 37 27] half <- ([#"../04_binary_search.rs" 37 19 37 27] size / ([#"../04_binary_search.rs" 37 26 37 27] (2 : usize))); [#"../04_binary_search.rs" 38 18 38 29] mid <- ([#"../04_binary_search.rs" 38 18 38 29] base + half); [#"../04_binary_search.rs" 40 21 40 26] _32 <- ([#"../04_binary_search.rs" 40 21 40 26] index0 arr mid); goto BB9 @@ -281,7 +289,7 @@ module C04BinarySearch_BinarySearch end } BB17 { - [#"../04_binary_search.rs" 48 12 48 20] _51 <- ([#"../04_binary_search.rs" 48 12 48 20] base + (1 : usize)); + [#"../04_binary_search.rs" 48 12 48 20] _51 <- ([#"../04_binary_search.rs" 48 12 48 20] base + ([#"../04_binary_search.rs" 48 19 48 20] (1 : usize))); [#"../04_binary_search.rs" 48 8 48 21] _0 <- ([#"../04_binary_search.rs" 48 8 48 21] Core_Result_Result_Type.C_Err _51); _51 <- any usize; goto BB19 
diff --git a/creusot/tests/should_succeed/vector/05_binary_search_generic.mlcfg b/creusot/tests/should_succeed/vector/05_binary_search_generic.mlcfg index 1d05338f16..6ed7c06b37 100644 --- a/creusot/tests/should_succeed/vector/05_binary_search_generic.mlcfg +++ b/creusot/tests/should_succeed/vector/05_binary_search_generic.mlcfg @@ -99,7 +99,8 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv5 (shallow_model2 self) val invariant4 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -154,7 +155,9 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv7 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv7 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv7 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv7 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv7 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -162,7 +165,10 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv7 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv7 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv7 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv7 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv7 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -170,7 +176,10 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv7 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv7 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv7 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv7 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv7 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -181,13 +190,19 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv7 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv7 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv7 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv7 z) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv7 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv7 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv7 z) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv7 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv7 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv7 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -198,7 +213,9 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv7 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv7 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv7 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv7 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv7 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -209,7 +226,9 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv7 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv7 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv7 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv7 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv7 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -220,7 +239,9 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv7 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv7 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv7 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv7 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv7 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -231,11 +252,14 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv7 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv7 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv7 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv7 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv7 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use seq.Seq predicate sorted_range0 [#"../05_binary_search_generic.rs" 9 0 9 63] (s : Seq.seq deep_model_ty0) (l : int) (u : int) = - [#"../05_binary_search_generic.rs" 10 4 12 5] forall j : int . forall i : int . l <= i /\ i <= j /\ j < u -> le_log0 (Seq.get s i) (Seq.get s j) + [#"../05_binary_search_generic.rs" 10 4 12 5] forall j : int . forall i : int . l <= i /\ i <= j /\ j < u + -> le_log0 (Seq.get s i) (Seq.get s j) val sorted_range0 [#"../05_binary_search_generic.rs" 9 0 9 63] (s : Seq.seq deep_model_ty0) (l : int) (u : int) : bool ensures { result = sorted_range0 s l u } 
@@ -314,7 +338,9 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv4 self} ensures { result = deep_model2 self } - axiom deep_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv6 (deep_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model2 self) -> Seq.get (deep_model2 self) i = deep_model1 (index_logic1 self i)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model2 self) = Seq.length (deep_model2 self)) + axiom deep_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv6 (deep_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model2 self) + -> Seq.get (deep_model2 self) i = deep_model1 (index_logic1 self i)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model2 self) = Seq.length (deep_model2 self)) function deep_model0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : Seq.seq deep_model_ty0 = [#"../../../../../creusot-contracts/src/model.rs" 74 8 74 28] deep_model2 self val deep_model0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : Seq.seq deep_model_ty0 
@@ -329,9 +355,13 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../05_binary_search_generic.rs" 21 11 21 35] sorted0 (deep_model0 arr)} requires {[#"../05_binary_search_generic.rs" 27 41 27 44] inv0 arr} requires {[#"../05_binary_search_generic.rs" 27 55 27 59] inv2 elem} - ensures { [#"../05_binary_search_generic.rs" 22 0 22 89] forall x : usize . result = Core_Result_Result_Type.C_Ok x -> Seq.get (deep_model0 arr) (UIntSize.to_int x) = deep_model1 elem } - ensures { [#"../05_binary_search_generic.rs" 23 0 24 74] forall x : usize . result = Core_Result_Result_Type.C_Err x -> (forall i : usize . i < x -> le_log0 (Seq.get (deep_model0 arr) (UIntSize.to_int i)) (deep_model1 elem)) } - ensures { [#"../05_binary_search_generic.rs" 25 0 26 92] forall x : usize . result = Core_Result_Result_Type.C_Err x -> (forall i : usize . x <= i /\ UIntSize.to_int i < Seq.length (shallow_model1 arr) -> lt_log0 (deep_model1 elem) (Seq.get (deep_model0 arr) (UIntSize.to_int i))) } + ensures { [#"../05_binary_search_generic.rs" 22 0 22 89] forall x : usize . result = Core_Result_Result_Type.C_Ok x + -> Seq.get (deep_model0 arr) (UIntSize.to_int x) = deep_model1 elem } + ensures { [#"../05_binary_search_generic.rs" 23 0 24 74] forall x : usize . result = Core_Result_Result_Type.C_Err x + -> (forall i : usize . i < x -> le_log0 (Seq.get (deep_model0 arr) (UIntSize.to_int i)) (deep_model1 elem)) } + ensures { [#"../05_binary_search_generic.rs" 25 0 26 92] forall x : usize . result = Core_Result_Result_Type.C_Err x + -> (forall i : usize . x <= i /\ UIntSize.to_int i < Seq.length (shallow_model1 arr) + -> lt_log0 (deep_model1 elem) (Seq.get (deep_model0 arr) (UIntSize.to_int i))) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : Core_Result_Result_Type.t_result usize usize; 
@@ -370,7 +400,7 @@ module C05BinarySearchGeneric_BinarySearch goto BB4 } BB4 { - [#"../05_binary_search_generic.rs" 31 7 31 21] _9 <- ([#"../05_binary_search_generic.rs" 31 7 31 21] _10 = (0 : usize)); + [#"../05_binary_search_generic.rs" 31 7 31 21] _9 <- ([#"../05_binary_search_generic.rs" 31 7 31 21] _10 = ([#"../05_binary_search_generic.rs" 31 20 31 21] (0 : usize))); _10 <- any usize; switch (_9) | False -> goto BB7 @@ -382,7 +412,7 @@ module C05BinarySearchGeneric_BinarySearch assume { resolve2 elem }; assert { [@expl:type invariant] inv0 arr }; assume { resolve0 arr }; - [#"../05_binary_search_generic.rs" 32 15 32 21] _0 <- ([#"../05_binary_search_generic.rs" 32 15 32 21] Core_Result_Result_Type.C_Err (0 : usize)); + [#"../05_binary_search_generic.rs" 32 15 32 21] _0 <- ([#"../05_binary_search_generic.rs" 32 15 32 21] Core_Result_Result_Type.C_Err ([#"../05_binary_search_generic.rs" 32 19 32 20] (0 : usize))); goto BB29 } BB6 { @@ -394,7 +424,7 @@ module C05BinarySearchGeneric_BinarySearch goto BB8 } BB8 { - [#"../05_binary_search_generic.rs" 35 26 35 27] base <- ([#"../05_binary_search_generic.rs" 35 26 35 27] (0 : usize)); + [#"../05_binary_search_generic.rs" 35 26 35 27] base <- ([#"../05_binary_search_generic.rs" 35 26 35 27] [#"../05_binary_search_generic.rs" 35 26 35 27] (0 : usize)); goto BB9 } BB9 { 
@@ -405,24 +435,26 @@ module C05BinarySearchGeneric_BinarySearch } BB11 { invariant { [#"../05_binary_search_generic.rs" 37 16 37 56] 0 < UIntSize.to_int size /\ UIntSize.to_int size + UIntSize.to_int base <= Seq.length (shallow_model1 arr) }; - invariant { [#"../05_binary_search_generic.rs" 37 4 37 58] forall i : usize . i < base -> le_log0 (Seq.get (deep_model0 arr) (UIntSize.to_int i)) (deep_model1 elem) }; - invariant { [#"../05_binary_search_generic.rs" 37 4 37 58] forall i : usize . UIntSize.to_int base + UIntSize.to_int size <= UIntSize.to_int i /\ UIntSize.to_int i < Seq.length (shallow_model1 arr) -> lt_log0 (deep_model1 elem) (Seq.get (deep_model0 arr) (UIntSize.to_int i)) }; + invariant { [#"../05_binary_search_generic.rs" 37 4 37 58] forall i : usize . i < base + -> le_log0 (Seq.get (deep_model0 arr) (UIntSize.to_int i)) (deep_model1 elem) }; + invariant { [#"../05_binary_search_generic.rs" 37 4 37 58] forall i : usize . UIntSize.to_int base + UIntSize.to_int size <= UIntSize.to_int i /\ UIntSize.to_int i < Seq.length (shallow_model1 arr) + -> lt_log0 (deep_model1 elem) (Seq.get (deep_model0 arr) (UIntSize.to_int i)) }; goto BB12 } BB12 { - [#"../05_binary_search_generic.rs" 40 10 40 18] _21 <- ([#"../05_binary_search_generic.rs" 40 10 40 18] size > (1 : usize)); + [#"../05_binary_search_generic.rs" 40 10 40 18] _21 <- ([#"../05_binary_search_generic.rs" 40 10 40 18] size > ([#"../05_binary_search_generic.rs" 40 17 40 18] (1 : usize))); switch (_21) | False -> goto BB20 | True -> goto BB13 end } BB13 { - [#"../05_binary_search_generic.rs" 41 19 41 27] _25 <- ([#"../05_binary_search_generic.rs" 41 19 41 27] (2 : usize) = (0 : usize)); + [#"../05_binary_search_generic.rs" 41 19 41 27] _25 <- ([#"../05_binary_search_generic.rs" 41 19 41 27] ([#"../05_binary_search_generic.rs" 41 26 41 27] (2 : usize)) = ([#"../05_binary_search_generic.rs" 41 19 41 27] (0 : usize))); assert { [@expl:division by zero] [#"../05_binary_search_generic.rs" 41 19 41 27] not _25 
}; goto BB14 } BB14 { - [#"../05_binary_search_generic.rs" 41 19 41 27] half <- ([#"../05_binary_search_generic.rs" 41 19 41 27] size / (2 : usize)); + [#"../05_binary_search_generic.rs" 41 19 41 27] half <- ([#"../05_binary_search_generic.rs" 41 19 41 27] size / ([#"../05_binary_search_generic.rs" 41 26 41 27] (2 : usize))); [#"../05_binary_search_generic.rs" 42 18 42 29] mid <- ([#"../05_binary_search_generic.rs" 42 18 42 29] base + half); [#"../05_binary_search_generic.rs" 44 21 44 26] _32 <- ([#"../05_binary_search_generic.rs" 44 21 44 26] index0 arr mid); goto BB15 @@ -495,7 +527,7 @@ module C05BinarySearchGeneric_BinarySearch goto BB28 } BB27 { - [#"../05_binary_search_generic.rs" 53 30 53 38] _50 <- ([#"../05_binary_search_generic.rs" 53 30 53 38] base + (1 : usize)); + [#"../05_binary_search_generic.rs" 53 30 53 38] _50 <- ([#"../05_binary_search_generic.rs" 53 30 53 38] base + ([#"../05_binary_search_generic.rs" 53 37 53 38] (1 : usize))); [#"../05_binary_search_generic.rs" 53 26 53 39] _0 <- ([#"../05_binary_search_generic.rs" 53 26 53 39] Core_Result_Result_Type.C_Err _50); _50 <- any usize; goto BB28 diff --git a/creusot/tests/should_succeed/vector/06_knights_tour.mlcfg b/creusot/tests/should_succeed/vector/06_knights_tour.mlcfg index cf267cbe28..c4bca34a66 100644 --- a/creusot/tests/should_succeed/vector/06_knights_tour.mlcfg +++ b/creusot/tests/should_succeed/vector/06_knights_tour.mlcfg 
@@ -199,7 +199,8 @@ module C06KnightsTour_Impl1_New_Closure3 requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv2 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv2 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant1 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv2 (shallow_model0 self) val invariant1 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -242,7 +243,8 @@ module C06KnightsTour_Impl1_New_Closure3 val from_elem0 (elem : usize) (n : usize) : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) requires {inv0 elem} ensures { [#"../../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model0 result) = UIntSize.to_int n } - ensures { [#"../../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic0 result i = elem } + ensures { [#"../../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic0 result i = elem } ensures { inv1 result } predicate resolve0 (self : borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) = @@ -263,7 +265,7 @@ module C06KnightsTour_Impl1_New_Closure3 } BB0 { assume { resolve0 _1 }; - [#"../06_knights_tour.rs" 44 23 44 36] res <- ([#"../06_knights_tour.rs" 44 23 44 36] from_elem0 (0 : usize) (field_00 ( * _1))); + [#"../06_knights_tour.rs" 44 23 44 36] res <- ([#"../06_knights_tour.rs" 44 23 44 36] from_elem0 ([#"../06_knights_tour.rs" 44 28 44 29] (0 : usize)) (field_00 ( * _1))); goto BB1 } BB1 { 
@@ -357,7 +359,8 @@ module C06KnightsTour_Impl1_New requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv7 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv7 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant9 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv7 (shallow_model2 self) val invariant9 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -397,7 +400,8 @@ module C06KnightsTour_Impl1_New requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant6 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -450,18 +454,22 @@ module C06KnightsTour_Impl1_New predicate produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces0 self visited o } predicate produces1 [@inline:trivial] (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (visited : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) (succ : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9] unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ) /\ (exists s : Seq.seq usize . inv7 s /\ Seq.length s = Seq.length visited /\ produces0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter self) s (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter succ) /\ Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced succ) = Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) s /\ (exists fs : Seq.seq (borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) . inv11 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9] unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ) /\ (exists s : Seq.seq usize . 
inv7 s /\ Seq.length s = Seq.length visited /\ produces0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter self) s (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter succ) /\ Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced succ) = Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) s /\ (exists fs : Seq.seq (borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) . inv11 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ else * Seq.get fs 0 = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self /\ ^ Seq.get fs (Seq.length visited - 1) = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces1 [@inline:trivial] (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (visited : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) (succ : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) : bool ensures { result = produces1 self visited succ } 
@@ -477,7 +485,14 @@ module C06KnightsTour_Impl1_New requires {[#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 82 31 83] inv3 c} ensures { result = produces_trans2 a ab b bc c } - axiom produces_trans2_spec : forall a : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3, ab : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)), b : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3, bc : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)), c : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32] produces1 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32] produces1 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 22 31 23] inv3 a) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 31 31 33] inv4 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 52 31 53] inv3 b) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 61 31 63] inv4 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 82 31 83] inv3 c) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans2_spec : forall a : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3, ab : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)), b : 
CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3, bc : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)), c : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32] produces1 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32] produces1 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 22 31 23] inv3 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 31 31 33] inv4 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 52 31 53] inv3 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 61 31 63] inv4 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 82 31 83] inv3 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl2 (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) : () 
@@ -485,7 +500,8 @@ module C06KnightsTour_Impl1_New requires {[#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 24 21 24 25] inv3 self} ensures { result = produces_refl2 self } - axiom produces_refl2_spec : forall self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 24 21 24 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45] produces1 self (Seq.empty ) self) + axiom produces_refl2_spec : forall self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 24 21 24 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45] produces1 self (Seq.empty ) self) predicate invariant5 (self : borrowed (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3)) = 
@@ -517,7 +533,8 @@ module C06KnightsTour_Impl1_New predicate next_precondition0 (iter : Core_Ops_Range_Range_Type.t_range usize) (func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (produced : Seq.seq usize) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 112 8 116 9] forall i : Core_Ops_Range_Range_Type.t_range usize . forall e : usize . inv0 i -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 112 8 116 9] forall i : Core_Ops_Range_Range_Type.t_range usize . forall e : usize . inv0 i + -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 (iter : Core_Ops_Range_Range_Type.t_range usize) (func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (produced : Seq.seq usize) : bool ensures { result = next_precondition0 iter func produced } 
@@ -525,7 +542,16 @@ module C06KnightsTour_Impl1_New predicate preservation0 (iter : Core_Ops_Range_Range_Type.t_range usize) (func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 135 8 142 9] forall i : Core_Ops_Range_Range_Type.t_range usize . forall b : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . forall f : borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 . forall e2 : usize . forall e1 : usize . forall s : Seq.seq usize . inv0 i -> inv9 b -> inv10 f -> inv1 e2 -> inv1 e1 -> inv7 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Snapshot.new s) -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 135 8 142 9] forall i : Core_Ops_Range_Range_Type.t_range usize . forall b : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . forall f : borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 . forall e2 : usize . forall e1 : usize . forall s : Seq.seq usize . inv0 i + -> inv9 b + -> inv10 f + -> inv1 e2 + -> inv1 e1 + -> inv7 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 (iter : Core_Ops_Range_Range_Type.t_range usize) (func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) : bool ensures { result = preservation0 iter func } 
@@ -542,7 +568,11 @@ module C06KnightsTour_Impl1_New requires {[#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 42 121 50] inv7 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : Core_Ops_Range_Range_Type.t_range usize, func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3, produced : Seq.seq usize . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 24 121 28] inv0 iter) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 33 121 37] inv2 func) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 42 121 50] inv7 produced) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 120 4 120 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) + axiom preservation_inv0_spec : forall iter : Core_Ops_Range_Range_Type.t_range usize, func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3, produced : Seq.seq usize . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 24 121 28] inv0 iter) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 33 121 37] inv2 func) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 42 121 50] inv7 produced) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 120 4 120 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) predicate resolve3 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) = [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve3 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) : bool 
@@ -554,7 +584,8 @@ module C06KnightsTour_Impl1_New ensures { result = completed1 self } predicate reinitialize0 (_1 : ()) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 148 8 153 9] forall func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 . forall iter : borrowed (Core_Ops_Range_Range_Type.t_range usize) . inv2 func -> inv8 iter -> completed1 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 148 8 153 9] forall func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 . forall iter : borrowed (Core_Ops_Range_Range_Type.t_range usize) . inv2 func + -> inv8 iter -> completed1 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -584,13 +615,21 @@ module C06KnightsTour_Impl1_New requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv7 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv7 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv7 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv7 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) function produces_refl1 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl1 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant1 (self : usize) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant1 (self : usize) : bool 
@@ -615,13 +654,21 @@ module C06KnightsTour_Impl1_New requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv7 ab) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv7 bc) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv7 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv7 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces0 self (Seq.empty ) self) function index_logic0 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) (ix : int) : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) = 
@@ -631,7 +678,8 @@ module C06KnightsTour_Impl1_New use C06KnightsTour_Board_Type as C06KnightsTour_Board_Type predicate wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) = - [#"../06_knights_tour.rs" 31 8 35 9] UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) <= 1000 /\ Seq.length (shallow_model1 (C06KnightsTour_Board_Type.board_field self)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) -> Seq.length (shallow_model2 (index_logic0 (C06KnightsTour_Board_Type.board_field self) i)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self)) + [#"../06_knights_tour.rs" 31 8 35 9] UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) <= 1000 /\ Seq.length (shallow_model1 (C06KnightsTour_Board_Type.board_field self)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) + -> Seq.length (shallow_model2 (index_logic0 (C06KnightsTour_Board_Type.board_field self) i)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self)) val wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) : bool ensures { result = wf0 self } 
@@ -671,7 +719,8 @@ module C06KnightsTour_Impl1_New ensures { inv6 result } val map_inv0 (self : Core_Ops_Range_Range_Type.t_range usize) (func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 - requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 43 4 43 141] forall i2 : Core_Ops_Range_Range_Type.t_range usize . forall e : usize . inv0 i2 -> inv1 e -> produces0 self (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} + requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 43 4 43 141] forall i2 : Core_Ops_Range_Range_Type.t_range usize . forall e : usize . inv0 i2 + -> inv1 e -> produces0 self (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 44 15 44 51] reinitialize0 ()} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 45 15 45 70] preservation0 self func} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 47 21 47 25] inv0 self} @@ -695,7 +744,7 @@ module C06KnightsTour_Impl1_New goto BB0 } BB0 { - [#"../06_knights_tour.rs" 41 19 41 28] _7 <- ([#"../06_knights_tour.rs" 41 19 41 28] Core_Ops_Range_Range_Type.C_Range (0 : usize) size); + [#"../06_knights_tour.rs" 41 19 41 28] _7 <- ([#"../06_knights_tour.rs" 41 19 41 28] Core_Ops_Range_Range_Type.C_Range ([#"../06_knights_tour.rs" 41 20 41 21] (0 : usize)) size); [#"../06_knights_tour.rs" 43 16 43 50] _9 <- ([#"../06_knights_tour.rs" 43 16 43 50] C06KnightsTour_Impl1_New_Closure3.C06KnightsTour_Impl1_New_Closure3 size); [#"../06_knights_tour.rs" 41 19 45 13] _6 <- ([#"../06_knights_tour.rs" 41 19 45 13] map_inv0 _7 _9); _7 <- any Core_Ops_Range_Range_Type.t_range usize; 
@@ -749,7 +798,8 @@ module C06KnightsTour_Impl1_Available requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv7 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv7 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) predicate invariant6 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv7 (shallow_model4 self) val invariant6 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -778,7 +828,8 @@ module C06KnightsTour_Impl1_Available requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -849,7 +900,8 @@ module C06KnightsTour_Impl1_Available ensures { result = index_logic0 self ix } predicate wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) = - [#"../06_knights_tour.rs" 31 8 35 9] UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) <= 1000 /\ Seq.length (shallow_model3 (C06KnightsTour_Board_Type.board_field self)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) -> Seq.length (shallow_model4 (index_logic0 (C06KnightsTour_Board_Type.board_field self) i)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self)) + [#"../06_knights_tour.rs" 31 8 35 9] UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) <= 1000 /\ Seq.length (shallow_model3 (C06KnightsTour_Board_Type.board_field self)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) + -> Seq.length (shallow_model4 (index_logic0 (C06KnightsTour_Board_Type.board_field self) i)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self)) val wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) : bool ensures { result = wf0 self } @@ -909,7 +961,7 @@ module C06KnightsTour_Impl1_Available use prelude.IntSize let rec cfg available [#"../06_knights_tour.rs" 52 4 52 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : C06KnightsTour_Board_Type.t_board) (p : C06KnightsTour_Point_Type.t_point) : bool requires {[#"../06_knights_tour.rs" 50 15 50 24] wf0 self} - ensures { [#"../06_knights_tour.rs" 51 4 51 44] result -> in_bounds0 self p } + ensures { [#"../06_knights_tour.rs" 51 4 51 44] result -> in_bounds0 self p } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : bool; 
@@ -929,7 +981,7 @@ module C06KnightsTour_Impl1_Available goto BB0 } BB0 { - [#"../06_knights_tour.rs" 53 8 53 16] _5 <- ([#"../06_knights_tour.rs" 53 8 53 16] (0 : isize) <= C06KnightsTour_Point_Type.point_x p); + [#"../06_knights_tour.rs" 53 8 53 16] _5 <- ([#"../06_knights_tour.rs" 53 8 53 16] ([#"../06_knights_tour.rs" 53 8 53 9] (0 : isize)) <= C06KnightsTour_Point_Type.point_x p); switch (_5) | False -> goto BB8 | True -> goto BB1 @@ -945,7 +997,7 @@ module C06KnightsTour_Impl1_Available end } BB2 { - [#"../06_knights_tour.rs" 55 15 55 23] _11 <- ([#"../06_knights_tour.rs" 55 15 55 23] (0 : isize) <= C06KnightsTour_Point_Type.point_y p); + [#"../06_knights_tour.rs" 55 15 55 23] _11 <- ([#"../06_knights_tour.rs" 55 15 55 23] ([#"../06_knights_tour.rs" 55 15 55 16] (0 : isize)) <= C06KnightsTour_Point_Type.point_y p); switch (_11) | False -> goto BB6 | True -> goto BB3 @@ -979,7 +1031,7 @@ module C06KnightsTour_Impl1_Available goto BB9 } BB9 { - [#"../06_knights_tour.rs" 53 8 57 58] _0 <- ([#"../06_knights_tour.rs" 53 8 57 58] false); + [#"../06_knights_tour.rs" 53 8 57 58] _0 <- ([#"../06_knights_tour.rs" 53 8 57 58] [#"../06_knights_tour.rs" 53 8 57 58] false); goto BB12 } BB10 { @@ -989,7 +1041,7 @@ module C06KnightsTour_Impl1_Available goto BB11 } BB11 { - [#"../06_knights_tour.rs" 57 15 57 58] _0 <- ([#"../06_knights_tour.rs" 57 15 57 58] _18 = (0 : usize)); + [#"../06_knights_tour.rs" 57 15 57 58] _0 <- ([#"../06_knights_tour.rs" 57 15 57 58] _18 = ([#"../06_knights_tour.rs" 57 57 57 58] (0 : usize))); goto BB12 } BB12 { 
@@ -1053,7 +1105,8 @@ module C06KnightsTour_Impl1_CountDegree requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self} ensures { result = shallow_model5 self } - axiom shallow_model5_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model5 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max0) + axiom shallow_model5_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model5 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max0) predicate invariant7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv8 (shallow_model5 self) val invariant7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1082,7 +1135,8 @@ module C06KnightsTour_Impl1_CountDegree requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) predicate invariant5 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -1139,7 +1193,8 @@ module C06KnightsTour_Impl1_CountDegree requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant1 (self : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv4 (shallow_model1 self) val invariant1 (self : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1177,7 +1232,14 @@ module C06KnightsTour_Impl1_CountDegree requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global), ab : Seq.seq (isize, isize), b : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global), bc : Seq.seq (isize, isize), c : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 248 15 248 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 249 15 249 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 22 251 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 31 251 33] inv4 ab) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 43 251 44] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 52 251 54] inv4 bc) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 250 14 250 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global), ab : Seq.seq (isize, isize), b : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global), bc : Seq.seq (isize, isize), c : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global) . 
([#"../../../../../creusot-contracts/src/std/vec.rs" 248 15 248 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 249 15 249 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 22 251 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 31 251 33] inv4 ab) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 43 251 44] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 52 251 54] inv4 bc) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 250 14 250 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)) : () @@ -1187,7 +1249,8 @@ module C06KnightsTour_Impl1_CountDegree requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 243 14 243 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 243 14 243 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -1215,7 +1278,8 @@ module C06KnightsTour_Impl1_CountDegree ensures { result = index_logic2 self ix } predicate wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) = - [#"../06_knights_tour.rs" 31 8 35 9] UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) <= 1000 /\ Seq.length (shallow_model4 (C06KnightsTour_Board_Type.board_field self)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) -> Seq.length (shallow_model5 (index_logic2 (C06KnightsTour_Board_Type.board_field self) i)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self)) + [#"../06_knights_tour.rs" 31 8 35 9] UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) <= 1000 /\ Seq.length (shallow_model4 (C06KnightsTour_Board_Type.board_field self)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) + -> Seq.length (shallow_model5 (index_logic2 (C06KnightsTour_Board_Type.board_field self) i)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self)) val wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) : bool ensures { result = wf0 self } 
@@ -1234,13 +1298,14 @@ module C06KnightsTour_Impl1_CountDegree predicate resolve2 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 222 8 222 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) -> resolve1 (Seq.get (shallow_model3 self) i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 222 8 222 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) + -> resolve1 (Seq.get (shallow_model3 self) i) val resolve2 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve2 self } val available0 [#"../06_knights_tour.rs" 52 4 52 41] (self : C06KnightsTour_Board_Type.t_board) (p : C06KnightsTour_Point_Type.t_point) : bool requires {[#"../06_knights_tour.rs" 50 15 50 24] wf0 self} - ensures { [#"../06_knights_tour.rs" 51 4 51 44] result -> in_bounds0 self p } + ensures { [#"../06_knights_tour.rs" 51 4 51 44] result -> in_bounds0 self p } val mov0 [#"../06_knights_tour.rs" 18 4 18 45] (self : C06KnightsTour_Point_Type.t_point) (p : (isize, isize)) : C06KnightsTour_Point_Type.t_point requires {[#"../06_knights_tour.rs" 12 15 12 52] - 10000 <= IntSize.to_int (C06KnightsTour_Point_Type.point_x self) /\ IntSize.to_int (C06KnightsTour_Point_Type.point_x self) <= 10000} 
@@ -1312,7 +1377,8 @@ module C06KnightsTour_Impl1_CountDegree val moves0 [#"../06_knights_tour.rs" 95 0 95 33] (_1 : ()) : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global) ensures { [#"../06_knights_tour.rs" 93 10 93 28] Seq.length (shallow_model1 result) = 8 } - ensures { [#"../06_knights_tour.rs" 94 0 94 130] forall i : int . 0 <= i /\ i < 8 -> - 2 <= IntSize.to_int (let (a, _) = index_logic0 result i in a) /\ IntSize.to_int (let (a, _) = index_logic0 result i in a) <= 2 /\ - 2 <= IntSize.to_int (let (_, a) = index_logic0 result i in a) /\ IntSize.to_int (let (_, a) = index_logic0 result i in a) <= 2 } + ensures { [#"../06_knights_tour.rs" 94 0 94 130] forall i : int . 0 <= i /\ i < 8 + -> - 2 <= IntSize.to_int (let (a, _) = index_logic0 result i in a) /\ IntSize.to_int (let (a, _) = index_logic0 result i in a) <= 2 /\ - 2 <= IntSize.to_int (let (_, a) = index_logic0 result i in a) /\ IntSize.to_int (let (_, a) = index_logic0 result i in a) <= 2 } let rec cfg count_degree [#"../06_knights_tour.rs" 70 4 70 45] [@cfg:stackify] [@cfg:subregion_analysis] (self : C06KnightsTour_Board_Type.t_board) (p : C06KnightsTour_Point_Type.t_point) : usize requires {[#"../06_knights_tour.rs" 68 15 68 24] wf0 self} @@ -1341,8 +1407,8 @@ module C06KnightsTour_Impl1_CountDegree goto BB0 } BB0 { - [#"../06_knights_tour.rs" 71 24 71 25] count <- ([#"../06_knights_tour.rs" 71 24 71 25] (0 : usize)); - [#"../06_knights_tour.rs" 74 17 74 24] _8 <- ([#"../06_knights_tour.rs" 74 17 74 24] moves0 ()); + [#"../06_knights_tour.rs" 71 24 71 25] count <- ([#"../06_knights_tour.rs" 71 24 71 25] [#"../06_knights_tour.rs" 71 24 71 25] (0 : usize)); + [#"../06_knights_tour.rs" 74 17 74 24] _8 <- ([#"../06_knights_tour.rs" 74 17 74 24] moves0 ([#"../06_knights_tour.rs" 74 17 74 24] ())); goto BB1 } BB1 { 
@@ -1427,12 +1493,12 @@ module C06KnightsTour_Impl1_CountDegree end } BB17 { - [#"../06_knights_tour.rs" 77 16 77 26] count <- ([#"../06_knights_tour.rs" 77 16 77 26] count + (1 : usize)); - [#"../06_knights_tour.rs" 76 36 78 13] _16 <- ([#"../06_knights_tour.rs" 76 36 78 13] ()); + [#"../06_knights_tour.rs" 77 16 77 26] count <- ([#"../06_knights_tour.rs" 77 16 77 26] count + ([#"../06_knights_tour.rs" 77 25 77 26] (1 : usize))); + [#"../06_knights_tour.rs" 76 36 78 13] _16 <- ([#"../06_knights_tour.rs" 76 36 78 13] [#"../06_knights_tour.rs" 76 36 78 13] ()); goto BB19 } BB18 { - [#"../06_knights_tour.rs" 78 13 78 13] _16 <- ([#"../06_knights_tour.rs" 78 13 78 13] ()); + [#"../06_knights_tour.rs" 78 13 78 13] _16 <- ([#"../06_knights_tour.rs" 78 13 78 13] [#"../06_knights_tour.rs" 78 13 78 13] ()); goto BB19 } BB19 { 
@@ -1473,7 +1539,8 @@ module C06KnightsTour_Impl1_Set requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv7 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv7 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant6 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv7 (shallow_model3 self) val invariant6 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1502,7 +1569,8 @@ module C06KnightsTour_Impl1_Set requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -1574,7 +1642,8 @@ module C06KnightsTour_Impl1_Set ensures { result = index_logic0 self ix } predicate wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) = - [#"../06_knights_tour.rs" 31 8 35 9] UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) <= 1000 /\ Seq.length (shallow_model1 (C06KnightsTour_Board_Type.board_field self)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) -> Seq.length (shallow_model3 (index_logic0 (C06KnightsTour_Board_Type.board_field self) i)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self)) + [#"../06_knights_tour.rs" 31 8 35 9] UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) <= 1000 /\ Seq.length (shallow_model1 (C06KnightsTour_Board_Type.board_field self)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) + -> Seq.length (shallow_model3 (index_logic0 (C06KnightsTour_Board_Type.board_field self) i)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self)) val wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) : bool ensures { result = wf0 self } 
@@ -1596,7 +1665,8 @@ module C06KnightsTour_Impl1_Set use prelude.Slice use seq.Seq predicate resolve_elswhere1 [@inline:trivial] (self : usize) (old' : Seq.seq usize) (fin : Seq.seq usize) = - [#"../../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere1 [@inline:trivial] (self : usize) (old' : Seq.seq usize) (fin : Seq.seq usize) : bool ensures { result = resolve_elswhere1 self old' fin } @@ -1630,7 +1700,8 @@ module C06KnightsTour_Impl1_Set predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) (fin : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) (fin : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve_elswhere0 self old' fin } 
@@ -1707,7 +1778,7 @@ module C06KnightsTour_Impl1_Set BB2 { [#"../06_knights_tour.rs" 88 8 88 50] _9 <- { _9 with current = ([#"../06_knights_tour.rs" 88 8 88 50] v) ; }; assume { resolve0 _9 }; - [#"../06_knights_tour.rs" 88 8 88 50] _0 <- ([#"../06_knights_tour.rs" 88 8 88 50] ()); + [#"../06_knights_tour.rs" 88 8 88 50] _0 <- ([#"../06_knights_tour.rs" 88 8 88 50] [#"../06_knights_tour.rs" 88 8 88 50] ()); assume { resolve1 _11 }; assume { resolve2 self }; return _0 @@ -1766,7 +1837,8 @@ module C06KnightsTour_Min requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant5 (self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -1830,7 +1902,8 @@ module C06KnightsTour_Min requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv7 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : slice (usize, C06KnightsTour_Point_Type.t_point) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv6 (shallow_model6 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : slice (usize, C06KnightsTour_Point_Type.t_point) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv6 (shallow_model6 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) function index_logic3 [@inline:trivial] (self : slice (usize, C06KnightsTour_Point_Type.t_point)) (ix : int) : (usize, C06KnightsTour_Point_Type.t_point) = 
@@ -1853,7 +1926,9 @@ module C06KnightsTour_Min requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv4 self} ensures { result = to_ref_seq0 self } - axiom to_ref_seq0_spec : forall self : slice (usize, C06KnightsTour_Point_Type.t_point) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv3 (to_ref_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) -> Seq.get (to_ref_seq0 self) i = index_logic3 self i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model3 self)) + axiom to_ref_seq0_spec : forall self : slice (usize, C06KnightsTour_Point_Type.t_point) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv3 (to_ref_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) + -> Seq.get (to_ref_seq0 self) i = index_logic3 self i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model3 self)) function shallow_model1 (self : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point)) : slice (usize, C06KnightsTour_Point_Type.t_point) val shallow_model1 (self : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point)) : slice (usize, C06KnightsTour_Point_Type.t_point) 
@@ -1877,7 +1952,11 @@ module C06KnightsTour_Min requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv3 bc} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point), ab : Seq.seq (usize, C06KnightsTour_Point_Type.t_point), b : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point), bc : Seq.seq (usize, C06KnightsTour_Point_Type.t_point), c : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv3 ab) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv3 bc) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point), ab : Seq.seq (usize, C06KnightsTour_Point_Type.t_point), b : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point), bc : Seq.seq (usize, C06KnightsTour_Point_Type.t_point), c : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point) . 
([#"../../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv3 ab) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv3 bc) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point)) : () = [#"../../../../../creusot-contracts/src/std/slice.rs" 390 4 390 10] () @@ -1960,7 +2039,8 @@ module C06KnightsTour_Min ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 89 0 166 1] into_iter_post0 self result } let rec cfg min [#"../06_knights_tour.rs" 111 0 111 58] [@cfg:stackify] [@cfg:subregion_analysis] (v : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)) : Core_Option_Option_Type.t_option (usize, C06KnightsTour_Point_Type.t_point) - ensures { [#"../06_knights_tour.rs" 109 0 110 62] forall r : (usize, C06KnightsTour_Point_Type.t_point) . result = Core_Option_Option_Type.C_Some r -> (exists i : int . 0 <= i /\ i < Seq.length (shallow_model0 v) /\ index_logic0 v i = r) } + ensures { [#"../06_knights_tour.rs" 109 0 110 62] forall r : (usize, C06KnightsTour_Point_Type.t_point) . result = Core_Option_Option_Type.C_Some r + -> (exists i : int . 0 <= i /\ i < Seq.length (shallow_model0 v) /\ index_logic0 v i = r) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : Core_Option_Option_Type.t_option (usize, C06KnightsTour_Point_Type.t_point); 
@@ -2002,7 +2082,8 @@ module C06KnightsTour_Min BB4 { invariant { [#"../06_knights_tour.rs" 113 4 114 74] inv0 iter }; invariant { [#"../06_knights_tour.rs" 113 4 114 74] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; - invariant { [#"../06_knights_tour.rs" 113 4 114 74] forall r : (usize, C06KnightsTour_Point_Type.t_point) . min = Core_Option_Option_Type.C_Some r -> (exists i : int . 0 <= i /\ i < Seq.length (shallow_model0 v) /\ index_logic0 v i = r) }; + invariant { [#"../06_knights_tour.rs" 113 4 114 74] forall r : (usize, C06KnightsTour_Point_Type.t_point) . min = Core_Option_Option_Type.C_Some r + -> (exists i : int . 0 <= i /\ i < Seq.length (shallow_model0 v) /\ index_logic0 v i = r) }; goto BB5 } BB5 { 
@@ -2061,18 +2142,18 @@ module C06KnightsTour_Min [#"../06_knights_tour.rs" 117 26 117 33] _25 <- ([#"../06_knights_tour.rs" 117 26 117 33] Core_Option_Option_Type.C_Some x); [#"../06_knights_tour.rs" 117 20 117 33] min <- ([#"../06_knights_tour.rs" 117 20 117 33] _25); _25 <- any Core_Option_Option_Type.t_option (usize, C06KnightsTour_Point_Type.t_point); - [#"../06_knights_tour.rs" 117 20 117 33] _23 <- ([#"../06_knights_tour.rs" 117 20 117 33] ()); + [#"../06_knights_tour.rs" 117 20 117 33] _23 <- ([#"../06_knights_tour.rs" 117 20 117 33] [#"../06_knights_tour.rs" 117 20 117 33] ()); goto BB18 } BB15 { [#"../06_knights_tour.rs" 120 26 120 33] _31 <- ([#"../06_knights_tour.rs" 120 26 120 33] Core_Option_Option_Type.C_Some x); [#"../06_knights_tour.rs" 120 20 120 33] min <- ([#"../06_knights_tour.rs" 120 20 120 33] _31); _31 <- any Core_Option_Option_Type.t_option (usize, C06KnightsTour_Point_Type.t_point); - [#"../06_knights_tour.rs" 120 20 120 33] _23 <- ([#"../06_knights_tour.rs" 120 20 120 33] ()); + [#"../06_knights_tour.rs" 120 20 120 33] _23 <- ([#"../06_knights_tour.rs" 120 20 120 33] [#"../06_knights_tour.rs" 120 20 120 33] ()); goto BB17 } BB16 { - [#"../06_knights_tour.rs" 121 17 121 17] _23 <- ([#"../06_knights_tour.rs" 121 17 121 17] ()); + [#"../06_knights_tour.rs" 121 17 121 17] _23 <- ([#"../06_knights_tour.rs" 121 17 121 17] [#"../06_knights_tour.rs" 121 17 121 17] ()); goto BB17 } BB17 { 
@@ -2095,7 +2176,8 @@ module C06KnightsTour_DumbNonlinearArith_Impl use prelude.UIntSize constant a : usize function dumb_nonlinear_arith [#"../06_knights_tour.rs" 131 0 131 33] (a : usize) : () - goal vc_dumb_nonlinear_arith : ([#"../06_knights_tour.rs" 129 11 129 22] UIntSize.to_int a <= 1000) -> ([#"../06_knights_tour.rs" 130 10 130 30] UIntSize.to_int a * UIntSize.to_int a <= 1000000) + goal vc_dumb_nonlinear_arith : ([#"../06_knights_tour.rs" 129 11 129 22] UIntSize.to_int a <= 1000) + -> ([#"../06_knights_tour.rs" 130 10 130 30] UIntSize.to_int a * UIntSize.to_int a <= 1000000) end module C06KnightsTour_KnightsTour use prelude.IntSize @@ -2131,7 +2213,8 @@ module C06KnightsTour_KnightsTour requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv14 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv14 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv11 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv14 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv11 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant14 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv11 (shallow_model3 self) val invariant14 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -2160,7 +2243,8 @@ module C06KnightsTour_KnightsTour requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv12 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv12 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv13 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv12 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv13 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant12 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -2246,7 +2330,8 @@ module C06KnightsTour_KnightsTour requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self} ensures { result = shallow_model5 self } - axiom shallow_model5_spec : forall self : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv15 (shallow_model5 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max0) + axiom shallow_model5_spec : forall self : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv15 (shallow_model5 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max0) predicate invariant5 (self : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv15 (shallow_model5 self) val invariant5 (self : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -2265,7 +2350,8 @@ module C06KnightsTour_KnightsTour requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -2326,7 +2412,14 @@ module C06KnightsTour_KnightsTour requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv1 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global), ab : Seq.seq (isize, isize), b : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global), bc : Seq.seq (isize, isize), c : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 248 15 248 32] produces1 a ab b) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 249 15 249 32] produces1 b bc c) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 22 251 23] inv1 a) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 31 251 33] inv15 ab) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 43 251 44] inv1 b) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 52 251 54] inv15 bc) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv1 c) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 250 14 250 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global), ab : Seq.seq (isize, isize), b : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global), bc : Seq.seq (isize, isize), c : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global) . 
([#"../../../../../creusot-contracts/src/std/vec.rs" 248 15 248 32] produces1 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 249 15 249 32] produces1 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 22 251 23] inv1 a) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 31 251 33] inv15 ab) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 43 251 44] inv1 b) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 52 251 54] inv15 bc) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv1 c) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 250 14 250 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)) : () @@ -2336,7 +2429,8 @@ module C06KnightsTour_KnightsTour requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv1 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 243 14 243 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 243 14 243 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -2360,7 +2454,9 @@ module C06KnightsTour_KnightsTour predicate produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces0 self visited o } 
@@ -2376,14 +2472,22 @@ module C06KnightsTour_KnightsTour requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv11 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv11 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv11 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv11 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : Core_Ops_Range_Range_Type.t_range usize) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant0 (self : Core_Ops_Range_Range_Type.t_range usize) : bool 
@@ -2418,7 +2522,8 @@ module C06KnightsTour_KnightsTour predicate resolve4 (self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve6 (index_logic0 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve6 (index_logic0 self i) val resolve4 (self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve4 self } @@ -2430,7 +2535,8 @@ module C06KnightsTour_KnightsTour ensures { result = shallow_model8 self } val min0 [#"../06_knights_tour.rs" 111 0 111 58] (v : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)) : Core_Option_Option_Type.t_option (usize, C06KnightsTour_Point_Type.t_point) - ensures { [#"../06_knights_tour.rs" 109 0 110 62] forall r : (usize, C06KnightsTour_Point_Type.t_point) . result = Core_Option_Option_Type.C_Some r -> (exists i : int . 0 <= i /\ i < Seq.length (shallow_model8 v) /\ index_logic0 v i = r) } + ensures { [#"../06_knights_tour.rs" 109 0 110 62] forall r : (usize, C06KnightsTour_Point_Type.t_point) . result = Core_Option_Option_Type.C_Some r + -> (exists i : int . 0 <= i /\ i < Seq.length (shallow_model8 v) /\ index_logic0 v i = r) } predicate resolve5 (self : isize) = [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true 
@@ -2446,7 +2552,8 @@ module C06KnightsTour_KnightsTour predicate resolve3 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 222 8 222 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model6 self) -> resolve2 (Seq.get (shallow_model6 self) i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 222 8 222 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model6 self) + -> resolve2 (Seq.get (shallow_model6 self) i) val resolve3 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve3 self } 
@@ -2480,7 +2587,8 @@ module C06KnightsTour_KnightsTour ensures { result = index_logic2 self ix } predicate wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) = - [#"../06_knights_tour.rs" 31 8 35 9] UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) <= 1000 /\ Seq.length (shallow_model2 (C06KnightsTour_Board_Type.board_field self)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) -> Seq.length (shallow_model3 (index_logic2 (C06KnightsTour_Board_Type.board_field self) i)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self)) + [#"../06_knights_tour.rs" 31 8 35 9] UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) <= 1000 /\ Seq.length (shallow_model2 (C06KnightsTour_Board_Type.board_field self)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) + -> Seq.length (shallow_model3 (index_logic2 (C06KnightsTour_Board_Type.board_field self) i)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self)) val wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) : bool ensures { result = wf0 self } 
@@ -2490,7 +2598,7 @@ module C06KnightsTour_KnightsTour val available0 [#"../06_knights_tour.rs" 52 4 52 41] (self : C06KnightsTour_Board_Type.t_board) (p : C06KnightsTour_Point_Type.t_point) : bool requires {[#"../06_knights_tour.rs" 50 15 50 24] wf0 self} - ensures { [#"../06_knights_tour.rs" 51 4 51 44] result -> in_bounds0 self p } + ensures { [#"../06_knights_tour.rs" 51 4 51 44] result -> in_bounds0 self p } val mov0 [#"../06_knights_tour.rs" 18 4 18 45] (self : C06KnightsTour_Point_Type.t_point) (p : (isize, isize)) : C06KnightsTour_Point_Type.t_point requires {[#"../06_knights_tour.rs" 12 15 12 52] - 10000 <= IntSize.to_int (C06KnightsTour_Point_Type.point_x self) /\ IntSize.to_int (C06KnightsTour_Point_Type.point_x self) <= 10000} @@ -2561,7 +2669,8 @@ module C06KnightsTour_KnightsTour val moves0 [#"../06_knights_tour.rs" 95 0 95 33] (_1 : ()) : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global) ensures { [#"../06_knights_tour.rs" 93 10 93 28] Seq.length (shallow_model5 result) = 8 } - ensures { [#"../06_knights_tour.rs" 94 0 94 130] forall i : int . 0 <= i /\ i < 8 -> - 2 <= IntSize.to_int (let (a, _) = index_logic3 result i in a) /\ IntSize.to_int (let (a, _) = index_logic3 result i in a) <= 2 /\ - 2 <= IntSize.to_int (let (_, a) = index_logic3 result i in a) /\ IntSize.to_int (let (_, a) = index_logic3 result i in a) <= 2 } + ensures { [#"../06_knights_tour.rs" 94 0 94 130] forall i : int . 0 <= i /\ i < 8 + -> - 2 <= IntSize.to_int (let (a, _) = index_logic3 result i in a) /\ IntSize.to_int (let (a, _) = index_logic3 result i in a) <= 2 /\ - 2 <= IntSize.to_int (let (_, a) = index_logic3 result i in a) /\ IntSize.to_int (let (_, a) = index_logic3 result i in a) <= 2 } val new4 (_1 : ()) : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global) ensures { [#"../../../../../creusot-contracts/src/std/vec.rs" 68 26 68 44] Seq.length (shallow_model0 result) = 0 } 
@@ -2615,7 +2724,8 @@ module C06KnightsTour_KnightsTour requires {[#"../06_knights_tour.rs" 129 11 129 22] UIntSize.to_int a <= 1000} ensures { result = dumb_nonlinear_arith0 a } - axiom dumb_nonlinear_arith0_spec : forall a : usize . ([#"../06_knights_tour.rs" 129 11 129 22] UIntSize.to_int a <= 1000) -> ([#"../06_knights_tour.rs" 130 10 130 30] UIntSize.to_int a * UIntSize.to_int a <= 1000000) + axiom dumb_nonlinear_arith0_spec : forall a : usize . ([#"../06_knights_tour.rs" 129 11 129 22] UIntSize.to_int a <= 1000) + -> ([#"../06_knights_tour.rs" 130 10 130 30] UIntSize.to_int a * UIntSize.to_int a <= 1000000) val set0 [#"../06_knights_tour.rs" 87 4 87 41] (self : borrowed (C06KnightsTour_Board_Type.t_board)) (p : C06KnightsTour_Point_Type.t_point) (v : usize) : () requires {[#"../06_knights_tour.rs" 83 15 83 24] wf0 ( * self)} requires {[#"../06_knights_tour.rs" 84 15 84 32] in_bounds0 ( * self) p} @@ -2694,7 +2804,7 @@ module C06KnightsTour_KnightsTour _12 <- any isize; [#"../06_knights_tour.rs" 139 4 139 9] _15 <- Borrow.borrow_mut board; [#"../06_knights_tour.rs" 139 4 139 9] board <- ^ _15; - [#"../06_knights_tour.rs" 139 4 139 19] _14 <- ([#"../06_knights_tour.rs" 139 4 139 19] set0 _15 p (1 : usize)); + [#"../06_knights_tour.rs" 139 4 139 19] _14 <- ([#"../06_knights_tour.rs" 139 4 139 19] set0 _15 p ([#"../06_knights_tour.rs" 139 17 139 18] (1 : usize))); _15 <- any borrowed (C06KnightsTour_Board_Type.t_board); goto BB2 } 
@@ -2704,7 +2814,7 @@ module C06KnightsTour_KnightsTour } BB3 { [#"../06_knights_tour.rs" 145 19 145 32] _22 <- ([#"../06_knights_tour.rs" 145 19 145 32] size * size); - [#"../06_knights_tour.rs" 145 16 145 32] _21 <- ([#"../06_knights_tour.rs" 145 16 145 32] Core_Ops_Range_Range_Type.C_Range (2 : usize) _22); + [#"../06_knights_tour.rs" 145 16 145 32] _21 <- ([#"../06_knights_tour.rs" 145 16 145 32] Core_Ops_Range_Range_Type.C_Range ([#"../06_knights_tour.rs" 145 16 145 17] (2 : usize)) _22); _22 <- any usize; [#"../06_knights_tour.rs" 142 4 142 36] iter <- ([#"../06_knights_tour.rs" 142 4 142 36] into_iter0 _21); _21 <- any Core_Ops_Range_Range_Type.t_range usize; @@ -2772,11 +2882,11 @@ module C06KnightsTour_KnightsTour [#"../06_knights_tour.rs" 142 4 142 36] produced <- ([#"../06_knights_tour.rs" 142 4 142 36] _40); _40 <- any Snapshot.snap_ty (Seq.seq usize); [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] step <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem); - [#"../06_knights_tour.rs" 147 50 147 60] candidates <- ([#"../06_knights_tour.rs" 147 50 147 60] new4 ()); + [#"../06_knights_tour.rs" 147 50 147 60] candidates <- ([#"../06_knights_tour.rs" 147 50 147 60] new4 ([#"../06_knights_tour.rs" 147 50 147 60] ())); goto BB17 } BB17 { - [#"../06_knights_tour.rs" 150 17 150 24] _46 <- ([#"../06_knights_tour.rs" 150 17 150 24] moves0 ()); + [#"../06_knights_tour.rs" 150 17 150 24] _46 <- ([#"../06_knights_tour.rs" 150 17 150 24] moves0 ([#"../06_knights_tour.rs" 150 17 150 24] ())); goto BB18 } BB18 { 
@@ -2807,7 +2917,8 @@ module C06KnightsTour_KnightsTour BB25 { invariant { [#"../06_knights_tour.rs" 148 8 149 54] inv1 iter1 }; invariant { [#"../06_knights_tour.rs" 148 8 149 54] produces1 (Snapshot.inner iter_old1) (Snapshot.inner produced1) iter1 }; - invariant { [#"../06_knights_tour.rs" 148 8 149 54] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 candidates) -> in_bounds0 board (let (_, a) = index_logic0 candidates i in a) }; + invariant { [#"../06_knights_tour.rs" 148 8 149 54] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 candidates) + -> in_bounds0 board (let (_, a) = index_logic0 candidates i in a) }; goto BB26 } BB26 { @@ -2872,11 +2983,11 @@ module C06KnightsTour_KnightsTour goto BB36 } BB36 { - [#"../06_knights_tour.rs" 152 36 155 13] _34 <- ([#"../06_knights_tour.rs" 152 36 155 13] ()); + [#"../06_knights_tour.rs" 152 36 155 13] _34 <- ([#"../06_knights_tour.rs" 152 36 155 13] [#"../06_knights_tour.rs" 152 36 155 13] ()); goto BB38 } BB37 { - [#"../06_knights_tour.rs" 155 13 155 13] _34 <- ([#"../06_knights_tour.rs" 155 13 155 13] ()); + [#"../06_knights_tour.rs" 155 13 155 13] _34 <- ([#"../06_knights_tour.rs" 155 13 155 13] [#"../06_knights_tour.rs" 155 13 155 13] ()); goto BB38 } BB38 { @@ -2912,7 +3023,7 @@ module C06KnightsTour_KnightsTour goto BB44 } BB44 { - [#"../06_knights_tour.rs" 145 33 162 5] _34 <- ([#"../06_knights_tour.rs" 145 33 162 5] ()); + [#"../06_knights_tour.rs" 145 33 162 5] _34 <- ([#"../06_knights_tour.rs" 145 33 162 5] [#"../06_knights_tour.rs" 145 33 162 5] ()); goto BB45 } BB45 { 
@@ -2973,5 +3084,6 @@ module C06KnightsTour_Impl3 axiom inv0 : forall x : C06KnightsTour_Point_Type.t_point . inv0 x = true use prelude.Borrow - goal clone'_refn : [#"../06_knights_tour.rs" 4 15 4 20] forall self : C06KnightsTour_Point_Type.t_point . inv0 self -> (forall result : C06KnightsTour_Point_Type.t_point . result = self -> inv1 result /\ result = self) + goal clone'_refn : [#"../06_knights_tour.rs" 4 15 4 20] forall self : C06KnightsTour_Point_Type.t_point . inv0 self + -> (forall result : C06KnightsTour_Point_Type.t_point . result = self -> inv1 result /\ result = self) end diff --git a/creusot/tests/should_succeed/vector/07_read_write.mlcfg b/creusot/tests/should_succeed/vector/07_read_write.mlcfg index 4d411db624..7a73cf7f08 100644 --- a/creusot/tests/should_succeed/vector/07_read_write.mlcfg +++ b/creusot/tests/should_succeed/vector/07_read_write.mlcfg 
@@ -123,7 +123,8 @@ module C07ReadWrite_ReadWrite requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv7 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv7 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv7 (shallow_model2 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool @@ -194,7 +195,8 @@ module C07ReadWrite_ReadWrite ensures { result = resolve0 self } predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq t) (fin : Seq.seq t) = - [#"../../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq t) (fin : Seq.seq t) : bool ensures { result = resolve_elswhere0 self old' fin } 
@@ -259,7 +261,7 @@ module C07ReadWrite_ReadWrite assume { resolve0 x }; assert { [@expl:type invariant] inv4 a }; assume { resolve3 a }; - [#"../07_read_write.rs" 6 76 9 1] _0 <- ([#"../07_read_write.rs" 6 76 9 1] ()); + [#"../07_read_write.rs" 6 76 9 1] _0 <- ([#"../07_read_write.rs" 6 76 9 1] [#"../07_read_write.rs" 6 76 9 1] ()); return _0 } BB5 { diff --git a/creusot/tests/should_succeed/vector/08_haystack.mlcfg b/creusot/tests/should_succeed/vector/08_haystack.mlcfg index be73d8e1ee..bcb27a7e3f 100644 --- a/creusot/tests/should_succeed/vector/08_haystack.mlcfg +++ b/creusot/tests/should_succeed/vector/08_haystack.mlcfg @@ -104,7 +104,8 @@ module C08Haystack_Search requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant9 (self : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv10 (shallow_model2 self) val invariant9 (self : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -201,7 +202,9 @@ module C08Haystack_Search predicate produces1 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces1 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces1 self visited o } 
@@ -217,14 +220,22 @@ module C08Haystack_Search requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces1 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces1 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv1 a) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv8 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv1 b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv8 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces1 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces1 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv1 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv8 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv1 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv8 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl1 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : Core_Ops_Range_Range_Type.t_range usize) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant1 (self : Core_Ops_Range_Range_Type.t_range usize) : bool 
@@ -249,7 +260,9 @@ module C08Haystack_Search requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 207 20 207 24] inv0 self} ensures { result = is_empty_log0 self } - axiom is_empty_log0_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../../creusot-contracts/src/std/ops.rs" 207 20 207 24] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 206 4 206 88] not is_empty_log0 self -> deep_model0 (start_log0 self) <= deep_model0 (end_log0 self)) + axiom is_empty_log0_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../../creusot-contracts/src/std/ops.rs" 207 20 207 24] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 206 4 206 88] not is_empty_log0 self + -> deep_model0 (start_log0 self) <= deep_model0 (end_log0 self)) function range_inclusive_len0 (r : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) : int = [#"../../../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5] if is_empty_log0 r then 0 
@@ -260,11 +273,14 @@ module C08Haystack_Search requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 46 62 46 63] inv0 r} ensures { result = range_inclusive_len0 r } - axiom range_inclusive_len0_spec : forall r : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 46 62 46 63] inv0 r) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43] is_empty_log0 r = (range_inclusive_len0 r = 0)) + axiom range_inclusive_len0_spec : forall r : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 46 62 46 63] inv0 r) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43] is_empty_log0 r = (range_inclusive_len0 r = 0)) predicate produces0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) (visited : Seq.seq usize) (o : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) = - [#"../../../../../creusot-contracts/src/std/iter/range.rs" 65 8 71 9] Seq.length visited = range_inclusive_len0 self - range_inclusive_len0 o /\ (is_empty_log0 self -> is_empty_log0 o) /\ (is_empty_log0 o \/ end_log0 self = end_log0 o) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (start_log0 self) + i) + [#"../../../../../creusot-contracts/src/std/iter/range.rs" 65 8 71 9] Seq.length visited = range_inclusive_len0 self - range_inclusive_len0 o /\ (is_empty_log0 self + -> is_empty_log0 o) /\ (is_empty_log0 o \/ end_log0 self = end_log0 o) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (start_log0 self) + i) val produces0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) (visited : Seq.seq usize) (o : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) : bool ensures { result = produces0 self visited o } 
@@ -282,14 +298,22 @@ module C08Haystack_Search requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 82 84 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize, ab : Seq.seq usize, b : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize, bc : Seq.seq usize, c : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 81 15 81 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 82 15 82 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 22 84 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 31 84 33] inv8 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 52 84 53] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 61 84 63] inv8 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 82 84 83] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 83 14 83 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize, ab : Seq.seq usize, b : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize, bc : Seq.seq usize, c : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 81 15 81 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 82 15 82 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 22 84 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 31 84 33] inv8 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 52 84 53] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 61 84 63] inv8 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 82 84 83] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 83 14 83 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) : () = [#"../../../../../creusot-contracts/src/std/iter/range.rs" 74 4 74 10] () val produces_refl0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) : () requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 77 21 77 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 77 21 77 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 76 14 76 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 77 21 77 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 76 14 76 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) : bool 
@@ -388,7 +412,8 @@ module C08Haystack_Search predicate match_at0 [#"../08_haystack.rs" 7 0 7 77] (needle : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) (haystack : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) (pos : int) (len : int) = - [#"../08_haystack.rs" 8 4 12 5] len <= Seq.length (shallow_model0 needle) /\ pos <= Seq.length (shallow_model0 haystack) - len /\ (forall i : int . 0 <= i /\ i < len -> index_logic1 needle i = index_logic1 haystack (pos + i)) + [#"../08_haystack.rs" 8 4 12 5] len <= Seq.length (shallow_model0 needle) /\ pos <= Seq.length (shallow_model0 haystack) - len /\ (forall i : int . 0 <= i /\ i < len + -> index_logic1 needle i = index_logic1 haystack (pos + i)) val match_at0 [#"../08_haystack.rs" 7 0 7 77] (needle : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) (haystack : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) (pos : int) (len : int) : bool ensures { result = match_at0 needle haystack pos len } @@ -420,7 +445,8 @@ module C08Haystack_Search requires {inv3 end'} ensures { [#"../../../../../creusot-contracts/src/std/ops.rs" 220 26 220 53] start_log0 result = start } ensures { [#"../../../../../creusot-contracts/src/std/ops.rs" 221 26 221 49] end_log0 result = end' } - ensures { [#"../../../../../creusot-contracts/src/std/ops.rs" 222 16 222 93] deep_model0 start <= deep_model0 end' -> not is_empty_log0 result } + ensures { [#"../../../../../creusot-contracts/src/std/ops.rs" 222 16 222 93] deep_model0 start <= deep_model0 end' + -> not is_empty_log0 result } ensures { inv0 result } val len0 (self : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) : usize 
@@ -430,8 +456,12 @@ module C08Haystack_Search let rec cfg search [#"../08_haystack.rs" 21 0 21 60] [@cfg:stackify] [@cfg:subregion_analysis] (needle : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) (haystack : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) : usize requires {[#"../08_haystack.rs" 15 11 15 65] Seq.length (shallow_model0 needle) >= 1 /\ Seq.length (shallow_model0 needle) <= Seq.length (shallow_model0 haystack)} ensures { [#"../08_haystack.rs" 16 10 16 85] UIntSize.to_int result = Seq.length (shallow_model0 haystack) \/ UIntSize.to_int result < Seq.length (shallow_model0 haystack) - Seq.length (shallow_model0 needle) + 1 } - ensures { [#"../08_haystack.rs" 17 0 19 108] UIntSize.to_int result < Seq.length (shallow_model0 haystack) -> match_at0 needle haystack (UIntSize.to_int result) (Seq.length (shallow_model0 needle)) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int result -> not match_at0 needle haystack i (Seq.length (shallow_model0 needle))) } - ensures { [#"../08_haystack.rs" 20 0 20 139] UIntSize.to_int result = Seq.length (shallow_model0 haystack) -> (forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 haystack) -> not match_at0 needle haystack i (Seq.length (shallow_model0 needle))) } + ensures { [#"../08_haystack.rs" 17 0 19 108] UIntSize.to_int result < Seq.length (shallow_model0 haystack) + -> match_at0 needle haystack (UIntSize.to_int result) (Seq.length (shallow_model0 needle)) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int result + -> not match_at0 needle haystack i (Seq.length (shallow_model0 needle))) } + ensures { [#"../08_haystack.rs" 20 0 20 139] UIntSize.to_int result = Seq.length (shallow_model0 haystack) + -> (forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 haystack) + -> not match_at0 needle haystack i (Seq.length (shallow_model0 needle))) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : usize; 
@@ -480,7 +510,7 @@ module C08Haystack_Search [#"../08_haystack.rs" 23 21 23 50] _11 <- ([#"../08_haystack.rs" 23 21 23 50] _12 - _14); _12 <- any usize; _14 <- any usize; - [#"../08_haystack.rs" 23 17 23 50] _10 <- ([#"../08_haystack.rs" 23 17 23 50] new0 (0 : usize) _11); + [#"../08_haystack.rs" 23 17 23 50] _10 <- ([#"../08_haystack.rs" 23 17 23 50] new0 ([#"../08_haystack.rs" 23 17 23 18] (0 : usize)) _11); _11 <- any usize; goto BB3 } @@ -503,7 +533,8 @@ module C08Haystack_Search BB7 { invariant { [#"../08_haystack.rs" 22 4 22 112] inv0 iter }; invariant { [#"../08_haystack.rs" 22 4 22 112] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; - invariant { [#"../08_haystack.rs" 22 4 22 112] forall k : int . 0 <= k /\ k < Seq.length (Snapshot.inner produced) -> not match_at0 needle haystack k (Seq.length (shallow_model0 needle)) }; + invariant { [#"../08_haystack.rs" 22 4 22 112] forall k : int . 0 <= k /\ k < Seq.length (Snapshot.inner produced) + -> not match_at0 needle haystack k (Seq.length (shallow_model0 needle)) }; goto BB8 } BB8 { @@ -546,7 +577,7 @@ module C08Haystack_Search goto BB15 } BB15 { - [#"../08_haystack.rs" 25 17 25 32] _35 <- ([#"../08_haystack.rs" 25 17 25 32] Core_Ops_Range_Range_Type.C_Range (0 : usize) _36); + [#"../08_haystack.rs" 25 17 25 32] _35 <- ([#"../08_haystack.rs" 25 17 25 32] Core_Ops_Range_Range_Type.C_Range ([#"../08_haystack.rs" 25 17 25 18] (0 : usize)) _36); _36 <- any usize; [#"../08_haystack.rs" 24 8 24 68] iter1 <- ([#"../08_haystack.rs" 24 8 24 68] into_iter1 _35); _35 <- any Core_Ops_Range_Range_Type.t_range usize; diff --git a/creusot/tests/should_succeed/vector/09_capacity.mlcfg b/creusot/tests/should_succeed/vector/09_capacity.mlcfg index d4206d382b..dc1d4c242d 100644 --- a/creusot/tests/should_succeed/vector/09_capacity.mlcfg +++ b/creusot/tests/should_succeed/vector/09_capacity.mlcfg 
@@ -77,7 +77,8 @@ module C09Capacity_ChangeCapacity requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv2 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv2 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv2 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -122,7 +123,8 @@ module C09Capacity_ChangeCapacity let rec cfg change_capacity [#"../09_capacity.rs" 6 0 6 41] [@cfg:stackify] [@cfg:subregion_analysis] (v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : () requires {[#"../09_capacity.rs" 6 26 6 27] inv1 v} ensures { [#"../09_capacity.rs" 4 10 4 33] Seq.length (shallow_model0 ( ^ v)) = Seq.length (shallow_model1 v) } - ensures { [#"../09_capacity.rs" 5 0 5 69] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 v) -> index_logic0 ( ^ v) i = index_logic0 ( * v) i } + ensures { [#"../09_capacity.rs" 5 0 5 69] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 v) + -> index_logic0 ( ^ v) i = index_logic0 ( * v) i } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); @@ -142,7 +144,7 @@ module C09Capacity_ChangeCapacity [#"../09_capacity.rs" 7 4 7 5] _5 <- Borrow.borrow_mut ( * v); [#"../09_capacity.rs" 7 4 7 5] v <- { v with current = ( ^ _5) ; }; assume { inv0 ( ^ _5) }; - [#"../09_capacity.rs" 7 4 7 18] _4 <- ([#"../09_capacity.rs" 7 4 7 18] reserve0 _5 (100 : usize)); + [#"../09_capacity.rs" 7 4 7 18] _4 <- ([#"../09_capacity.rs" 7 4 7 18] reserve0 _5 ([#"../09_capacity.rs" 7 14 7 17] (100 : usize))); _5 <- any borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); goto BB1 } @@ -150,7 +152,7 @@ module C09Capacity_ChangeCapacity [#"../09_capacity.rs" 8 4 8 5] _7 <- Borrow.borrow_mut ( * v); [#"../09_capacity.rs" 8 4 8 5] v <- { v with current = ( ^ _7) ; }; assume { inv0 ( ^ _7) }; - [#"../09_capacity.rs" 8 4 8 24] _6 <- ([#"../09_capacity.rs" 8 4 8 24] reserve_exact0 _7 (200 : usize)); + [#"../09_capacity.rs" 8 4 8 24] _6 <- ([#"../09_capacity.rs" 8 4 8 24] reserve_exact0 _7 ([#"../09_capacity.rs" 8 20 8 23] (200 : usize))); _7 <- any borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); goto BB2 } 
@@ -166,14 +168,14 @@ module C09Capacity_ChangeCapacity [#"../09_capacity.rs" 10 4 10 5] _11 <- Borrow.borrow_final ( * v) (Borrow.get_id v); [#"../09_capacity.rs" 10 4 10 5] v <- { v with current = ( ^ _11) ; }; assume { inv0 ( ^ _11) }; - [#"../09_capacity.rs" 10 4 10 18] _10 <- ([#"../09_capacity.rs" 10 4 10 18] shrink_to0 _11 (1 : usize)); + [#"../09_capacity.rs" 10 4 10 18] _10 <- ([#"../09_capacity.rs" 10 4 10 18] shrink_to0 _11 ([#"../09_capacity.rs" 10 16 10 17] (1 : usize))); _11 <- any borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); goto BB4 } BB4 { assert { [@expl:type invariant] inv1 v }; assume { resolve0 v }; - [#"../09_capacity.rs" 6 42 11 1] _0 <- ([#"../09_capacity.rs" 6 42 11 1] ()); + [#"../09_capacity.rs" 6 42 11 1] _0 <- ([#"../09_capacity.rs" 6 42 11 1] [#"../09_capacity.rs" 6 42 11 1] ()); return _0 } 
@@ -217,7 +219,8 @@ module C09Capacity_ClearVec requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv2 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv2 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv2 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool @@ -256,7 +259,7 @@ module C09Capacity_ClearVec BB1 { assert { [@expl:type invariant] inv1 v }; assume { resolve0 v }; - [#"../09_capacity.rs" 14 36 16 1] _0 <- ([#"../09_capacity.rs" 14 36 16 1] ()); + [#"../09_capacity.rs" 14 36 16 1] _0 <- ([#"../09_capacity.rs" 14 36 16 1] [#"../09_capacity.rs" 14 36 16 1] ()); return _0 } diff --git a/why3/src/exp.rs b/why3/src/exp.rs index 2dab563a5f..1194cd1d06 100644 --- a/why3/src/exp.rs +++ b/why3/src/exp.rs @@ -89,7 +89,7 @@ pub enum UnOp { #[derive(Debug, Clone, Copy, PartialEq, Eq)] #[cfg_attr(feature = "serialize", derive(Serialize, Deserialize))] -pub enum Purity { +pub(crate) enum Purity { Logic, Program, } 
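Review bot: `Purity` is narrowed to `pub(crate)` rather than deleted, while the same commit drops the `Purity` payload from `Exp::Var` and `Exp::QVar` and removes the two `Purity::Program` arms of `IsPure`, which are the only uses of the enum visible in this diff. If no other in-crate user remains, the enum together with its `serialize` derive is dead code and should go; if one does, a one-line doc comment naming it would keep the next reader from removing it, e.g. `/// Retained for <REMAINING-USER>; no longer stored on Exp::Var/Exp::QVar.`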
@@ -123,8 +123,8 @@ pub enum Exp {
 arg: Box,
 body: Box,
 },
- Var(Ident, Purity),
- QVar(QName, Purity),
+ Var(Ident),
+ QVar(QName),
 Record {
 fields: Vec<(String, Exp)>,
 },
@@ -194,8 +194,8 @@ pub fn super_visit_mut(f: &mut T, exp: &mut Exp) {
 f.visit_mut(arg);
 f.visit_mut(body)
 }
- Exp::Var(_, _) => {}
- Exp::QVar(_, _) => {}
+ Exp::Var(_) => {}
+ Exp::QVar(_) => {}
 Exp::RecUp { record, updates } => {
 f.visit_mut(record);
 updates.iter_mut().for_each(|(_, val)| f.visit_mut(val));
@@ -276,8 +276,8 @@ pub fn super_visit(f: &mut T, exp: &Exp) {
 f.visit(arg);
 f.visit(body)
 }
- Exp::Var(_, _) => {}
- Exp::QVar(_, _) => {}
+ Exp::Var(_) => {}
+ Exp::QVar(_) => {}
 Exp::RecUp { record, updates } => {
 f.visit(record);
 updates.iter().for_each(|(_, val)| f.visit(val));
@@ -340,20 +340,12 @@ pub fn super_visit_trigger(f: &mut T, trigger: &Trigger) {
 }
 
 impl Exp {
- pub fn impure_qvar(q: QName) -> Self {
- Exp::QVar(q, Purity::Program)
+ pub fn qvar(q: QName) -> Self {
+ Exp::QVar(q)
 }
 
- pub fn impure_var(v: Ident) -> Self {
- Exp::Var(v, Purity::Program)
- }
-
- pub fn pure_qvar(q: QName) -> Self {
- Exp::QVar(q, Purity::Logic)
- }
-
- pub fn pure_var(v: impl Into) -> Self {
- Exp::Var(v.into(), Purity::Logic)
+ pub fn var(v: impl Into) -> Self {
+ Exp::Var(v.into())
 }
 
 pub fn lazy_conj(l: Exp, r: Exp) -> Self {
@@ -545,8 +537,6 @@ impl Exp {
 impl ExpVisitor for IsPure {
 fn visit(&mut self, exp: &Exp) {
 match exp {
- Exp::Var(_, Purity::Program) => self.pure &= false,
- Exp::QVar(_, Purity::Program) => self.pure &= false,
 Exp::Verbatim(_) => self.pure &= false,
 Exp::Absurd => self.pure &= false,
 // This is a bit absurd, but you can't put "pure {...}"
@@ -701,8 +691,8 @@ impl Exp {
 Exp::Final(_) => Prefix,
 Exp::Let { .. } => IfLet,
 Exp::Abs(_, _) => Abs,
- Exp::Var(_, _) => Atom,
- Exp::QVar(_, _) => Atom,
+ Exp::Var(_) => Atom,
+ Exp::QVar(_) => Atom,
 Exp::RecUp { .. } => App,
 Exp::RecField { .. } => Infix4,
 Exp::Tuple(_) => Atom,
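Review bot: `qvar` and `var` replace four constructors whose names carried the pure/impure choice, but the new pair has no doc comment, so a reader of a call site no longer sees that the distinction was dropped on purpose rather than forgotten. Suggest `/// A variable reference. Purity is no longer tracked on the expression; every call that used to choose between pure_var and impure_var now lands here.` above `var`, and the qualified-name equivalent above `qvar`.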
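Review bot: With the two `Purity::Program` arms deleted, `IsPure` has no rule left that makes a `Var` or `QVar` impure, so an expression built from a program symbol is judged pure unless it also contains `Verbatim`, `Absurd` or one of the forms handled further down (the `match` continues past the end of the hunk). That is consistent with the `@@ -123` hunk removing the payload, but every caller of this visitor silently gets a weaker answer and nothing in the file records why. A comment on the `match` would preserve the intent: `// Var/QVar carry no purity any more: a name alone never makes an expression impure; only the syntactic forms below do.`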
@@ -751,7 +741,7 @@ impl Exp {
 impl ExpVisitor for Occurs {
 fn visit(&mut self, exp: &Exp) {
 match exp {
- Exp::Var(v, _) => {
+ Exp::Var(v) => {
 *self.occurs.entry(v.clone()).or_insert(0) += 1;
 }
 Exp::Let { pattern, arg, body } => {
@@ -804,7 +794,7 @@ impl Exp {
 impl ExpVisitor for QFvs {
 fn visit(&mut self, exp: &Exp) {
 match exp {
- Exp::QVar(v, _) => {
+ Exp::QVar(v) => {
 self.qfvs.insert(v.clone());
 }
 _ => super_visit(self, exp),
@@ -823,7 +813,7 @@ impl Exp {
 impl<'a> ExpMutVisitor for &'a HashMap {
 fn visit_mut(&mut self, exp: &mut Exp) {
 match exp {
- Exp::Var(v, _) => {
+ Exp::Var(v) => {
 if let Some(e) = self.get(v) {
 *exp = e.clone()
 }
@@ -874,7 +864,7 @@ impl Exp {
 let mut extended = HashMap::new();
 for (_, exp) in &mut subst {
 for id in &bnds & &exp.fvs() {
- extended.insert(id.clone(), Exp::pure_var(format!("{}'", &*id)));
+ extended.insert(id.clone(), Exp::var(format!("{}'", &*id)));
 }
 }
 binders.iter_mut().for_each(|(id, _)| {
@@ -897,7 +887,7 @@ impl Exp {
 let mut extended = HashMap::new();
 for (_, exp) in &mut subst {
 for id in &bnds & &exp.fvs() {
- extended.insert(id.clone(), Exp::pure_var(format!("{}'", &*id)));
+ extended.insert(id.clone(), Exp::var(format!("{}'", &*id)));
 }
 }
 binders.iter_mut().for_each(|(id, _)| {
diff --git a/why3/src/mlcfg/printer.rs b/why3/src/mlcfg/printer.rs
index e001e1da7c..29431232fa 100644
--- a/why3/src/mlcfg/printer.rs
+++ b/why3/src/mlcfg/printer.rs
@@ -545,8 +545,8 @@ impl Print for Exp {
 .append(arg.pretty(alloc))
 .append(" in ")
 .append(body.pretty(alloc)),
- Exp::Var(v, _) => v.pretty(alloc),
- Exp::QVar(v, _) => v.pretty(alloc),
+ Exp::Var(v) => v.pretty(alloc),
+ Exp::QVar(v) => v.pretty(alloc),
 Exp::RecUp { box record, updates } => {
 let mut res = alloc
 .space()
@@ -666,7 +666,14 @@ impl Print for Exp {
 .append(" . ")
 .append(exp.pretty(alloc)),
 Exp::Impl(box hyp, box exp) => {
- parens!(alloc, self, hyp).append(" -> ").append(parens!(alloc, self, exp))
+ let hyp = parens!(alloc, self, hyp);
+ let impl_ = alloc
+ .line()
+ .append(alloc.text(" -> "))
+ .append(parens!(alloc, self, exp))
+ .group();
+
+ hyp.append(impl_)
 }
 Exp::Ascribe(e, t) => {
 parens!(alloc, self, e).append(" : ").append(t.pretty(alloc)).group()
diff --git a/why3/src/name.rs b/why3/src/name.rs
index c45db84071..c1edf2e1c8 100644
--- a/why3/src/name.rs
+++ b/why3/src/name.rs
@@ -55,7 +55,7 @@ impl From for Ident {
 
 impl From for Exp {
 fn from(q: QName) -> Self {
- Exp::impure_qvar(q)
+ Exp::qvar(q)
 }
 }
 
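Review bot: `alloc.line()` immediately followed by `alloc.text(" -> ")` puts a separator on both sides of the break point: if this is the `pretty` allocator, `line()` renders as a space when the group fits, so the flat form becomes `hyp  -> exp` with two spaces, and when it breaks the continuation line starts with a leading space (the regenerated `.mlcfg` hunks in this commit appear to show `+ -> (...)` continuations). `alloc.line_()`, which renders as nothing when flat, would keep the flat output byte-identical to the removed `.append(" -> ")` form; alternatively keep `line()` and drop the leading space, `.append(alloc.text("-> "))`. Nothing in this hunk nests the continuation, so unless an enclosing doc does, the broken form lands flush with the enclosing column.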